I have had no events since the 16th of June. I have stopped IDS/IPS and restarted it via the GUI. I have reloaded the Route10. Changed the Notification level to Low, and I have no events displayed. However, in /a/suricata/log/suricata.log the system can't open ips.sock; there are errors. This I believe is used to communicate to other processes. An extract of the logfile via the command tail:
[12786 - Suricata-Main] 2025-06-24 03:35:29 Notice: detect: rule reload complete
[12786 - Suricata-Main] 2025-06-25 03:35:28 Notice: detect: rule reload starting
[12786 - Suricata-Main] 2025-06-25 03:35:45 Info: detect: 1 rule files processed. 44254 rules successfully loaded, 0 rules failed, 0
[12786 - Suricata-Main] 2025-06-25 03:35:45 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[12786 - Suricata-Main] 2025-06-25 03:35:45 Info: detect: 44257 signatures processed. 1232 are IP-only rules, 4363 are inspecting packet payload, 38442 inspect application layer, 108 are decoder event only
[12786 - Suricata-Main] 2025-06-25 03:39:04 Notice: detect: rule reload complete
[12786 - Suricata-Main] 2025-06-25 06:14:48 Notice: suricata: Signal Received. Stopping engine.
[13139 - CS] 2025-06-25 06:14:49 Warning: logopenfile: Write error on Unix socket “/var/run/ips.sock”: Connection refused; reconnecting…
[13139 - CS] 2025-06-25 06:14:49 Warning: logopenfile: Reconnect failed: Connection refused (will keep trying)
[12786 - Suricata-Main] 2025-06-25 06:14:49 Info: suricata: time elapsed 176796.547s
Permissions for the ips.sock file are:
srwxr-xr-x 1 suricata suricata 0 Oct 24 2021 ips.sock
I don’t want to do the old hack chmod 777
I have no idea how to fix this and any help would be gratefully received
Don
Hmm, unfortunately I don't have a fix for you, but I can say the permissions on your ips.sock file seem to match a couple of other routers I have access to that are running IPS without any errors. That error seems to be logged anytime IPS is turned off (at least from a couple of quick tests I ran), so perhaps the Route10 isn't receiving the signal to click IPS on? Just thinking out loud.
I don't know if this will help, but this is at least what is in my log as a point of comparison. Here's what I see when IPS turns on:
[7568 - Suricata-Main] 2025-06-26 18:26:46 Notice: suricata: This is Suricata version 7.0.7 RELEASE running in SYSTEM mode
[7568 - Suricata-Main] 2025-06-26 18:26:46 Info: cpu: CPUs/cores online: 4
[7568 - Suricata-Main] 2025-06-26 18:26:46 Info: suricata: Setting engine mode to IDS mode by default
[7568 - Suricata-Main] 2025-06-26 18:26:46 Info: exception-policy: master exception-policy set to: auto
[7568 - Suricata-Main] 2025-06-26 18:26:46 Info: ioctl: br-lan: MTU 1500
[7568 - Suricata-Main] 2025-06-26 18:26:46 Info: ioctl: br-lan_4: MTU 1500
[7568 - Suricata-Main] 2025-06-26 18:26:46 Info: ioctl: br-lan_10: MTU 1500
[7568 - Suricata-Main] 2025-06-26 18:26:46 Info: ioctl: br-lan_100: MTU 1500
[7568 - Suricata-Main] 2025-06-26 18:26:46 Info: privs: dropped the caps for main thread
[7568 - Suricata-Main] 2025-06-26 18:26:46 Info: conf: Running in live mode, activating unix socket
[7568 - Suricata-Main] 2025-06-26 18:26:46 Info: logopenfile: Setting logging socket of non-blocking in live mode.
[7568 - Suricata-Main] 2025-06-26 18:26:46 Info: logopenfile: eve-log output device (unix_dgram) initialized: /var/run/ips.sock
[7568 - Suricata-Main] 2025-06-26 18:26:52 Info: detect: 1 rule files processed. 44000 rules successfully loaded, 0 rules failed, 0
[7568 - Suricata-Main] 2025-06-26 18:26:52 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[7568 - Suricata-Main] 2025-06-26 18:26:52 Info: detect: 44003 signatures processed. 197 are IP-only rules, 4361 are inspecting packet payload, 38467 inspect application layer, 108 are decoder event only
[7568 - Suricata-Main] 2025-06-26 18:28:02 Info: runmodes: br-lan: creating 4 threads
[7568 - Suricata-Main] 2025-06-26 18:28:05 Info: runmodes: br-lan_4: creating 4 threads
[7568 - Suricata-Main] 2025-06-26 18:28:05 Info: runmodes: br-lan_10: creating 4 threads
[7568 - Suricata-Main] 2025-06-26 18:28:05 Info: runmodes: br-lan_100: creating 4 threads
[7568 - Suricata-Main] 2025-06-26 18:28:12 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[7568 - Suricata-Main] 2025-06-26 18:28:13 Notice: threads: Threads created -> W: 16 FM: 1 FR: 1 Engine started
and then when it turns off:
[7568 - Suricata-Main] 2025-06-26 18:31:31 Notice: suricata: Signal Received. Stopping engine.
[8773 - W#01-br-lan] 2025-06-26 18:31:32 Warning: logopenfile: Write error on Unix socket "/var/run/ips.sock": Connection refused; reconnecting...
[8773 - W#01-br-lan] 2025-06-26 18:31:32 Warning: logopenfile: Reconnect failed: Connection refused (will keep trying)
[7568 - Suricata-Main] 2025-06-26 18:31:32 Info: suricata: time elapsed 213.656s
[7568 - Suricata-Main] 2025-06-26 18:31:33 Info: counters: Alerts: 102011
[7568 - Suricata-Main] 2025-06-26 18:31:33 Warning: output-json: 59478 events were dropped due to slow or disconnected socket
[7568 - Suricata-Main] 2025-06-26 18:31:36 Notice: device: br-lan: packets: 1030636, drops: 606508 (58.85%), invalid chksum: 0
[7568 - Suricata-Main] 2025-06-26 18:31:36 Notice: device: br-lan_4: packets: 137, drops: 0 (0.00%), invalid chksum: 0
[7568 - Suricata-Main] 2025-06-26 18:31:36 Notice: device: br-lan_10: packets: 137, drops: 0 (0.00%), invalid chksum: 0
[7568 - Suricata-Main] 2025-06-26 18:31:36 Notice: device: br-lan_100: packets: 0, drops: 0 (0.00%), invalid chksum: 0
1 Like
Thanks for the info. Hopefully one of the Alta engineers will see this and offer a solution. I was thinking of copying ips.sock to don.sock, then rm ips.sock and restart Suricata and see if Suricata will recreate it upon restart. However, I'm reluctant to do that at this time as I am not around for a couple of weeks.
1 Like
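The "Write error on Unix socket ... Connection refused" lines above are what a sender sees when a unix datagram socket file exists on disk but no process is currently bound to it, which is why the file's permissions look fine yet writes still fail. The script below is an added example, not code from this thread or from Alta/Suricata: it distinguishes "file missing", "file present but nobody listening" and "alive" for any unix_dgram socket path, and shows that the listening side (the eve-log consumer, assumed here to be a separate service) is the side that creates the socket file, so the sender alone cannot bring it back. The path and the probe payload are constructed for the demo.

```python
import os
import socket
import stat
import tempfile


def probe_dgram_socket(path: str) -> str:
    """Classify a unix datagram socket path from the sender's point of view.

    "missing"          - no such file
    "not-a-socket"     - file exists but is not a socket inode
    "no-listener"      - socket file exists, nobody bound: sendto() gives ECONNREFUSED
    "permission-denied"- socket exists but this user may not write to it
    "alive"            - a datagram was accepted by a bound listener
    """
    if not os.path.exists(path):
        return "missing"
    if not stat.S_ISSOCK(os.stat(path).st_mode):
        return "not-a-socket"
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.sendto(b'{"probe":true}\n', path)  # constructed test datagram
        return "alive"
    except ConnectionRefusedError:
        return "no-listener"
    except PermissionError:
        return "permission-denied"
    finally:
        s.close()


class DgramListener:
    """Minimal consumer: binds the socket, the role the receiving service plays."""

    def __init__(self, path: str) -> None:
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        self.sock.bind(path)  # bind() creates the socket file

    def receive(self, timeout: float = 1.0) -> bytes:
        self.sock.settimeout(timeout)
        return self.sock.recv(65536)

    def close(self) -> None:
        # close() leaves the file on disk; that stale file is the
        # "Connection refused" state seen in the log above.
        self.sock.close()


def demo() -> dict:
    """Walk a temp socket through missing -> alive -> stale and return each probe."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "ips.sock")  # hypothetical path, not the router's
    results = {"before": probe_dgram_socket(path)}
    listener = DgramListener(path)
    results["listening"] = probe_dgram_socket(path)
    results["received"] = listener.receive()
    listener.close()
    results["stale_file"] = probe_dgram_socket(path)
    os.unlink(path)
    os.rmdir(workdir)
    return results
```

Run against the real path as the same user Suricata runs as; a "no-listener" result points at the consumer service rather than at Suricata or the file mode.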