<div dir="ltr">The first problem I would address is "<span style="font-size:12.8000001907349px">4/5/2015 -- 16:27:03 - <Error> - [ERRCODE: SC_ERR_BPF(127)] - bpf</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">compilation error syntax error". It seems like this is hindering suricata from starting. What is your BPF filter?</span><div><span style="font-size:12.8000001907349px"><br></span><div class="gmail_extra"><br><div class="gmail_quote">2015-05-05 1:40 GMT+02:00 James Moe <span dir="ltr"><<a href="mailto:jimoe@sohnen-moe.com" target="_blank">jimoe@sohnen-moe.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
suricata 2.0.7<br>
linux 3.16.7-21-desktop x86_64<br>
<br>
  I created a shell script to start and stop suricata.<br>
  The stop function works fine.<br>
  Starting, however, does not. And I do not see what the difference is.<br>
<br>
----[ command ]----<br>
/usr/local/bin/suricata -v --pidfile /usr/local/var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml -i eth0 | tee /usr/local/var/log/suricata/verbose.log &<br>
----[ end ]----<br>
<br>
----[ started from script ]----<br>
4/5/2015 -- 16:27:03 - <Info> - Found an MTU of 1500 for 'eth0'<br>
4/5/2015 -- 16:27:03 - <Info> - Set snaplen to 1516 for 'eth0'<br>
<br>
4/5/2015 -- 16:27:03 - <Error> - [ERRCODE: SC_ERR_BPF(127)] - bpf<br>
compilation error syntax error<br>
4/5/2015 -- 16:27:03 - <Info> - RunModeIdsPcapAutoFp initialised<br>
4/5/2015 -- 16:27:03 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] -<br>
thread "RxPcapeth01" closed on initialization.<br>
4/5/2015 -- 16:27:03 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] -<br>
Engine initialization failed, aborting...<br>
----[ end ]----<br>
<br>
<br>
----[ started from command line ]----<br>
4/5/2015 -- 16:30:03 - <Info> - Found an MTU of 1500 for 'eth0'<br>
4/5/2015 -- 16:30:03 - <Info> - Set snaplen to 1516 for 'eth0'<br>
<br>
4/5/2015 -- 16:30:03 - <Info> - Generic Receive Offload is unset on eth0<br>
4/5/2015 -- 16:30:03 - <Info> - Large Receive Offload is unset on eth0<br>
4/5/2015 -- 16:30:03 - <Info> - RunModeIdsPcapAutoFp initialised<br>
4/5/2015 -- 16:30:03 - <Notice> - all 7 packet processing threads, 3<br>
management threads initialized, engine started.<br>
----[ end ]----<br>
<br>
----[ script ]----<br>
SURI="/usr/local/bin/suricata";<br>
LOG="/usr/local/var/log/suricata";<br>
PID="/usr/local/var/run/suricata.pid";<br>
<br>
OPT1="-c /usr/local/etc/suricata/suricata.yaml";<br>
OPT2="--pidfile /usr/local/var/run/suricata.pid";<br>
OPT3="-v"<br>
<br>
case $1 in<br>
    stop)<br>
        CMD="No PID found";<br>
        if [ -f ${PID} ]<br>
        then<br>
            CMD="/usr/bin/kill $(cat ${PID})"<br>
            ${CMD}<br>
        fi<br>
        ;;<br>
<br>
    start) CMD="${SURI} ${OPT3} ${OPT2} ${OPT1} -i eth0 | tee ${LOG}/verbose.log &"<br>
        ethtool -K eth0 gro off<br>
        # ethtool -K eth0 lro on<br>
        echo ${CMD}<br>
        ${CMD}<br>
        ;;<br>
<br>
    *) CMD='echo "Usage: suricata-ctl.sh {start |  stop}"';;<br>
esac<br>
<br>
echo ${CMD}<br>
exit 0;<br>
----[ end ]----<br>
<br>
<br>
<br>
-- <br>
James Moe<br>
moe dot james at sohnen-moe dot com<br>
520.743.3936<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" target="_blank">http://oisfevents.net</a><br>
</blockquote></div><br></div></div></div>
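<p>The difference between the two runs is in how the script executes the command. The pipeline is stored in a string and run as <code>${CMD}</code>; expanding a variable only splits it into words, it never turns <code>|</code> or <code>&amp;</code> back into shell operators. So suricata is handed <code>|</code>, <code>tee</code>, the log path and <code>&amp;</code> as extra arguments, and because suricata reads any trailing non-option arguments as its BPF filter, that is the "filter" whose compilation fails with a syntax error. Typed on the command line, the same text is parsed by the shell first and the pipeline works. The revised control script below is an added example, not the poster's script or anything from the Suricata project: paths and the interface name are taken from the post, while the helper that reproduces the word-splitting (<code>bpf_seen_by_suricata</code>), the <code>args_are_clean</code> guard and the <code>2&gt;&amp;1</code> redirection are assumptions made for the illustration.</p>

```shell
#!/bin/sh
# suricata-ctl.sh, revised. Added illustration for the thread above; not the
# original poster's script. Paths and interface are from the post, the rest
# is assumed for this example.

SURI="/usr/local/bin/suricata"
CONF="/usr/local/etc/suricata/suricata.yaml"
LOG="/usr/local/var/log/suricata"
PID="/usr/local/var/run/suricata.pid"
IFACE="eth0"

# Reproduces what `${CMD}` did in the original script: the string is split
# on whitespace and every word, including "|", "tee" and "&", becomes an
# argument to suricata. Suricata takes the words after its options as a BPF
# filter, so this prints the "filter" it would have tried to compile.
bpf_seen_by_suricata() {
    # shellcheck disable=SC2086
    set -- $1                    # unquoted on purpose: same splitting as ${CMD}
    rest=""
    while [ $# -gt 0 ]; do
        if [ "$1" = "-i" ]; then
            shift                # drop "-i"
            [ $# -gt 0 ] && shift    # drop the interface name
            rest="$*"            # everything left is the BPF filter
            break
        fi
        shift
    done
    printf '%s' "$rest"
}

# Guard for an argument string that is about to be word-split: returns 0 when
# it contains no shell operator characters, 1 when a "|", "&" or ";" would be
# passed through to suricata as plain text.
args_are_clean() {
    case "$1" in
        *'|'*|*'&'*|*';'*) return 1 ;;
    esac
    return 0
}

start_suricata() {
    ethtool -K "$IFACE" gro off
    # The pipeline is written inline, so "|" and "&" are real shell operators
    # and suricata's argument list ends at "-i eth0" (no stray BPF words).
    # 2>&1 is an addition so error lines reach verbose.log as well.
    "$SURI" -v --pidfile "$PID" -c "$CONF" -i "$IFACE" 2>&1 \
        | tee "$LOG/verbose.log" &
}

stop_suricata() {
    if [ -f "$PID" ]; then
        kill "$(cat "$PID")"
    else
        echo "No PID found" >&2
        return 1
    fi
}

case "${1:-}" in
    start) start_suricata ;;
    stop)  stop_suricata ;;
    "")    ;;                        # no action when run without arguments
    *)     echo "Usage: $0 {start|stop}" >&2 ;;
esac
```

<p>Running <code>bpf_seen_by_suricata</code> on the original <code>CMD</code> string shows exactly the argument tail suricata received; the same helper returns an empty string for the inline form in <code>start_suricata</code>, and a real trailing filter such as <code>port 80</code> passes through unchanged, which is the intended way to hand suricata a BPF expression. When a command really must live in a variable, the alternative is <code>eval</code>, with the usual care about what ends up in that string.</p>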