<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Awesome news Victor. I would think a lot of people would be affected with active/stand by inspection configured.<div><br></div><div>Do you have an estimate when this might get done? And would this be only in Suricata 3.0 or in 2.1beta4 as well?</div><div><br></div><div>Thanks again.<br><br><div>> Subject: Re: [Oisf-users] Suricata with PF_RING and IXGBE<br>> To: coolyasha@hotmail.com; oisf-users@lists.openinfosecfoundation.org<br>> From: lists@inliniac.net<br>> Date: Mon, 7 Mar 2016 15:12:00 +0100<br>> <br>> On 29-02-16 18:54, Yasha Zislin wrote:<br>> > I've reached out to PF_RING folks and they tried to provide a patch but<br>> > it was declined by Suricata.<br>> <br>> Actually, they disappeared after we suggested some improvements. Not<br>> quite the same as rejecting.<br>> <br>> Anyway, I talked to Alfredo and will merge his 'break loop' work soon.<br>> That will address the shutdown issue.<br>> <br>> Cheers,<br>> Victor<br>> <br>> > <br>> > https://github.com/inliniac/suricata/pull/1696<br>> > https://github.com/inliniac/suricata/commit/4c7d0ae0fb8a00a2b17803dc981cdf0cc841f381<br>> > <br>> > This patch supposed to fix the issue with no traffic on the thread.<br>> > <br>> >> To: oisf-users@lists.openinfosecfoundation.org<br>> >> From: lists@inliniac.net<br>> >> Date: Mon, 29 Feb 2016 17:24:43 +0100<br>> >> Subject: Re: [Oisf-users] Suricata with PF_RING and IXGBE<br>> >><br>> >> On 29-02-16 15:52, Yasha Zislin wrote:<br>> >> > I have a weird problem. I have a bunch of sensors running in CentOS 6<br>> >> > with latest pf_ring and Suricata 2.1beta4.<br>> >> > Most of the sensors have HP fiber nics (10 gigs) for monitoring<br>> >> > interfaces but two of them have Intel 82599 (ixgbe).<br>> >> > One of these Intel sensors is active and the other is standby. Standby<br>> >> > barely has any traffic on monitored interface (about 400 packets a<br>> >> > minute which are all broadcast).<br>> >> > When I start suricata service on the standby, it is impossible to reload<br>> >> > rules or to stop it. On stop it eventually dies off with this message:<br>> >> > <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect<br>> >> > thread - "RxPFReth21". Killing engine<br>> >> ><br>> >> > I've flipped the active and standby to check if the server/hardware is<br>> >> > the problem. The issue moved to the other server when it became standby.<br>> >> ><br>> >> > I've installed the latest Intel Driver. I've set everything on it as per<br>> >> > article:<br>> >> ><br>> > http://pevma.blogspot.com/2013/12/suricata-and-grand-slam-of-open-source.html<br>> >> ><br>> >> > I've tried killing irqbalance and setting affinity. No luck.<br>> >> > I did however noticed that if i reduce number of threads to 1,<br>> >> > everything is working. But when it is more than one, the issue starts.<br>> >> ><br>> >> > Did anybody else have this issue with Intel cards and PF_RING???<br>> >><br>> >> This looks a lot like this issue here:<br>> >> https://redmine.openinfosecfoundation.org/issues/1716<br>> >><br>> >> The problem could be that some threads never get traffic.<br>> >><br>> >> --<br>> >> ---------------------------------------------<br>> >> Victor Julien<br>> >> http://www.inliniac.net/<br>> >> PGP: http://www.inliniac.net/victorjulien.asc<br>> >> ---------------------------------------------<br>> >><br>> >> _______________________________________________<br>> >> Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org<br>> >> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/<br>> >> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br>> >> Suricata User Conference November 9-11 in Washington, DC:<br>> > http://oisfevents.net<br>> <br>> <br>> -- <br>> ---------------------------------------------<br>> Victor Julien<br>> http://www.inliniac.net/<br>> PGP: http://www.inliniac.net/victorjulien.asc<br>> ---------------------------------------------<br>> <br></div></div> </div></body>
</html>