<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Tue, May 31, 2016 at 3:25 PM Andreas Herz <<a href="mailto:andi@geekosphere.org">andi@geekosphere.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 31/05/16 at 22:19, John Daly wrote:<br>
> Hi all,<br>
><br>
> I'm experiencing hard locks when I stop Suricata or try to restart<br>
> Suricata. Is anyone else experiencing this?<br>
<br>
Can you post the suricata.log or verbose output?<br>
--build-info as well?<br></blockquote><div><br></div><div>suricata.log</div><div>---------------</div><div></div>
<p class="inbox-inbox-p1"><span class="inbox-inbox-s1">31/5/2016 -- 22:17:17 - <Notice> - This is Suricata version 3.0.1 RELEASE<br></span><span style="line-height:1.5">31/5/2016 -- 22:17:24 - <Warning> - [ERRCODE: SC_ERR_DEPRECATED_CONF(274)] - Found deprecated eve-log setting "sensor-name". Please set sensor-name globally.<br></span><span style="line-height:1.5">31/5/2016 -- 22:17:24 - <Error> - [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - Unable to set flags for iface "ens3f0": Operation not permitted<br></span><span style="line-height:1.5">31/5/2016 -- 22:17:37 - <Notice> - all 28 packet processing threads, 4 management threads initialized, engine started.</span></p><p class="inbox-inbox-p1"><span style="line-height:1.5"><br></span></p><p class="inbox-inbox-p1">--build-info<br>-----------------</p><div></div><p class="inbox-inbox-p1"><span class="inbox-inbox-s1">This is Suricata version 3.0.1 RELEASE</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1">Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET NETMAP HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS<span class="inbox-inbox-Apple-converted-space"> </span></span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1">SIMD support: SSE_4_2 SSE_4_1 SSE_3<span class="inbox-inbox-Apple-converted-space"> </span></span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1">Atomic intrisics: 1 2 4 8 16 byte(s)</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1">64-bits, Little-endian architecture</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1">GCC version 5.3.1 20160406 (Red Hat 5.3.1-6), C version 199901</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1">compiled with _FORTIFY_SOURCE=0</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1">L1 cache line size (CLS)=64</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1">thread local storage method: __thread</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1">compiled with LibHTP v0.5.19, linked against LibHTP v0.5.19</span></p><p class="inbox-inbox-p2"><span class="inbox-inbox-s1"></span><br></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1">Suricata Configuration:</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>AF_PACKET support: <span class="inbox-inbox-Apple-converted-space"> </span>yes</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>PF_RING support: <span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>NFQueue support: <span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>NFLOG support: <span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>IPFW support:<span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Netmap support:<span class="inbox-inbox-Apple-converted-space"> </span>yes</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>DAG enabled: <span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Napatech enabled:<span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p2"><span class="inbox-inbox-s1"></span><br></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Unix socket enabled: <span class="inbox-inbox-Apple-converted-space"> </span>yes</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Detection enabled: <span class="inbox-inbox-Apple-converted-space"> </span>yes</span></p><p class="inbox-inbox-p2"><span class="inbox-inbox-s1"></span><br></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>libnss support:<span class="inbox-inbox-Apple-converted-space"> </span>yes</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>libnspr support: <span class="inbox-inbox-Apple-converted-space"> </span>yes</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>libjansson support:<span class="inbox-inbox-Apple-converted-space"> </span>yes</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>hiredis support: <span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Prelude support: <span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>PCRE jit:<span class="inbox-inbox-Apple-converted-space"> </span>yes</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>LUA support: <span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>libluajit: <span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>libgeoip:<span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Non-bundled htp: <span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Old barnyard2 support: <span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>CUDA enabled:<span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Hyperscan support: <span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p2"><span class="inbox-inbox-s1"></span><br></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Suricatasc install:<span class="inbox-inbox-Apple-converted-space"> </span>yes</span></p><p class="inbox-inbox-p2"><span class="inbox-inbox-s1"></span><br></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Unit tests enabled:<span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Debug output enabled:<span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Debug validation enabled:<span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Profiling enabled: <span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Profiling locks enabled: <span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Coccinelle / spatch: <span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p2"><span class="inbox-inbox-s1"></span><br></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1">Generic build parameters:</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Installation prefix: <span class="inbox-inbox-Apple-converted-space"> </span>/opt/suricata</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Configuration directory: <span class="inbox-inbox-Apple-converted-space"> </span>/opt/suricata/etc/suricata/</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Log directory: <span class="inbox-inbox-Apple-converted-space"> </span>/var//opt/suricata/log/suricata/</span></p><p class="inbox-inbox-p2"><span class="inbox-inbox-s1"></span><br></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>--prefix <span class="inbox-inbox-Apple-converted-space"> </span>/opt/suricata</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>--sysconfdir <span class="inbox-inbox-Apple-converted-space"> </span>/opt/suricata/etc</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>--localstatedir<span class="inbox-inbox-Apple-converted-space"> </span>/var//opt/suricata</span></p><p class="inbox-inbox-p2"><span class="inbox-inbox-s1"></span><br></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Host:<span class="inbox-inbox-Apple-converted-space"> </span>x86_64-unknown-linux-gnu</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Compiler:<span class="inbox-inbox-Apple-converted-space"> </span>gcc (exec name) / gcc (real)</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>GCC Protect enabled: <span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>GCC march native enabled:<span class="inbox-inbox-Apple-converted-space"> </span>yes</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>GCC Profile enabled: <span class="inbox-inbox-Apple-converted-space"> </span>no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>Position Independent Executable enabled: no</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>CFLAGS <span class="inbox-inbox-Apple-converted-space"> </span>-g -O2 -march=native</span></p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>PCAP_CFLAGS<span class="inbox-inbox-Apple-converted-space"> </span></span></p><p class="inbox-inbox-p1">
</p><p class="inbox-inbox-p1"><span class="inbox-inbox-s1"><span class="inbox-inbox-Apple-converted-space"> </span>SECCFLAGS<span class="inbox-inbox-Apple-converted-space"> </span></span></p><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Do you see anything else in your systemlos when this happens?<br></blockquote><div><br></div><div>Unfortunately there isn't much coming out of the systemd journal at the time of the hang, mostly just messages from netmap, see:</div><div><span style="line-height:1.5"><br></span></div><div></div>
<div><span class="inbox-inbox-s1" style="line-height:1.5">kernel: </span><span class="inbox-inbox-s2" style="line-height:1.5"><b>924.656725 [ 473] ixgbe_netmap_configure_srrctl bufsz: 4096 srrctl: 4</b></span><span style="line-height:1.5"> </span></div><div><span style="line-height:1.5"><br></span></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
> I'm running Suricata 3.0.1 with Netmap support on Fedora 23.<br>
<br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> Suricata User Conference November 9-11 in Washington, DC: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
<br>
<br>
--<br>
Andreas Herz<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 9-11 in Washington, DC: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a></blockquote></div></div>