<div dir="ltr">Hi Victor,<div><br></div><div>I just tested a sample configuration against that PR on<span style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"> Ubuntu 16.04 LTS</span> and I got a strange error.</div><div><br></div><div>Here is my sample config (in shorts):</div><div><br></div><div><div><font face="monospace, monospace" size="1">af-packet:</font></div><div><font face="monospace, monospace" size="1"> - interface: eno2</font></div><div><font face="monospace, monospace" size="1"> threads: 1</font></div><div><font face="monospace, monospace" size="1"> cluster-id: 91</font></div><div><font face="monospace, monospace" size="1"> cluster-type: cluster_flow</font></div><div><font face="monospace, monospace" size="1"><br></font></div><div><font face="monospace, monospace" size="1"> - interface: enp2s0f0</font></div><div><font face="monospace, monospace" size="1"> threads: 1</font></div><div><font face="monospace, monospace" size="1"> cluster-id: 92</font></div><div><font face="monospace, monospace" size="1"> cluster-type: cluster_flow</font></div></div><div><font face="monospace, monospace" size="1"><br></font></div><div><div><font face="monospace, monospace" size="1">multi-detect:</font></div><div><font face="monospace, monospace" size="1"> enabled: yes</font></div><div><font face="monospace, monospace" size="1"> selector: device</font></div><div><font face="monospace, monospace" size="1"> loaders: 2</font></div><div><font face="monospace, monospace" size="1"> tenants:</font></div><div><font face="monospace, monospace" size="1"> - id: 1</font></div><div><font face="monospace, monospace" size="1"> yaml: eno1.yaml</font></div><div><font face="monospace, monospace" size="1"> - id: 2</font></div><div><font face="monospace, monospace" size="1"> yaml: enp2s0f0.yaml</font></div><div><font face="monospace, monospace" size="1"><br></font></div><div><font face="monospace, monospace" size="1"> mappings:</font></div><div><font face="monospace, monospace" size="1"> - device: eno2</font></div><div><font face="monospace, monospace" size="1"> tenant-id: 1</font></div><div><font face="monospace, monospace" size="1"> - device: enp2s0f0</font></div><div><font face="monospace, monospace" size="1"> tenant-id: 2</font></div></div><div><font face="monospace, monospace"><br></font></div><div><span style="font-family:arial,helvetica,sans-serif">Whenever I test it with multi-detect enabled I got an error reporting that mapping device does not esixts.</span></div><div><div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><font size="1" face="monospace, monospace"><br class="gmail-Apple-interchange-newline">network-sensor suricata #<span> </span><b>suricata -c suricata.yaml -T</b></font></div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><font size="1" face="monospace, monospace">[11681] 7/8/2018 -- 12:56:53 - (suricata.c:1900) <Info> (ParseCommandLine) -- Running suricata under test mode</font></div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><font size="1" face="monospace, monospace">[11681] 7/8/2018 -- 12:56:53 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 4.1.0-dev (rev 7c884e0)</font></div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><font size="1" face="monospace, monospace">[11681] 7/8/2018 -- 12:56:53 - (detect-engine.c:2967) <Warning> (<wbr>DetectEngineMultiTenantSetupLo<wbr>adLivedevMappings) -- [ERRCODE: SC_ERR_MT_NO_MAPPING(271)] - device eno2 not found</font></div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><font size="1" face="monospace, monospace">[11681] 7/8/2018 -- 12:56:53 - (detect-engine.c:3148) <Error> (DetectEngineMultiTenantSetup) -- [ERRCODE: SC_ERR_MT_NO_MAPPING(271)] - no multi-detect mappings defined</font></div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><font size="1" face="monospace, monospace">[11681] 7/8/2018 -- 12:56:53 - (suricata.c:2572) <Error> (PostConfLoadedDetectSetup) -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - initializing multi-detect detection engine contexts failed.</font></div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><font size="1" face="monospace, monospace">network-sensor suricata #<span> </span><b>ip a | grep eno2 </b> </font></div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><font size="1" face="monospace, monospace">7: eno2: <BROADCAST,MULTICAST,NOARP,<wbr>PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000</font></div><br></div><div>If I put <i>enp2s0f0</i> as first device in list I got the same error:</div><div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><font face="monospace, monospace" size="1"><br class="gmail-Apple-interchange-newline">network-sensor suricata #<span> </span><b>suricata -c suricata.yaml -T</b></font></div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><font face="monospace, monospace" size="1">[6611] 7/8/2018 -- 12:51:12 - (suricata.c:1900) <Info> (ParseCommandLine) -- Running suricata under test mode</font></div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><font face="monospace, monospace" size="1">[6611] 7/8/2018 -- 12:51:12 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 4.1.0-dev (rev 7c884e0)</font></div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><font face="monospace, monospace" size="1">[6611] 7/8/2018 -- 12:51:12 - (detect-engine.c:2967) <Warning> (<wbr>DetectEngineMultiTenantSetupLo<wbr>adLivedevMappings) -- [ERRCODE: SC_ERR_MT_NO_MAPPING(271)] - device enp2s0f0 not found</font></div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><font face="monospace, monospace" size="1">[6611] 7/8/2018 -- 12:51:12 - (detect-engine.c:3148) <Error> (DetectEngineMultiTenantSetup) -- [ERRCODE: SC_ERR_MT_NO_MAPPING(271)] - no multi-detect mappings defined</font></div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><font face="monospace, monospace" size="1">[6611] 7/8/2018 -- 12:51:12 - (suricata.c:2572) <Error> (PostConfLoadedDetectSetup) -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - initializing multi-detect detection engine contexts failed.</font></div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><font face="monospace, monospace" size="1">network-sensor suricata #<span> </span><b>ip a | grep enp2s0f0 </b></font></div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><font face="monospace, monospace" size="1">2: enp2s0f0: <BROADCAST,MULTICAST,NOARP,<wbr>PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000</font></div><br></div><div>But if I comment out multi-detect section everything works fine (except flowbits, but this is not what I was testing):</div><div><br></div><div><font face="monospace, monospace" size="1">network-sensor suricata # <b>suricata -c suricata.yaml -T</b></font></div><div><font face="monospace, monospace" size="1">[12152] 7/8/2018 -- 12:57:28 - (suricata.c:1900) <Info> (ParseCommandLine) -- Running suricata under test mode</font></div><div><font face="monospace, monospace" size="1">[12152] 7/8/2018 -- 12:57:28 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 4.1.0-dev (rev 7c884e0)</font></div><div><font face="monospace, monospace" size="1">[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2016396 and 3 other sigs</font></div><div><font face="monospace, monospace" size="1">[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 5 other sigs</font></div><div><font face="monospace, monospace" size="1">[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.JS.Obfus.Func' is checked but not set. Checked in 2017246 and 1 other sigs</font></div><div><font face="monospace, monospace" size="1">[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit '<a href="http://et.http.PK" target="_blank">et.http.PK</a>' is checked but not set. Checked in 2019835 and 3 other sigs</font></div><div><font face="monospace, monospace" size="1">[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017756 and 15 other sigs</font></div><div><font face="monospace, monospace" size="1">[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019822 and 1 other sigs</font></div><div><font face="monospace, monospace" size="1">[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit '<a href="http://ET.wininet.UA" target="_blank">ET.wininet.UA</a>' is checked but not set. Checked in 2021312 and 0 other sigs</font></div><div><font face="monospace, monospace" size="1">[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs</font></div><div><font face="monospace, monospace" size="1">[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs</font></div><div><font face="monospace, monospace" size="1">[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.<wbr>request' is checked but not set. Checked in 2022653 and 0 other sigs</font></div><div><font face="monospace, monospace" size="1">[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 11 other sigs</font></div><div><font face="monospace, monospace" size="1">[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 1 other sigs</font></div><div><font face="monospace, monospace" size="1">[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs</font></div><div><font face="monospace, monospace" size="1">[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs</font></div><div><font face="monospace, monospace" size="1">[12152] 7/8/2018 -- 12:57:32 - (suricata.c:2983) <Notice> (main) -- Configuration provided was successfully loaded. Exiting.</font></div></div><div><br></div><div>I assumed "device" for multi-tenancy has the same meaning that "interface" has for capturing technologies. Tell me if I missed something.</div><div><br></div><div>Thanks,</div><div>Davide</div><div><div class="gmail_extra"><br><div class="gmail_quote">2018-08-07 11:47 GMT+02:00 Victor Julien <span dir="ltr"><<a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="m_-1953696987920333730gmail-">On 07-08-18 09:40, Davide Setti wrote:<br>
> Thank you all.<br>
> <br>
> Today I looked better at redmine and I found this issue:<br>
> "multi-tenancy: add 'device' selector"<br>
> <a href="https://redmine.openinfosecfoundation.org/issues/2567" rel="noreferrer" target="_blank">https://redmine.openinfosecfou<wbr>ndation.org/issues/2567</a><br>
> <br>
> It seems to be what I was looking for, but it will be part of 4.1rc2 so<br>
> we must wait a little bit...<br>
<br>
</span>I just published <a href="https://github.com/OISF/suricata/pull/3447" rel="noreferrer" target="_blank">https://github.com/OISF/surica<wbr>ta/pull/3447</a><br>
<br>
Can you test this for your usecase?<br>
<br>
Also see<br>
<a href="https://github.com/OISF/suricata/blob/7c884e0850a2fe7681ec34f91748c029998f91b0/doc/userguide/configuration/multi-tenant.rst#device" rel="noreferrer" target="_blank">https://github.com/OISF/surica<wbr>ta/blob/7c884e0850a2fe7681ec34<wbr>f91748c029998f91b0/doc/<wbr>userguide/configuration/multi-<wbr>tenant.rst#device</a><br>
<br>
Thanks!<br>
Victor<br></blockquote></div><br clear="all"><div><br></div>-- <br><div class="m_-1953696987920333730gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><table border="0" cellspacing="0" cellpadding="0" style="font-family:"Times New Roman";width:420px"><tbody><tr valign="top"><td><table border="0" cellspacing="0" cellpadding="0"><tbody><tr valign="top"><td style="text-align:initial;vertical-align:top;padding:0px 8px"><a href="http://www.certego.net/" target="_blank"><img width="96" height="96" src="http://www.certego.net/email/certego.png" alt="" style="border-radius:0px"></a></td><td style="text-align:initial;vertical-align:top;padding:4px 0px"><div style="padding-top:2px;color:rgb(0,172,237);font-weight:bold;font-stretch:normal;font-size:18px;line-height:normal;font-family:sans-serif;letter-spacing:1px">Davide Setti</div><div style="padding-top:2px;color:rgb(32,32,32);font-weight:bold;font-stretch:normal;font-size:14px;line-height:normal;font-family:sans-serif">R&D and Incident Response Team, Certego</div><div style="padding-top:6px"><a href="http://www.linkedin.com/company/certego" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/linkedin.png" style="border-radius:0px;border:0px;width:24px;min-height:24px"></a> <a href="http://twitter.com/Certego_IRT" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/twitter.png" style="border-radius:0px;border:0px;width:24px;min-height:24px"></a> <a href="http://github.com/certego" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/github.png" style="border-radius:0px;border:0px;width:24px;min-height:24px"></a> <a href="http://www.youtube.com/CERTEGOsrl" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/youtube.png" style="border-radius:0px;border:0px;width:24px;min-height:24px"></a> <a href="http://plus.google.com/117641917176532015312" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/googleplus.png" style="border-radius:0px;border:0px;width:24px;min-height:24px"></a></div></td></tr></tbody></table></td></tr></tbody></table><div style="width:420px;text-align:justify;vertical-align:top;padding:8px 0px;color:rgb(224,224,224);font-stretch:normal;font-size:8px;line-height:normal;font-family:sans-serif">Use of the information within this document constitutes acceptance for use in an "as is" condition. There are no warranties with regard to this information; Certego has verified the data as thoroughly as possible. Any use of this information lies within the user's responsibility. In no event shall Certego be liable for any consequences or damages, including direct, indirect, incidental, consequential, loss of business profits or special damages, arising out of or in connection with the use or spread of this information.</div></div></div></div></div>
</div></div></div>