<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div></div><div><div><span style="background-color: rgba(255, 255, 255, 0);">Here is a short script I use to run Suricata on Myricom. Not that this configuration makes any sense since 2016 you're better off with Intel X710.<br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">#!/bin/bash</span></div><span style="background-color: rgba(255, 255, 255, 0);"><br>CPU_NUM=`cat /proc/cpuinfo | grep -E 'model name' | wc -l`<br><br>if [[ "${CPU_NUM}" -eq 32 ]]; then<br>    export SNF_NUM_RINGS=16<br>elif [[ "${CPU_NUM}" -eq 56 ]]; then<br>    export SNF_NUM_RINGS=28<br>else<br>    exit 1;<br></span><div><span style="background-color: rgba(255, 255, 255, 0);">fi</span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">(that part is just a nice to have, export SNF_NUM_RINGS to whatever you want)<br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">(change to match your deployment of course, keep the dataring 4x the descring size)</span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><span style="background-color: rgba(255, 255, 255, 0);">export LD_LIBRARY_PATH=/opt/snf/lib<br>export SNF_DATARING_SIZE=<a href="tel:34359738368" dir="ltr" x-apple-data-detectors="true" x-apple-data-detectors-type="telephone" x-apple-data-detectors-result="0">34359738368</a><br>export SNF_DESCRING_SIZE=<a href="tel:8589934592" dir="ltr" x-apple-data-detectors="true" x-apple-data-detectors-type="telephone" x-apple-data-detectors-result="1">8589934592</a><br></span><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">(Export this to get useful debug messages during startup. Does not impact the runtime performance)<br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">export SNF_DEBUG_MASK=0x3</span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">/opt/suricata/bin/suricata -c /etc/nsm/suricata.yaml --pcap=snf0</span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">If that fails, please send full log to the mailng list.</span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">--<br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">M.</span></div></div><div><br>On Aug 27, 2018, at 2:00 PM, Victor Julien <<a href="mailto:lists@inliniac.net">lists@inliniac.net</a>> wrote:<br><br></div><blockquote type="cite"><div><span>On 27-08-18 22:26, Edgmand, Craig wrote:</span><br><blockquote type="cite"><span>I edited the pcap entry in suricata.yaml</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>pcap:</span><br></blockquote><blockquote type="cite"><span>  - interface: p1p1</span><br></blockquote><blockquote type="cite"><span>    threads: 16</span><br></blockquote><blockquote type="cite"><span>    buffer-size: 2gb</span><br></blockquote><blockquote type="cite"><span>    promisc: no</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>I ran variations of this command..</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span># SNF_NUM_RINGS=16 SNF_DEBUG_MASK=3 SNF_DATARING_SIZE=4294967296</span><br></blockquote><blockquote type="cite"><span>SNF_DESCRING_SIZE=1073741824 /opt/suricata/bin/suricata -i p1p1 -c</span><br></blockquote><blockquote type="cite"><span>/opt/suricata/etc/suricata/suricata.yaml -v --runmode=workers</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>After running these you look at myri_counters it shows no packets using</span><br></blockquote><blockquote type="cite"><span>the sniffer interface.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>                     SNF recv pkts:                    0</span><br></blockquote><blockquote type="cite"><span>                SNF drop ring full:                    0</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>If you try to run the tests using the snf0 interface, suricata dies.</span><br></blockquote><span></span><br><span>How does it die? Any errors?</span><br><span></span><br><span></span><br><blockquote type="cite"><span>Any thoughts?  I have reviewed the documentation from Myricom and</span><br></blockquote><blockquote type="cite"><span>Suricata as well.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Thanks,</span><br></blockquote><span></span><br><span>What happens if you replace -i p1p1 with --pcap=p1p1 ?</span><br><span></span><br><span></span><br><span></span><br><span>-- </span><br><span>---------------------------------------------</span><br><span>Victor Julien</span><br><span><a href="http://www.inliniac.net/">http://www.inliniac.net/</a></span><br><span>PGP: <a href="http://www.inliniac.net/victorjulien.asc">http://www.inliniac.net/victorjulien.asc</a></span><br><span>---------------------------------------------</span><br><span></span><br><span>_______________________________________________</span><br><span>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a></span><br><span>Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a></span><br><span>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br><span></span><br><span>Conference: <a href="https://suricon.net">https://suricon.net</a></span><br><span>Trainings: <a href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a></span></div></blockquote></body></html>