<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p style="margin-top:0;margin-bottom:0"><span style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: 16px;">I have attached the results using --pcap=snf0 utilizing a modified version of Michal's script.</span><br>
</p>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Oisf-users &lt;oisf-users-bounces@lists.openinfosecfoundation.org&gt; on behalf of Michał Purzyński &lt;michalpurzynski1@gmail.com&gt;<br>
<b>Sent:</b> Monday, August 27, 2018 4:42:19 PM<br>
<b>To:</b> Victor Julien<br>
<b>Cc:</b> oisf-users@lists.openinfosecfoundation.org<br>
<b>Subject:</b> Re: [Oisf-users] Myricom and Suricata</font>
<div> </div>
</div>
<div dir="auto">
<div></div>
<div>
<div><span style="background-color:rgba(255,255,255,0)">Here is a short script I use to run Suricata on Myricom. Not that this configuration makes any sense; since 2016 you're better off with Intel X710.<br>
</span></div>
<div><span style="background-color:rgba(255,255,255,0)"><br>
</span></div>
<div><span style="background-color:rgba(255,255,255,0)"><br>
</span></div>
<pre>#!/bin/bash

# Count logical CPUs (one 'model name' line per CPU in /proc/cpuinfo).
CPU_NUM=`cat /proc/cpuinfo | grep -E 'model name' | wc -l`

# Pick the ring count for the known CPU counts; exit on anything else.
if [[ "${CPU_NUM}" -eq 32 ]]; then
    export SNF_NUM_RINGS=16
elif [[ "${CPU_NUM}" -eq 56 ]]; then
    export SNF_NUM_RINGS=28
else
    exit 1;
fi</pre>
<div><span style="background-color:rgba(255,255,255,0)"><br>
</span></div>
<div><span style="background-color:rgba(255,255,255,0)">(that part is just a nice to have, export SNF_NUM_RINGS to whatever you want)<br>
</span></div>
<div><span style="background-color:rgba(255,255,255,0)"><br>
</span></div>
<div><span style="background-color:rgba(255,255,255,0)">(change to match your deployment of course, keep the dataring 4x the descring size)</span></div>
<div><span style="background-color:rgba(255,255,255,0)"><br>
</span></div>
<pre>export LD_LIBRARY_PATH=/opt/snf/lib
export SNF_DATARING_SIZE=34359738368
export SNF_DESCRING_SIZE=8589934592</pre>
<div><span style="background-color:rgba(255,255,255,0)"><br>
</span></div>
<div><span style="background-color:rgba(255,255,255,0)">(Export this to get useful debug messages during startup. Does not impact the runtime performance)<br>
</span></div>
<div><span style="background-color:rgba(255,255,255,0)"><br>
</span></div>
<div><span style="background-color:rgba(255,255,255,0)">export SNF_DEBUG_MASK=0x3</span></div>
<div><span style="background-color:rgba(255,255,255,0)"><br>
</span></div>
<div><span style="background-color:rgba(255,255,255,0)">/opt/suricata/bin/suricata -c /etc/nsm/suricata.yaml --pcap=snf0</span></div>
<div><span style="background-color:rgba(255,255,255,0)"><br>
</span></div>
<div><span style="background-color:rgba(255,255,255,0)"><br>
</span></div>
<div><span style="background-color:rgba(255,255,255,0)">If that fails, please send the full log to the mailing list.</span></div>
<div><span style="background-color:rgba(255,255,255,0)"><br>
</span></div>
<div><span style="background-color:rgba(255,255,255,0)">--<br>
</span></div>
<div><span style="background-color:rgba(255,255,255,0)">M.</span></div>
</div>
<div><br>
On Aug 27, 2018, at 2:00 PM, Victor Julien &lt;<a href="mailto:lists@inliniac.net">lists@inliniac.net</a>&gt; wrote:<br>
<br>
</div>
<blockquote type="cite">
<div><span>On 27-08-18 22:26, Edgmand, Craig wrote:</span><br>
<blockquote type="cite"><span>I edited the pcap entry in suricata.yaml</span><br>
<br>
<pre>pcap:
  - interface: p1p1
    threads: 16
    buffer-size: 2gb
    promisc: no</pre>
<span>I ran variations of this command..</span><br>
<br>
<pre># SNF_NUM_RINGS=16 SNF_DEBUG_MASK=3 SNF_DATARING_SIZE=4294967296 \
    SNF_DESCRING_SIZE=1073741824 /opt/suricata/bin/suricata -i p1p1 -c \
    /opt/suricata/etc/suricata/suricata.yaml -v --runmode=workers</pre>
<span>After running these you look at myri_counters it shows no packets using the sniffer interface.</span><br>
<br>
<pre> SNF recv pkts: 0
 SNF drop ring full: 0</pre>
<span>If you try to run the tests using the snf0 interface, suricata dies.</span><br>
</blockquote>
<span></span><br>
<span>How does it die? Any errors?</span><br>
<span></span><br>
<span></span><br>
<blockquote type="cite"><span>Any thoughts? I have reviewed the documentation from Myricom and Suricata as well.</span><br>
<br>
<span>Thanks,</span><br>
</blockquote>
<span></span><br>
<span>What happens if you replace -i p1p1 with --pcap=p1p1 ?</span><br>
<span></span><br>
<span></span><br>
<span></span><br>
<span>-- </span><br>
<span>---------------------------------------------</span><br>
<span>Victor Julien</span><br>
<span><a href="http://www.inliniac.net/">http://www.inliniac.net/</a></span><br>
<span>PGP: <a href="http://www.inliniac.net/victorjulien.asc">http://www.inliniac.net/victorjulien.asc</a></span><br>
<span>---------------------------------------------</span><br>
<span></span><br>
<span>_______________________________________________</span><br>
<span>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a></span><br>
<span>Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a></span><br>
<span>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br>
<span></span><br>
<span>Conference: <a href="https://suricon.net">https://suricon.net</a></span><br>
<span>Trainings: <a href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a></span></div>
</blockquote>
</div>
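<div>Added example, not part of any message in this thread: a pre-flight check that could run before the Suricata launch line in the script above. It verifies that the SNF ring variables are numeric, that the data ring is 4x the descriptor ring, and that the command line asks for pcap capture with --pcap=. The function names and the half-the-CPUs rule (generalised from the 32/16 and 56/28 cases) are assumptions.</div>

```bash
#!/bin/bash
# Added example, not code from the thread. Function names are hypothetical.

# Ring count for a CPU count: half the logical CPUs. This generalises the
# 32 -> 16 and 56 -> 28 cases in the script above (an assumption).
rings_for_cpus() {
    cpus=$1
    case "$cpus" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$cpus" -ge 2 ] || return 1
    echo $((cpus / 2))
}

# Succeeds only when the three SNF variables are numeric and the data ring
# is exactly four times the descriptor ring, as advised in the thread.
check_snf_env() {
    rc=0
    for v in SNF_NUM_RINGS SNF_DATARING_SIZE SNF_DESCRING_SIZE; do
        eval "val=\${$v:-}"
        case "$val" in
            ''|*[!0-9]*) echo "$v is unset or not a number"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] || return 1
    if [ "$SNF_DATARING_SIZE" -ne $((SNF_DESCRING_SIZE * 4)) ]; then
        echo "SNF_DATARING_SIZE must be 4x SNF_DESCRING_SIZE"
        return 1
    fi
    return 0
}

# Succeeds when the Suricata arguments ask for pcap capture (--pcap=IFACE),
# the form used with snf0 in the thread, rather than -i IFACE.
uses_pcap_capture() {
    for arg in "$@"; do
        case "$arg" in
            --pcap=?*) return 0 ;;
        esac
    done
    return 1
}

# Typical use before the launch line:
#   check_snf_env || exit 1
#   uses_pcap_capture "$@" || exit 1
```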
</body>
</html>