[Discussion] Suricata with PF_RING 4.7

Mohsen Saeedi mohsen.saeedi at gmail.com
Sat Sep 17 20:09:47 UTC 2011


What is AF_PACKET? I haven't heard about it. But I think Suricata is
much better than Snort; it has good performance.

Thanks

On Sun, Sep 18, 2011 at 12:18 AM, Victor Julien <lists at inliniac.net> wrote:
>
> I'm not aware of anyone trying it yet, so I don't know.
>
> Btw, if you use the git version you can also use AF_PACKET which seems
> to perform nicely as well.
>
> Cheers,
> Victor
>
> On 09/17/2011 09:46 PM, Mohsen Saeedi wrote:
> > Do you know about compatibility between PF_RING-5.0.0 and the Suricata git version?
> >
> > Thanks in advance for your graphs.
> >
> > On Sun, Sep 18, 2011 at 12:12 AM, Victor Julien <lists at inliniac.net> wrote:
> >>
> >> Git version is definitely better for perf. See for example:
> >> http://home.regit.org/2011/06/about-suricata-performance-boost-between-1-0-and-1-1beta2/
> >>
> >> Cheers,
> >> Victor
> >>
> >> On 09/17/2011 08:52 PM, Mohsen Saeedi wrote:
> >>> Thanks. Can I use Suricata 1.0.5? Which version of PF_RING is compatible
> >>> with Suricata 1.0.4 or 1.0.5?
> >>> Is the Suricata git version stable for large bandwidth?
> >>> Thanks in advance
> >>>
> >>> On Sat, Sep 17, 2011 at 11:18 PM, Will Metcalf <william.metcalf at gmail.com> wrote:
> >>>
> >>>> PF_RING 4.7 added the requirement to call pfring_enable_ring(), which
> >>>> was not previously required and is not in the 1.0.4 code base.  So you have
> >>>> two options: either use an older version of PF_RING or a newer version of
> >>>> Suricata.  You can get the latest version of the code by issuing the
> >>>> following command.
> >>>>
> >>>> git clone git://phalanx.openinfosecfoundation.org/oisf.git
> >>>>
> >>>> Regards,
> >>>>
> >>>> Will
> >>>>
> >>>> On Sat, Sep 17, 2011 at 11:50 AM, Mohsen Saeedi <mohsen.saeedi at gmail.com>
> >>>> wrote:
> >>>>> Hi,
> >>>>> I built Suricata 1.0.4 and PF_RING 4.7 RPMs and installed them with the
> >>>>> new pcap lib on CentOS 6.0. But when I started Suricata with the command
> >>>>> below, it reported some error about pfring receive! Please help me.
> >>>>> suricata -c /etc/suricata/suricata.yaml --pfring-int=eth1
> >>>>>
> >>>>> [11847] 17/9/2011 -- 21:17:48 - (source-pfring.c:248) <Info>
> >>>>> (ReceivePfringThreadInit) -- Going to use cluster-id 99
> >>>>> [11847] 17/9/2011 -- 21:17:48 - (source-pfring.c:255) <Info>
> >>>>> (ReceivePfringThreadInit) -- going to use interface eth1
> >>>>> [11847] 17/9/2011 -- 21:17:48 - (source-pfring.c:269) <Info>
> >>>>> (ReceivePfringThreadInit) -- Using PF_RING v.4.7.1
> >>>>> [11847] 17/9/2011 -- 21:17:48 - (source-pfring.c:277) <Info>
> >>>>> (ReceivePfringThreadInit) -- pfring cluster type cluster_flow
> >>>>> [11847] 17/9/2011 -- 21:17:48 - (source-pfring.c:292) <Info>
> >>>>> (ReceivePfringThreadInit) -- pfring_set_cluster-id 99 set successfully
> >>>>> [11847] 17/9/2011 -- 21:17:48 - (source-pfring.c:210) <Error>
> >>>>> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv
> >>>>> error  -1
> >>>>> [11847] 17/9/2011 -- 21:17:48 - (source-pfring.c:313) <Info>
> >>>>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> >>>>> [11847] 17/9/2011 -- 21:17:48 - (source-pfring.c:317) <Info>
> >>>>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0
> >>>>> Recv:0 Drop:0 (-nan%).
> >>>>> [11848] 17/9/2011 -- 21:17:48 - (source-pfring.c:248) <Info>
> >>>>> (ReceivePfringThreadInit) -- Going to use cluster-id 99
> >>>>> [11829] 17/9/2011 -- 21:17:48 - (tm-threads.c:1349) <Info>
> >>>>> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> >>>>>
> >>>>> [11848] 17/9/2011 -- 21:17:48 - (source-pfring.c:255) <Info>
> >>>>> (ReceivePfringThreadInit) -- going to use interface eth1
> >>>>> [11848] 17/9/2011 -- 21:17:48 - (source-pfring.c:269) <Info>
> >>>>> (ReceivePfringThreadInit) -- Using PF_RING v.4.7.1
> >>>>> [11848] 17/9/2011 -- 21:17:48 - (source-pfring.c:277) <Info>
> >>>>> (ReceivePfringThreadInit) -- pfring cluster type cluster_flow
> >>>>> [11848] 17/9/2011 -- 21:17:48 - (source-pfring.c:292) <Info>
> >>>>> (ReceivePfringThreadInit) -- pfring_set_cluster-id 99 set successfully
> >>>>> [11848] 17/9/2011 -- 21:17:48 - (source-pfring.c:210) <Error>
> >>>>> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv
> >>>>> error  -1
> >>>>> [11848] 17/9/2011 -- 21:17:48 - (source-pfring.c:313) <Info>
> >>>>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> >>>>> [11848] 17/9/2011 -- 21:17:48 - (source-pfring.c:317) <Info>
> >>>>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0
> >>>>> Recv:0 Drop:0 (-nan%).
> >>>>> [11829] 17/9/2011 -- 21:17:48 - (tm-threads.c:1349) <Info>
> >>>>> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> >>>>>
> >>>>> [11849] 17/9/2011 -- 21:17:48 - (source-pfring.c:248) <Info>
> >>>>> (ReceivePfringThreadInit) -- Going to use cluster-id 99
> >>>>> [11849] 17/9/2011 -- 21:17:48 - (source-pfring.c:255) <Info>
> >>>>> (ReceivePfringThreadInit) -- going to use interface eth1
> >>>>> [11849] 17/9/2011 -- 21:17:48 - (source-pfring.c:269) <Info>
> >>>>> (ReceivePfringThreadInit) -- Using PF_RING v.4.7.1
> >>>>> [11849] 17/9/2011 -- 21:17:48 - (source-pfring.c:277) <Info>
> >>>>> (ReceivePfringThreadInit) -- pfring cluster type cluster_flow
> >>>>> [11849] 17/9/2011 -- 21:17:48 - (source-pfring.c:292) <Info>
> >>>>> (ReceivePfringThreadInit) -- pfring_set_cluster-id 99 set successfully
> >>>>> [11849] 17/9/2011 -- 21:17:48 - (source-pfring.c:210) <Error>
> >>>>> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv
> >>>>> error  -1
> >>>>> [11849] 17/9/2011 -- 21:17:48 - (source-pfring.c:313) <Info>
> >>>>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> >>>>> [11849] 17/9/2011 -- 21:17:48 - (source-pfring.c:317) <Info>
> >>>>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0
> >>>>> Recv:0 Drop:0 (-nan%).
> >>>>> [11829] 17/9/2011 -- 21:17:48 - (tm-threads.c:1349) <Info>
> >>>>> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> >>>>>
> >>>>> [11850] 17/9/2011 -- 21:17:48 - (source-pfring.c:248) <Info>
> >>>>> (ReceivePfringThreadInit) -- Going to use cluster-id 99
> >>>>> [11850] 17/9/2011 -- 21:17:48 - (source-pfring.c:255) <Info>
> >>>>> (ReceivePfringThreadInit) -- going to use interface eth1
> >>>>> [11850] 17/9/2011 -- 21:17:48 - (source-pfring.c:269) <Info>
> >>>>> (ReceivePfringThreadInit) -- Using PF_RING v.4.7.1
> >>>>> [11850] 17/9/2011 -- 21:17:48 - (source-pfring.c:277) <Info>
> >>>>> (ReceivePfringThreadInit) -- pfring cluster type cluster_flow
> >>>>> [11850] 17/9/2011 -- 21:17:48 - (source-pfring.c:292) <Info>
> >>>>> (ReceivePfringThreadInit) -- pfring_set_cluster-id 99 set successfully
> >>>>> [11850] 17/9/2011 -- 21:17:48 - (source-pfring.c:210) <Error>
> >>>>> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv
> >>>>> error  -1
> >>>>> [11850] 17/9/2011 -- 21:17:48 - (source-pfring.c:313) <Info>
> >>>>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> >>>>> [11850] 17/9/2011 -- 21:17:48 - (source-pfring.c:317) <Info>
> >>>>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0
> >>>>> Recv:0 Drop:0 (-nan%).
> >>>>> [11829] 17/9/2011 -- 21:17:48 - (tm-threads.c:1349) <Info>
> >>>>> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> >>>>>
> >>>>> [11851] 17/9/2011 -- 21:17:48 - (source-pfring.c:248) <Info>
> >>>>> (ReceivePfringThreadInit) -- Going to use cluster-id 99
> >>>>> [11851] 17/9/2011 -- 21:17:48 - (source-pfring.c:255) <Info>
> >>>>> (ReceivePfringThreadInit) -- going to use interface eth1
> >>>>> [11851] 17/9/2011 -- 21:17:48 - (source-pfring.c:269) <Info>
> >>>>> (ReceivePfringThreadInit) -- Using PF_RING v.4.7.1
> >>>>> [11851] 17/9/2011 -- 21:17:48 - (source-pfring.c:277) <Info>
> >>>>> (ReceivePfringThreadInit) -- pfring cluster type cluster_flow
> >>>>> [11851] 17/9/2011 -- 21:17:48 - (source-pfring.c:292) <Info>
> >>>>> (ReceivePfringThreadInit) -- pfring_set_cluster-id 99 set successfully
> >>>>> [11851] 17/9/2011 -- 21:17:48 - (source-pfring.c:210) <Error>
> >>>>> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv
> >>>>> error  -1
> >>>>> [11851] 17/9/2011 -- 21:17:48 - (source-pfring.c:313) <Info>
> >>>>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
> >>>>> [11851] 17/9/2011 -- 21:17:48 - (source-pfring.c:317) <Info>
> >>>>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:0
> >>>>> Recv:0 Drop:0 (-nan%).
> >>>>> [11829] 17/9/2011 -- 21:17:48 - (tm-threads.c:1349) <Info>
> >>>>> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
> >>>>>
> >>>>> [11852] 17/9/2011 -- 21:17:48 - (source-pfring.c:248) <Info>
> >>>>> (ReceivePfringThreadInit) -- Going to use cluster-id 99
> >>>>> [11852] 17/9/2011 -- 21:17:48 - (source-pfring.c:255) <Info>
> >>>>> (ReceivePfringThreadInit) -- going to use interface eth1
> >>>>> [11852] 17/9/2011 -- 21:17:48 - (source-pfring.c:269) <Info>
> >>>>> (ReceivePfringThreadInit) -- Using PF_RING v.4.7.1
> >>>>> [11852] 17/9/2011 -- 21:17:48 - (source-pfring.c:277) <Info>
> >>>>> (ReceivePfringThreadInit) -- pfring cluster type cluster_flow
> >>>>> [11852] 17/9/2011 -- 21:17:48 - (source-pfring.c:289) <Error>
> >>>>> (ReceivePfringThreadInit) -- [ERRCODE:
> >>>>> SC_ERR_PF_RING_SET_CLUSTER_FAILED(37)] - pfring_set_cluster returned
> >>>>> -1 for cluster-id: 99
> >>>>> [11829] 17/9/2011 -- 21:17:48 - (suricata.c:1165) <Info> (main) --
> >>>>> signal received
> >>>>> [11829] 17/9/2011 -- 21:17:48 - (suricata.c:1195) <Info> (main) --
> >>>>> time elapsed 0s
> >>>>> [11841] 17/9/2011 -- 21:17:48 - (flow.c:1107) <Info>
> >>>>> (FlowManagerThread) -- 0 new flows, 0 established flows were timed
> >>>>> out, 0 flows in closed state
> >>>>> [11829] 17/9/2011 -- 21:17:48 - (stream-tcp-reassemble.c:291) <Info>
> >>>>> (StreamTcpReassembleFree) -- Max memuse of the stream reassembly
> >>>>> engine 11292544 (in use 0)
> >>>>> [11829] 17/9/2011 -- 21:17:49 - (stream-tcp.c:487) <Info>
> >>>>> (StreamTcpFreeConfig) -- Max memuse of stream engine 5505024 (in use
> >>>>> 0)
> >>>>> [11829] 17/9/2011 -- 21:17:49 - (detect.c:2820) <Info>
> >>>>> (SigAddressCleanupStage1) -- cleaning up signature grouping
> >>>>> structure...
> >>>>> [11829] 17/9/2011 -- 21:17:49 - (detect.c:2835) <Info>
> >>>>> (SigAddressCleanupStage1) -- cleaning up signature grouping
> >>>>> structure... done
> >>>>>
> >>>>> --
> >>>>> Seyyed Mohsen Saeedi
> >>>>> سید محسن سعیدی
> >>>>> _______________________________________________
> >>>>> Discussion mailing list
> >>>>> Discussion at openinfosecfoundation.org
> >>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
> >>>>>
> >>>>
> >>
> >>
> >> --
> >> ---------------------------------------------
> >> Victor Julien
> >> http://www.inliniac.net/
> >> PGP: http://www.inliniac.net/victorjulien.asc
> >> ---------------------------------------------
> >>
> >
> >
> >
> > --
> > Seyyed Mohsen Saeedi
> > سید محسن سعیدی
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>



--
Seyyed Mohsen Saeedi
سید محسن سعیدی
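An added example, not part of the thread: a small Python triage script that parses Suricata 1.x log lines of the shape quoted above and flags the pattern Will Metcalf describes, a ReceivePfring thread restarted over and over with pfring_recv error -1 and zero packets, so an operator can tell a ring that was never enabled apart from a merely idle interface. The sample log is constructed to mirror the quoted output, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Suricata 1.0.4 log quoted in the
# thread (same messages and error codes, mail-client line wrapping undone).
SAMPLE_LOG = """\
[11847] 17/9/2011 -- 21:17:48 - (source-pfring.c:210) <Error> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
[11847] 17/9/2011 -- 21:17:48 - (source-pfring.c:313) <Info> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
[11829] 17/9/2011 -- 21:17:48 - (tm-threads.c:1349) <Info> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
[11848] 17/9/2011 -- 21:17:48 - (source-pfring.c:210) <Error> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error  -1
[11848] 17/9/2011 -- 21:17:48 - (source-pfring.c:313) <Info> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 0, bytes 0
[11829] 17/9/2011 -- 21:17:48 - (tm-threads.c:1349) <Info> (TmThreadRestartThread) -- thread "ReceivePfring" restarted
[11852] 17/9/2011 -- 21:17:48 - (source-pfring.c:289) <Error> (ReceivePfringThreadInit) -- [ERRCODE: SC_ERR_PF_RING_SET_CLUSTER_FAILED(37)] - pfring_set_cluster returned -1 for cluster-id: 99
"""

# One Suricata 1.x log line: [tid] date -- time - (file:line) <Level> (Func) -- message
LINE_RE = re.compile(r"^\[(?P<tid>\d+)\] (?P<when>.+?) - \((?P<src>[^)]+)\) "
                     r"<(?P<level>\w+)> \((?P<func>\w+)\) -- (?P<msg>.*)$")
ERRCODE_RE = re.compile(r"\[ERRCODE: (?P<name>\w+)\((?P<num>\d+)\)\]")
STATS_RE = re.compile(r"Packets (?P<pkts>\d+), bytes (?P<nbytes>\d+)")


def parse_line(line):
    """Return the fields of one log line as a dict, or None for non-log text."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text):
    """Summarise PF_RING receive health: error codes, restarts, packets seen."""
    errcodes, restarts, packets, stat_lines = Counter(), 0, 0, 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["level"] == "Error" and (e := ERRCODE_RE.search(rec["msg"])):
            errcodes[e["name"]] += 1
        if rec["func"] == "TmThreadRestartThread" and '"ReceivePfring"' in rec["msg"]:
            restarts += 1
        if rec["func"] == "ReceivePfringThreadExitStats" and (s := STATS_RE.search(rec["msg"])):
            stat_lines += 1
            packets += int(s["pkts"])
    # Receive thread restarted repeatedly, every pass ending in recv error -1 with
    # zero packets: the pattern the thread attributes to a ring that was never enabled.
    stuck = errcodes["SC_ERR_PF_RING_RECV"] > 0 and restarts > 0 and stat_lines > 0 and packets == 0
    return {"errcodes": dict(errcodes), "receive_restarts": restarts,
            "packets": packets, "ring_never_enabled": stuck}
```

Run `analyze()` over the real suricata.log (or captured stdout) instead of SAMPLE_LOG; a healthy sensor shows non-zero packets in the exit stats and no SC_ERR_PF_RING_RECV entries.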


