[Oisf-users] Suricata IPS with 8 threads

Hariharan Thantry thantry at gmail.com
Tue Jan 3 17:55:18 EST 2012


The multiqueue option in Suricata IPS (1.2beta1) seems to have issues
when started with 8 threads (and 8 queues for iptables with the
queue-balance option). The default of single queue works fine, but
with --runmode worker, and no changes to config file (other than
loading the changed rules from emerging threats), the engine doesn't
seem to be able to forward packets. With a single queue, it works
fine. Suricata is running on a bridged setup, with 2 dual-ported 82599
NICs, forwarding packets between 2 independent networks. When trying
to stop Suricata, I seem to get an error as well:

^C^C^C^C[2800] 3/1/2012 -- 14:50:56 - (suricata.c:1652) <Error> (main)
-- [ERRCODE: SC_ERR_SHUTDOWN(186)] - shutdown taking too long, likely
a bug! (49 != 50).

It looks like some lock issue, when starting so many threads, but I
can't be sure. Has anyone tried the new Suricata release on a
multi-homed host functioning as a bridge? Is there any documentation
on the unit tests available in Suricata for IPS?

Thanks,
Hari


More information about the Oisf-users mailing list