[Oisf-users] vlan on bond if problem

Victor Julien victor at inliniac.net
Tue May 22 08:16:13 UTC 2012


Great!

We'll have a look at the bpf command line thing.

Thanks for your report!

Cheers,
Victor

On 05/22/2012 10:14 AM, Geert Alberghs wrote:
> Yes.
> 
> On 22 May 2012 10:12, Victor Julien <victor at inliniac.net> wrote:
> 
>     Does it work with the large ruleset as well now?
> 
>     On 05/22/2012 10:09 AM, Geert Alberghs wrote:
>     > Hi Victor,
>     >
>     > Works like a charm now, including the large ruleset. We had the
>     > following in our yaml before:
>     >
>     >  - interface: bond0
>     >    bpf-filter: "not vlan"
>     >  - interface: vlan411
>     >
>     > I suppose that the problem is bpf interpretation via the command-line?
>     >
>     > Gtz
>     >
>     > Geert
>     >
>     > On 21 May 2012 17:19, Victor Julien <victor at inliniac.net> wrote:
>     >
>     >     On 05/21/2012 05:14 PM, Geert Alberghs wrote:
>     >     > Hi Victor,
>     >     >
>     >     > Thanks for your quick reply. I tried: suricata -c /etc/suricata/suricata.yaml -S /dev/null -i bond0 -i vlan411 "not vlan"
>     >     >
>     >     > It produces the following error in suricata.log:
>     >     >
>     >     > 21/5/2012 -- 17:07:32 - <Error> - [ERRCODE: SC_ERR_BPF(125)] - bpf compilation error illegal token: ���
>     >     > 21/5/2012 -- 17:07:32 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RecvPcap-bond0" closed on initialization.
>     >     > 21/5/2012 -- 17:07:32 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
>     >
>     >     You can enter the bpf filter also in the yaml file for each interface, could you give that a try?
>     >
>     >     pcap:
>     >      - interface: bond0
>     >        bpf-filter: "not vlan"
>     >      - interface: vlan411
>     >        bpf-filter: "not vlan"
>     >
>     >     Cheers,
>     >     Victor
>     >
>     >     > gdb gives the same error messages.
>     >     >
>     >     > 21/5/2012 -- 17:12:36 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RecvPcap-vlan41" closed on initialization.
>     >     > 21/5/2012 -- 17:12:36 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
>     >     > [Thread 0x7fffec34d700 (LWP 18314) exited]
>     >     > [Thread 0x7fffe9347700 (LWP 18320) exited]
>     >     > [Thread 0x7fffe9b48700 (LWP 18319) exited]
>     >     > [Thread 0x7fffea349700 (LWP 18318) exited]
>     >     > [Thread 0x7fffe8b46700 (LWP 18321) exited]
>     >     > [Thread 0x7fffeab4a700 (LWP 18317) exited]
>     >     > [Thread 0x7fffeb34b700 (LWP 18316) exited]
>     >     > [Thread 0x7fffebb4c700 (LWP 18315) exited]
>     >     > [Thread 0x7fffecb4e700 (LWP 18313) exited]
>     >     > [Thread 0x7fffed34f700 (LWP 18312) exited]
>     >     > [Thread 0x7fffedb50700 (LWP 18311) exited]
>     >     > [Thread 0x7fffee351700 (LWP 18310) exited]
>     >     > [Thread 0x7fffeed68700 (LWP 18309) exited]
>     >     > [Thread 0x7fffef569700 (LWP 18308) exited]
>     >     > [Thread 0x7fffefd6a700 (LWP 18307) exited]
>     >     > [Thread 0x7ffff48d4700 (LWP 18306) exited]
>     >     > [Thread 0x7ffff536a700 (LWP 18305) exited]
>     >     > [Thread 0x7ffff636c700 (LWP 18303) exited]
>     >     > [Thread 0x7fffe8345700 (LWP 18322) exited]
>     >     >
>     >     > Gtz
>     >     >
>     >     > Geert
>     >     >
>     >     > On 21 May 2012 16:59, Victor Julien <victor at inliniac.net> wrote:
>     >     >
>     >     >     On 05/21/2012 04:50 PM, Geert Alberghs wrote:
>     >     >     > Hello,
>     >     >     >
>     >     >     > when using the following command to launch suricata:
>     >     >     >
>     >     >     > exec suricata -D --pidfile /var/run/suricata.pid -c /etc/suricata/suricata.yaml -i bond0 -i vlan411 "not vlan"
>     >     >     >
>     >     >     > Suricata starts normally, analyses the rules, loads them etc. But a few moments after this the process stops without any notification in suricata.log.
>     >     >     >
>     >     >     > When the same command is launched but without the vlan interfaces, everything works fine. Is there a multi-interface problem or a vlan untagging problem? I don't know.
>     >     >     >
>     >     >     > The reason why the vlans are used is because of mirroring limitations in a particular switch: all incoming traffic on the mirror port is in the default vlan, all outgoing in vlan 411.
>     >     >     >
>     >     >     > gdb output for suricata -c /etc/suricata/suricata.yaml -i bond0 -i vlan411 "not vlan":
>     >     >     >
>     >     >     > 21/5/2012 -- 15:54:48 - <Info> - 15 rule files processed. 41435 rules succesfully loaded, 0 rules failed
>     >     >     > 21/5/2012 -- 15:56:45 - <Info> - 42631 signatures processed. 1809 are IP-only rules, 37788 are inspecting packet payload, 13120 inspect application layer, 0 are decoder event only
>     >     >     > 21/5/2012 -- 15:56:45 - <Info> - building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
>     >     >     > 21/5/2012 -- 15:56:50 - <Info> - building signature grouping structure, stage 2: building source address list... complete
>     >     >     > 21/5/2012 -- 15:56:55 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
>     >     >     > 21/5/2012 -- 15:57:10 - <Info> - Threshold config parsed: 5 rule(s) found
>     >     >     > 21/5/2012 -- 15:57:10 - <Info> - Core dump size set to unlimited.
>     >     >     > 21/5/2012 -- 15:57:10 - <Info> - fast output device (regular) initialized: fast.log
>     >     >     > 21/5/2012 -- 15:57:10 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
>     >     >     > 21/5/2012 -- 15:57:10 - <Info> - http-log output device (regular) initialized: http.log
>     >     >     > 21/5/2012 -- 15:57:10 - <Info> - Using 2 live device(s).
>     >     >     > 21/5/2012 -- 15:57:10 - <Info> - BPF filter set from command line or via old 'bpf-filter' option.
>     >     >     > [New Thread 0x7ffff636c700 (LWP 9636)]
>     >     >     > 21/5/2012 -- 15:57:10 - <Info> - BPF filter set from command line or via old 'bpf-filter' option.
>     >     >     > 21/5/2012 -- 15:57:10 - <Info> - using interface bond0
>     >     >     > 21/5/2012 -- 15:57:10 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>     >     >     > [New Thread 0x7ffff5b6b700 (LWP 9637)]
>     >     >     > 21/5/2012 -- 15:57:10 - <Info> - using interface vlan411
>     >     >     > 21/5/2012 -- 15:57:10 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
>     >     >     > [New Thread 0x7ffff536a700 (LWP 9638)]
>     >     >     > [New Thread 0x7ffff4b69700 (LWP 9640)]
>     >     >     >
>     >     >     > Program received signal SIGSEGV, Segmentation fault.
>     >     >     > [Switching to Thread 0x7ffff4b69700 (LWP 9640)]
>     >     >     > 0x00007ffff69c06da in ?? () from /lib/x86_64-linux-gnu/libc.so.6
>     >     >     > (gdb) btµ
>     >     >     > Invalid character '�' in expression.
>     >     >     > (gdb) bt
>     >     >     > #0  0x00007ffff69c06da in ?? () from /lib/x86_64-linux-gnu/libc.so.6
>     >     >     > #1  0x00007ffff69c1f72 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
>     >     >     > #2  0x00007ffff69c4e1e in malloc () from /lib/x86_64-linux-gnu/libc.so.6
>     >     >     > #3  0x00000000004fd054 in PmqSetup ()
>     >     >     > #4  0x00000000004402e8 in DetectEngineThreadCtxInit ()
>     >     >     > #5  0x0000000000435b17 in DetectThreadInit ()
>     >     >     > #6  0x000000000056d1ed in TmThreadsSlot1 ()
>     >     >     > #7  0x00007ffff713fd8c in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
>     >     >     > #8  0x00007ffff6a2ec2d in clone () from /lib/x86_64-linux-gnu/libc.so.6
>     >     >     > #9  0x0000000000000000 in ?? ()
>     >     >     >
>     >     >     > Any idea where the problem might reside?
>     >     >
>     >     >     The segv is in the per detection thread set up code. It may be related to the high number of rules you run. Could you try running without rules just to test?
>     >     >
>     >     >     suricata -c /etc/suricata/suricata.yaml -S /dev/null -i bond0 -i vlan411 "not vlan"
>     >     >
>     >     >     -S overrides the rule files from the yaml, in this case it loads /dev/null which means it loads no rules.
>     >     >
>     >     >     --
>     >     >     ---------------------------------------------
>     >     >     Victor Julien
>     >     >     http://www.inliniac.net/
>     >     >     PGP: http://www.inliniac.net/victorjulien.asc
>     >     >     ---------------------------------------------
>     >     >
>     >     _______________________________________________
>     >     Oisf-users mailing list
>     >     Oisf-users at openinfosecfoundation.org
>     >     http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
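As an added example (not code from this thread and not Suricata's own code), the Python below models the mirror-port layout Geert describes and shows why the configuration that ended up working filters bond0 with "not vlan" while leaving vlan411 unfiltered. The thread does not spell out the reason for the filter; the model assumes the usual one: bond0 is the parent device of the vlan411 sub-interface and sees every mirrored frame, tagged or not, while vlan411 delivers only VID 411 frames with the tag already stripped, so an unfiltered bond0 would hand each egress frame to the sensor twice. The MAC addresses, payloads, the capture() model of the two interfaces and the suricata_pcap_section() helper are constructed for illustration and are assumptions, not anything the list posts state.

```python
# Added example: 802.1Q tag parsing, the "not vlan" predicate, and a model of
# what a bond0 parent device and a vlan411 sub-interface each hand to a capture.
# Assumption (see lead-in): the parent sees all frames; the sub-interface sees
# only its VID, untagged. Sample frames below are constructed, not captured.
import struct

ETHERTYPE_8021Q = 0x8100  # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, payload, vlan_id=None):
    """Build a minimal Ethernet II frame carrying IPv4, optionally 802.1Q tagged."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        # TCI: PCP=0, DEI=0, VID in the low 12 bits.
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)
    hdr += struct.pack("!H", ETHERTYPE_IPV4)
    return hdr + payload


def parse_frame(frame):
    """Return (vlan_id or None, inner ethertype, payload) for an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner, frame[18:]
    return None, ethertype, frame[14:]


def not_vlan(frame):
    """The 'not vlan' BPF predicate: true when the frame carries no 802.1Q tag."""
    return parse_frame(frame)[0] is None


def vlan_subinterface_view(frame, vid):
    """Assumed behaviour of a Linux vlanNNN sub-interface: deliver only frames
    tagged with VID, and deliver them with the tag removed."""
    tag, inner, payload = parse_frame(frame)
    if tag != vid:
        return None
    return frame[:12] + struct.pack("!H", inner) + payload


def capture(frames, config, parent="bond0", vid=411):
    """config: list of (interface, bpf) pairs, bpf being 'not vlan' or None.
    Returns {interface: [frames that interface's capture thread would see]}."""
    seen = {}
    for iface, bpf in config:
        if bpf not in (None, "not vlan"):
            raise ValueError("only the 'not vlan' filter is modelled here")
        out = []
        for frame in frames:
            # The parent device sees everything; the sub-interface sees its VID only.
            view = frame if iface == parent else vlan_subinterface_view(frame, vid)
            if view is None:
                continue
            if bpf == "not vlan" and not not_vlan(view):
                continue
            out.append(view)
        seen[iface] = out
    return seen


def duplicate_count(frames, config):
    """Number of distinct payloads the sensor would inspect more than once."""
    counts = {}
    for captured in capture(frames, config).values():
        for frame in captured:
            payload = parse_frame(frame)[2]
            counts[payload] = counts.get(payload, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


def suricata_pcap_section(config):
    """Render the per-interface pcap section in the form the thread ends up with."""
    lines = ["pcap:"]
    for iface, bpf in config:
        lines.append(f"  - interface: {iface}")
        if bpf:
            lines.append(f'    bpf-filter: "{bpf}"')
    return "\n".join(lines) + "\n"


# Constructed sample traffic: one untagged ingress frame, one egress frame in VLAN 411.
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", b"\x45ingress", vlan_id=None),
    build_frame("66:77:88:99:aa:bb", "00:11:22:33:44:55", b"\x45egress", vlan_id=411),
]
UNFILTERED = [("bond0", None), ("vlan411", None)]
WORKING = [("bond0", "not vlan"), ("vlan411", None)]

if __name__ == "__main__":
    for name, cfg in (("unfiltered", UNFILTERED), ("working", WORKING)):
        seen = capture(SAMPLE_FRAMES, cfg)
        print(name, {k: len(v) for k, v in seen.items()},
              "duplicated payloads:", duplicate_count(SAMPLE_FRAMES, cfg))
    print(suricata_pcap_section(WORKING))
```

Run stand-alone, the script reports one duplicated payload for the unfiltered pair and none for the working pair, and prints the same per-interface pcap section Victor suggested in the thread; that yaml form is also the one that avoided the command-line path which produced the "illegal token" BPF error above.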



