[Oisf-users] suricata freezes if no or little traffic is present on monitored interface

Yasha Zislin coolyasha at hotmail.com
Thu Dec 24 14:37:01 UTC 2015


I've tried newer version of PFRING. 6.2 and 6.3 No luck. Here is an interesting note in the 6.2 release notes:PF_RING-aware LibpcapFixed pcap_brekloop (tcpdump now handles sigterm correctly when there is no traffic)
Is this what you were talking about?
So this sensor does get some broadcast traffic. My other sensors that have similar amount of traffic on monitored interfaces dont get stuck.
On this one, I get errors when trying to stop it right after starting it. Suricata reports:<Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "RxPFReth22".  Killing engine

I've enabled debugging in PF_RING and nothing shows until that message appears above.
When I try to reload rules, it starts the rebuild of grouping structure but never gives "rules reload complete" message. 
I understand your suggestion to switch to another capture method but it seems that this should work with small amount of packets on monitored interface as it does on other sensors.
BTW, I've tried Suricata-3.0 with no luck.
Thank you for your help.
> Subject: Re: [Oisf-users] suricata freezes if no or little traffic is present on monitored interface
> From: eric at regit.org
> To: coolyasha at hotmail.com; andi at geekosphere.org; oisf-users at lists.openinfosecfoundation.org
> Date: Mon, 14 Dec 2015 17:26:05 +0100
> 
> Hi,
> 
> On Mon, 2015-12-14 at 16:17 +0000, Yasha Zislin wrote:
> > I am going to give a shot to newer version of PF_RING and if it
> > doesnt fix it, I will test Suricata 3.0RC2
> 
> No need to test suricata 3.0rc2 it won't fix the issue. You better
> switch to another capture method.
> 
> ++
> 
> > 
> > Thanks.
> > 
> > > Date: Mon, 14 Dec 2015 16:34:14 +0100
> > > From: andi at geekosphere.org
> > > To: oisf-users at lists.openinfosecfoundation.org
> > > Subject: Re: [Oisf-users] suricata freezes if no or little traffic
> > is present on monitored interface
> > > 
> > > On 14/12/15 at 15:30, Yasha Zislin wrote:
> > > > I am running CentOS 6 64 bit with suricata 2.1 beta4.I have not
> > tried
> > > > Suricata 3.0RC. I am curious to see if there is a way to fix that
> > on
> > > > my current version. Thank you. 
> > > 
> > > Could you try 3.0RC2 to see if it's solved in that version?
> > > This could save a lot of time investigating the issue if it's
> > resolved
> > > within 3.0RC2.
> > > 
> > > -- 
> > > Andreas Herz
> > > _______________________________________________
> > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.o
> > rg
> > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/su
> > pport/
> > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf
> > -users
> > > Suricata User Conference November 4 & 5 in Barcelona: http://oisfev
> > ents.net
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/supp
> > ort/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-u
> > sers
> > Suricata User Conference November 4 & 5 in Barcelona: http://oisfeven
> > ts.net
> -- 
> Eric Leblond <eric at regit.org>
> Blog: https://home.regit.org/
> 
> 
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151224/8ec1ce05/attachment-0002.html>


More information about the Oisf-users mailing list