[Oisf-users] Suricata 2.1beta2 and pf_ring ZC

Michał Purzyński michalpurzynski1 at gmail.com
Tue Jan 20 16:29:25 UTC 2015


Hello. Today we are going to configure Suricata (and Bro) sharing the
same pf_ring ZC interface.

Well, almost, because I've followed my logic and something does not
work. I'm trying just Suricata so far, to avoid complications. Here's
what I did.

1. Installed pf_ring (newest) libraries, patched pcap, etc.
2. Installed the pf_ring kernel module
3. Installed the ixgbe modified driver and loaded using
"load_driver.sh" without any modifications inside. I used the "-zc"
driver version.
4. Configured pf_ring in Suricata as follows:

pfring:
  - interface: zc:eth5@0
    threads: 1
  - interface: zc:eth5@1
    threads: 1
  - interface: zc:eth5@2
    threads: 1
  - interface: zc:eth5@3
    threads: 1
  - interface: zc:eth5@4
    threads: 1
  - interface: zc:eth5@5
    threads: 1

And all I've got was a stream of errors

[ERRCODE: SC_ERR_PF_RING_OPEN(34)] - Failed to open zc:eth5@1:
pfring_open error. Check if zc:eth5@1 exists and pf_ring module is
loaded.

What am I doing wrong?

Full output follows

20/1/2015 -- 07:58:17 - <Notice> - This is Suricata version 2.1beta2 RELEASE
20/1/2015 -- 07:58:17 - <Info> - CPUs/cores online: 24
20/1/2015 -- 07:58:17 - <Info> - Live rule reloads enabled
20/1/2015 -- 07:58:17 - <Info> - 'default' server has
'request-body-minimal-inspect-size' set to 33882 and
'request-body-inspect-window' set to 4053 after randomization.
20/1/2015 -- 07:58:17 - <Info> - 'default' server has
'response-body-minimal-inspect-size' set to 33695 and
'response-body-inspect-window' set to 4218 after randomization.
20/1/2015 -- 07:58:17 - <Warning> - [ERRCODE: SC_ERR_DNS_CONFIG(239)]
- no DNS UDP config found, enabling DNS detection on port 53.
20/1/2015 -- 07:58:17 - <Info> - DNS request flood protection level: 500
20/1/2015 -- 07:58:17 - <Info> - DNS per flow memcap (state-memcap): 524288
20/1/2015 -- 07:58:17 - <Info> - DNS global memcap: 16777216
20/1/2015 -- 07:58:17 - <Warning> - [ERRCODE: SC_ERR_DNS_CONFIG(239)]
- no DNS TCP config found, enabling DNS detection on port 53.
20/1/2015 -- 07:58:17 - <Info> - No 'host-mode': suricata is in IDS
mode, using default setting 'sniffer-only'
20/1/2015 -- 07:58:17 - <Info> - allocated 3669960 bytes of memory for
the defrag hash... 65535 buckets of size 56
20/1/2015 -- 07:58:18 - <Info> - preallocated 262144 defrag trackers of size 168
20/1/2015 -- 07:58:18 - <Info> - defrag memory usage: 47710152 bytes,
maximum: 536870912
20/1/2015 -- 07:58:18 - <Info> - AutoFP mode using default "Active
Packets" flow load balancer
20/1/2015 -- 07:58:18 - <Info> - allocated 1073741824 bytes of memory
for the host hash... 16777216 buckets of size 64
20/1/2015 -- 07:58:21 - <Info> - preallocated 16777216 hosts of size 112
20/1/2015 -- 07:58:21 - <Info> - host memory usage: 3221225472 bytes,
maximum: 2147483648000
20/1/2015 -- 07:58:21 - <Info> - allocated 1006632960 bytes of memory
for the flow hash... 15728640 buckets of size 64
20/1/2015 -- 07:58:24 - <Info> - preallocated 8000000 flows of size 320
20/1/2015 -- 07:58:24 - <Info> - flow memory usage: 3630632960 bytes,
maximum: 4294967296
20/1/2015 -- 07:58:24 - <Info> - Loading reputation file:
/etc/nsm/nsm11-eth4/iprepdata.txt
20/1/2015 -- 07:58:24 - <Info> - host memory usage: 3221225472 bytes,
maximum: 2147483648000
20/1/2015 -- 07:58:24 - <Info> - using magic-file /usr/share/file/magic
20/1/2015 -- 07:58:24 - <Info> - Delayed detect disabled
20/1/2015 -- 07:58:27 - <Info> - 2 rule files processed. 11559 rules
successfully loaded, 0 rules failed
20/1/2015 -- 07:58:27 - <Info> - 11559 signatures processed. 27 are
IP-only rules, 4183 are inspecting packet payload, 9319 inspect
application layer, 0 are decoder event only
20/1/2015 -- 07:58:27 - <Info> - building signature grouping
structure, stage 1: preprocessing rules... complete
20/1/2015 -- 07:58:27 - <Info> - building signature grouping
structure, stage 2: building source address list... complete
20/1/2015 -- 07:58:43 - <Info> - building signature grouping
structure, stage 3: building destination address lists... complete
20/1/2015 -- 07:58:47 - <Info> - Threshold config parsed: 0 rule(s) found
20/1/2015 -- 07:58:47 - <Info> - Core dump size set to unlimited.
20/1/2015 -- 07:58:47 - <Info> - eve-log output device (regular)
initialized: eve.json
20/1/2015 -- 07:58:47 - <Info> - returning output_ctx 0x1374e8560
20/1/2015 -- 07:58:47 - <Info> - enabling 'eve-log' module 'alert'
20/1/2015 -- 07:58:47 - <Info> - Adding interface zc:eth5@0 from config file
20/1/2015 -- 07:58:47 - <Info> - Adding interface zc:eth5@1 from config file
20/1/2015 -- 07:58:47 - <Info> - Adding interface zc:eth5@2 from config file
20/1/2015 -- 07:58:47 - <Info> - Adding interface zc:eth5@3 from config file
20/1/2015 -- 07:58:47 - <Info> - Adding interface zc:eth5@4 from config file
20/1/2015 -- 07:58:47 - <Info> - Adding interface zc:eth5@5 from config file
20/1/2015 -- 07:58:47 - <Info> - Found affinity definition for
"management-cpu-set"
20/1/2015 -- 07:58:47 - <Info> - Using default prio 'low'
20/1/2015 -- 07:58:47 - <Info> - Found affinity definition for "receive-cpu-set"
20/1/2015 -- 07:58:47 - <Info> - Found affinity definition for "decode-cpu-set"
20/1/2015 -- 07:58:47 - <Info> - Found affinity definition for "stream-cpu-set"
20/1/2015 -- 07:58:47 - <Info> - Found affinity definition for "detect-cpu-set"
20/1/2015 -- 07:58:47 - <Info> - Using default prio 'high'
20/1/2015 -- 07:58:47 - <Info> - Found affinity definition for "verdict-cpu-set"
20/1/2015 -- 07:58:47 - <Info> - Using default prio 'high'
20/1/2015 -- 07:58:47 - <Info> - Found affinity definition for "reject-cpu-set"
20/1/2015 -- 07:58:47 - <Info> - Using default prio 'low'
20/1/2015 -- 07:58:47 - <Info> - Found affinity definition for "output-cpu-set"
20/1/2015 -- 07:58:47 - <Info> - Using default prio 'medium'
20/1/2015 -- 07:58:47 - <Info> - ZC interface detected, not setting
cluster-id for PF_RING (iface zc:eth5@0)
20/1/2015 -- 07:58:47 - <Info> - ZC interface detected, not setting
cluster type for PF_RING (iface zc:eth5@0)
20/1/2015 -- 07:58:47 - <Info> - Going to use 1 thread(s)
20/1/2015 -- 07:58:47 - <Info> - Setting affinity on CPU 1
20/1/2015 -- 07:58:47 - <Info> - Setting prio -2 for "RxPFRzc:eth5@01"
Module to cpu/core 1, thread id 17092
20/1/2015 -- 07:58:47 - <Info> - preallocated 60000 packets. Total
memory 209880000
20/1/2015 -- 07:58:47 - <Info> - ZC interface detected, not adding
thread to cluster
20/1/2015 -- 07:58:47 - <Info> - (RxPFRzc:eth5@01) Using PF_RING
v.6.0.3, interface zc:eth5@0, cluster-id 1, single-pfring-thread
20/1/2015 -- 07:58:47 - <Info> - ZC interface detected, not setting
cluster-id for PF_RING (iface zc:eth5@1)
20/1/2015 -- 07:58:47 - <Info> - ZC interface detected, not setting
cluster type for PF_RING (iface zc:eth5@1)
20/1/2015 -- 07:58:47 - <Info> - Going to use 1 thread(s)
20/1/2015 -- 07:58:47 - <Info> - Setting affinity on CPU 2
20/1/2015 -- 07:58:47 - <Info> - Setting prio -2 for "RxPFRzc:eth5@11"
Module to cpu/core 2, thread id 17093
20/1/2015 -- 07:58:47 - <Info> - preallocated 60000 packets. Total
memory 209880000
20/1/2015 -- 07:58:47 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] -
Failed to open zc:eth5@1: pfring_open error. Check if zc:eth5@1 exists
and pf_ring module is loaded.
20/1/2015 -- 07:58:47 - <Info> - ZC interface detected, not setting
cluster-id for PF_RING (iface zc:eth5@2)
20/1/2015 -- 07:58:47 - <Info> - ZC interface detected, not setting
cluster type for PF_RING (iface zc:eth5@2)
20/1/2015 -- 07:58:47 - <Info> - Going to use 1 thread(s)
20/1/2015 -- 07:58:47 - <Info> - Setting affinity on CPU 3
20/1/2015 -- 07:58:47 - <Info> - Setting prio -2 for "RxPFRzc:eth5@21"
Module to cpu/core 3, thread id 17094
20/1/2015 -- 07:58:47 - <Info> - preallocated 60000 packets. Total
memory 209880000
20/1/2015 -- 07:58:47 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] -
Failed to open zc:eth5@2: pfring_open error. Check if zc:eth5@2 exists
and pf_ring module is loaded.
20/1/2015 -- 07:58:47 - <Info> - ZC interface detected, not setting
cluster-id for PF_RING (iface zc:eth5@3)
20/1/2015 -- 07:58:47 - <Info> - ZC interface detected, not setting
cluster type for PF_RING (iface zc:eth5@3)
20/1/2015 -- 07:58:47 - <Info> - Going to use 1 thread(s)
20/1/2015 -- 07:58:47 - <Info> - Setting affinity on CPU 4
20/1/2015 -- 07:58:47 - <Info> - Setting prio -2 for "RxPFRzc:eth5@31"
Module to cpu/core 4, thread id 17095
20/1/2015 -- 07:58:48 - <Info> - preallocated 60000 packets. Total
memory 209880000
20/1/2015 -- 07:58:48 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] -
Failed to open zc:eth5@3: pfring_open error. Check if zc:eth5@3 exists
and pf_ring module is loaded.
20/1/2015 -- 07:58:48 - <Info> - ZC interface detected, not setting
cluster-id for PF_RING (iface zc:eth5@4)
20/1/2015 -- 07:58:48 - <Info> - ZC interface detected, not setting
cluster type for PF_RING (iface zc:eth5@4)
20/1/2015 -- 07:58:48 - <Info> - Going to use 1 thread(s)
20/1/2015 -- 07:58:48 - <Info> - Setting affinity on CPU 5
20/1/2015 -- 07:58:48 - <Info> - Setting prio -2 for "RxPFRzc:eth5@41"
Module to cpu/core 5, thread id 17096
20/1/2015 -- 07:58:48 - <Info> - preallocated 60000 packets. Total
memory 209880000
20/1/2015 -- 07:58:48 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] -
Failed to open zc:eth5@4: pfring_open error. Check if zc:eth5@4 exists
and pf_ring module is loaded.
20/1/2015 -- 07:58:48 - <Info> - ZC interface detected, not setting
cluster-id for PF_RING (iface zc:eth5@5)
20/1/2015 -- 07:58:48 - <Info> - ZC interface detected, not setting
cluster type for PF_RING (iface zc:eth5@5)
20/1/2015 -- 07:58:48 - <Info> - Going to use 1 thread(s)
20/1/2015 -- 07:58:48 - <Info> - Setting affinity on CPU 6
20/1/2015 -- 07:58:48 - <Info> - Setting prio -2 for "RxPFRzc:eth5@51"
Module to cpu/core 6, thread id 17097
20/1/2015 -- 07:58:48 - <Info> - preallocated 60000 packets. Total
memory 209880000
20/1/2015 -- 07:58:48 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] -
Failed to open zc:eth5@5: pfring_open error. Check if zc:eth5@5 exists
and pf_ring module is loaded.
20/1/2015 -- 07:58:48 - <Info> - RunModeIdsPfringWorkers initialised
20/1/2015 -- 07:58:48 - <Info> - using 1 flow manager threads
20/1/2015 -- 07:58:48 - <Info> - Setting prio 2 for
"FlowManagerThread" thread , thread id 17098
20/1/2015 -- 07:58:48 - <Info> - preallocated 60000 packets. Total
memory 209880000
20/1/2015 -- 07:58:48 - <Info> - using 1 flow recycler threads
20/1/2015 -- 07:58:48 - <Info> - Setting prio 2 for
"FlowRecyclerThread" thread , thread id 17099
20/1/2015 -- 07:58:48 - <Info> - stream "prealloc-sessions": 10000000
(per thread)
20/1/2015 -- 07:58:48 - <Info> - stream "memcap": 6442450944
20/1/2015 -- 07:58:48 - <Info> - stream "midstream" session pickups: disabled
20/1/2015 -- 07:58:48 - <Info> - stream "async-oneside": disabled
20/1/2015 -- 07:58:48 - <Info> - stream "checksum-validation": disabled
20/1/2015 -- 07:58:48 - <Info> - stream."inline": disabled
20/1/2015 -- 07:58:48 - <Info> - stream "max-synack-queued": 5
20/1/2015 -- 07:58:48 - <Info> - stream.reassembly "memcap": 7516192768
20/1/2015 -- 07:58:48 - <Info> - stream.reassembly "depth": 12582912
20/1/2015 -- 07:58:48 - <Info> - stream.reassembly "toserver-chunk-size": 2644
20/1/2015 -- 07:58:48 - <Info> - stream.reassembly "toclient-chunk-size": 2464
20/1/2015 -- 07:58:48 - <Info> - stream.reassembly.raw: enabled
20/1/2015 -- 07:58:48 - <Info> - segment pool: pktsize 16, prealloc 524288
20/1/2015 -- 07:58:49 - <Info> - segment pool: pktsize 112, prealloc 1048576
20/1/2015 -- 07:58:49 - <Info> - segment pool: pktsize 256, prealloc 262144
20/1/2015 -- 07:58:49 - <Info> - segment pool: pktsize 512, prealloc 262144
20/1/2015 -- 07:58:49 - <Info> - segment pool: pktsize 768, prealloc 262144
20/1/2015 -- 07:58:50 - <Info> - segment pool: pktsize 1448, prealloc 1048576
20/1/2015 -- 07:58:50 - <Info> - segment pool: pktsize 65535, prealloc 512
20/1/2015 -- 07:58:50 - <Info> - stream.reassembly "chunk-prealloc": 250
20/1/2015 -- 07:58:50 - <Info> - Setting prio 2 for
"SCPerfWakeupThread" thread , thread id 17100
20/1/2015 -- 07:58:50 - <Info> - preallocated 60000 packets. Total
memory 209880000
20/1/2015 -- 07:58:50 - <Info> - Setting prio 2 for "SCPerfMgmtThread"
thread , thread id 17101
20/1/2015 -- 07:58:50 - <Info> - preallocated 60000 packets. Total
memory 209880000
20/1/2015 -- 07:58:50 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] -
thread "RxPFRzc:eth5@11" closed on initialization.
20/1/2015 -- 07:58:50 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)]
- Engine initialization failed, aborting...
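
The error text in the log above asks to check that each zc:eth5@N queue exists and that the pf_ring module is loaded. The following pre-flight check is an added example, not part of the original post or of Suricata; it assumes the usual Linux layout (/proc/net/pf_ring/info, /sys/class/net/<iface>/queues/rx-N), and the function names and the root-prefix argument are hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight check for zc:<iface>@<queue> entries in suricata.yaml.
# Helper names and the root prefix are hypothetical; the prefix lets it run on a constructed tree.

# Print "<iface> <queue>" for every "- interface: zc:<iface>@<queue>" line.
zc_queues() {
    sed -n 's/^[[:space:]]*-[[:space:]]*interface:[[:space:]]*zc:\([^@[:space:]]*\)@\([0-9][0-9]*\).*/\1 \2/p' "$1"
}

# Count the RX queues the kernel exposes for an interface (sysfs rx-N directories).
rx_queue_count() {
    n=0
    for d in "$1/sys/class/net/$2/queues"/rx-*; do
        if [ -d "$d" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Print one line per problem; return 0 only if the module is loaded and every queue exists.
preflight() {
    yaml=$1; root=${2:-}; rc=0
    if [ ! -e "$root/proc/net/pf_ring/info" ]; then
        echo "pf_ring: module not loaded"; rc=1
    fi
    while read -r ifname q; do
        [ -n "$ifname" ] || continue
        have=$(rx_queue_count "$root" "$ifname")
        if [ "$q" -ge "$have" ]; then
            echo "zc:$ifname@$q: only $have RX queue(s) present"; rc=1
        fi
    done <<EOF
$(zc_queues "$yaml")
EOF
    return "$rc"
}

# Constructed sample: the six-queue pfring section from the post, checked against
# a fake tree where eth5 exposes $1 RX queues (default 1) and pf_ring is loaded.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/proc/net/pf_ring" && : > "$t/proc/net/pf_ring/info"
    i=0; while [ "$i" -lt "${1:-1}" ]; do mkdir -p "$t/sys/class/net/eth5/queues/rx-$i"; i=$((i + 1)); done
    printf 'pfring:\n' > "$t/suricata.yaml"
    for q in 0 1 2 3 4 5; do
        printf '  - interface: zc:eth5@%s\n    threads: 1\n' "$q" >> "$t/suricata.yaml"
    done
    rc=0; preflight "$t/suricata.yaml" "$t" || rc=$?
    rm -rf "$t"; return "$rc"
}
```

On a sensor, `preflight <path to suricata.yaml>` with no second argument reads the live /proc and /sys trees.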

