[Oisf-users] Suricata 2.1beta2 and pf_ring ZC
Michał Purzyński
michalpurzynski1 at gmail.com
Tue Jan 20 17:11:56 UTC 2015
Awesome, now it works and I know why :-)
Thanks a lot.
On Tue, Jan 20, 2015 at 5:51 PM, Giuseppe Longo <longo at ntop.org> wrote:
> Hi,
> open the load_driver.sh script and make this change:
>
> #insmod ./igb.ko RSS=1,1,1,1,1,1,1,1
> insmod ./igb.ko RSS=0,0,0,0,0,0,0,0
>
> Cheers,
> Giuseppe
>
> 2015-01-20 17:29 GMT+01:00 Michał Purzyński <michalpurzynski1 at gmail.com>:
>> Hello. Today we are going to configure Suricata (and Bro) sharing the
>> same pf_ring ZC interface.
>>
>> Well, almost, because I've followed my logic and something does not
>> work. I'm trying just Suricata so far, to avoid complications. Here's
>> what I did.
>>
>> 1. Installed pf_ring (newest) libraries, patched pcap, etc.
>> 2. Installed the pf_ring kernel module
>> 3. Installed the ixgbe modified driver and loaded using
>> "load_driver.sh" without any modifications inside. I used the "-zc"
>> driver version.
>> 4. Configured pf_ring in Suricata as follows:
>>
>> pfring:
>>   - interface: zc:eth5@0
>>     threads: 1
>>   - interface: zc:eth5@1
>>     threads: 1
>>   - interface: zc:eth5@2
>>     threads: 1
>>   - interface: zc:eth5@3
>>     threads: 1
>>   - interface: zc:eth5@4
>>     threads: 1
>>   - interface: zc:eth5@5
>>     threads: 1
>>
>> And all I've got was a stream of errors
>>
>> [ERRCODE: SC_ERR_PF_RING_OPEN(34)] - Failed to open zc:eth5@1:
>> pfring_open error. Check if zc:eth5@1 exists and pf_ring module is
>> loaded.
>>
>> What am I doing wrong?
>>
>> Full output follows
>>
>> 20/1/2015 -- 07:58:17 - <Notice> - This is Suricata version 2.1beta2 RELEASE
>> 20/1/2015 -- 07:58:17 - <Info> - CPUs/cores online: 24
>> 20/1/2015 -- 07:58:17 - <Info> - Live rule reloads enabled
>> 20/1/2015 -- 07:58:17 - <Info> - 'default' server has
>> 'request-body-minimal-inspect-size' set to 33882 and
>> 'request-body-inspect-window' set to 4053 after randomization.
>> 20/1/2015 -- 07:58:17 - <Info> - 'default' server has
>> 'response-body-minimal-inspect-size' set to 33695 and
>> 'response-body-inspect-window' set to 4218 after randomization.
>> 20/1/2015 -- 07:58:17 - <Warning> - [ERRCODE: SC_ERR_DNS_CONFIG(239)]
>> - no DNS UDP config found, enabling DNS detection on port 53.
>> 20/1/2015 -- 07:58:17 - <Info> - DNS request flood protection level: 500
>> 20/1/2015 -- 07:58:17 - <Info> - DNS per flow memcap (state-memcap): 524288
>> 20/1/2015 -- 07:58:17 - <Info> - DNS global memcap: 16777216
>> 20/1/2015 -- 07:58:17 - <Warning> - [ERRCODE: SC_ERR_DNS_CONFIG(239)]
>> - no DNS TCP config found, enabling DNS detection on port 53.
>> 20/1/2015 -- 07:58:17 - <Info> - No 'host-mode': suricata is in IDS
>> mode, using default setting 'sniffer-only'
>> 20/1/2015 -- 07:58:17 - <Info> - allocated 3669960 bytes of memory for
>> the defrag hash... 65535 buckets of size 56
>> 20/1/2015 -- 07:58:18 - <Info> - preallocated 262144 defrag trackers of size 168
>> 20/1/2015 -- 07:58:18 - <Info> - defrag memory usage: 47710152 bytes,
>> maximum: 536870912
>> 20/1/2015 -- 07:58:18 - <Info> - AutoFP mode using default "Active
>> Packets" flow load balancer
>> 20/1/2015 -- 07:58:18 - <Info> - allocated 1073741824 bytes of memory
>> for the host hash... 16777216 buckets of size 64
>> 20/1/2015 -- 07:58:21 - <Info> - preallocated 16777216 hosts of size 112
>> 20/1/2015 -- 07:58:21 - <Info> - host memory usage: 3221225472 bytes,
>> maximum: 2147483648000
>> 20/1/2015 -- 07:58:21 - <Info> - allocated 1006632960 bytes of memory
>> for the flow hash... 15728640 buckets of size 64
>> 20/1/2015 -- 07:58:24 - <Info> - preallocated 8000000 flows of size 320
>> 20/1/2015 -- 07:58:24 - <Info> - flow memory usage: 3630632960 bytes,
>> maximum: 4294967296
>> 20/1/2015 -- 07:58:24 - <Info> - Loading reputation file:
>> /etc/nsm/nsm11-eth4/iprepdata.txt
>> 20/1/2015 -- 07:58:24 - <Info> - host memory usage: 3221225472 bytes,
>> maximum: 2147483648000
>> 20/1/2015 -- 07:58:24 - <Info> - using magic-file /usr/share/file/magic
>> 20/1/2015 -- 07:58:24 - <Info> - Delayed detect disabled
>> 20/1/2015 -- 07:58:27 - <Info> - 2 rule files processed. 11559 rules
>> successfully loaded, 0 rules failed
>> 20/1/2015 -- 07:58:27 - <Info> - 11559 signatures processed. 27 are
>> IP-only rules, 4183 are inspecting packet payload, 9319 inspect
>> application layer, 0 are decoder event only
>> 20/1/2015 -- 07:58:27 - <Info> - building signature grouping
>> structure, stage 1: preprocessing rules... complete
>> 20/1/2015 -- 07:58:27 - <Info> - building signature grouping
>> structure, stage 2: building source address list... complete
>> 20/1/2015 -- 07:58:43 - <Info> - building signature grouping
>> structure, stage 3: building destination address lists... complete
>> 20/1/2015 -- 07:58:47 - <Info> - Threshold config parsed: 0 rule(s) found
>> 20/1/2015 -- 07:58:47 - <Info> - Core dump size set to unlimited.
>> 20/1/2015 -- 07:58:47 - <Info> - eve-log output device (regular)
>> initialized: eve.json
>> 20/1/2015 -- 07:58:47 - <Info> - returning output_ctx 0x1374e8560
>> 20/1/2015 -- 07:58:47 - <Info> - enabling 'eve-log' module 'alert'
>> 20/1/2015 -- 07:58:47 - <Info> - Adding interface zc:eth5@0 from config file
>> 20/1/2015 -- 07:58:47 - <Info> - Adding interface zc:eth5@1 from config file
>> 20/1/2015 -- 07:58:47 - <Info> - Adding interface zc:eth5@2 from config file
>> 20/1/2015 -- 07:58:47 - <Info> - Adding interface zc:eth5@3 from config file
>> 20/1/2015 -- 07:58:47 - <Info> - Adding interface zc:eth5@4 from config file
>> 20/1/2015 -- 07:58:47 - <Info> - Adding interface zc:eth5@5 from config file
>> 20/1/2015 -- 07:58:47 - <Info> - Found affinity definition for
>> "management-cpu-set"
>> 20/1/2015 -- 07:58:47 - <Info> - Using default prio 'low'
>> 20/1/2015 -- 07:58:47 - <Info> - Found affinity definition for "receive-cpu-set"
>> 20/1/2015 -- 07:58:47 - <Info> - Found affinity definition for "decode-cpu-set"
>> 20/1/2015 -- 07:58:47 - <Info> - Found affinity definition for "stream-cpu-set"
>> 20/1/2015 -- 07:58:47 - <Info> - Found affinity definition for "detect-cpu-set"
>> 20/1/2015 -- 07:58:47 - <Info> - Using default prio 'high'
>> 20/1/2015 -- 07:58:47 - <Info> - Found affinity definition for "verdict-cpu-set"
>> 20/1/2015 -- 07:58:47 - <Info> - Using default prio 'high'
>> 20/1/2015 -- 07:58:47 - <Info> - Found affinity definition for "reject-cpu-set"
>> 20/1/2015 -- 07:58:47 - <Info> - Using default prio 'low'
>> 20/1/2015 -- 07:58:47 - <Info> - Found affinity definition for "output-cpu-set"
>> 20/1/2015 -- 07:58:47 - <Info> - Using default prio 'medium'
>> 20/1/2015 -- 07:58:47 - <Info> - ZC interface detected, not setting
>> cluster-id for PF_RING (iface zc:eth5@0)
>> 20/1/2015 -- 07:58:47 - <Info> - ZC interface detected, not setting
>> cluster type for PF_RING (iface zc:eth5@0)
>> 20/1/2015 -- 07:58:47 - <Info> - Going to use 1 thread(s)
>> 20/1/2015 -- 07:58:47 - <Info> - Setting affinity on CPU 1
>> 20/1/2015 -- 07:58:47 - <Info> - Setting prio -2 for "RxPFRzc:eth5@01"
>> Module to cpu/core 1, thread id 17092
>> 20/1/2015 -- 07:58:47 - <Info> - preallocated 60000 packets. Total
>> memory 209880000
>> 20/1/2015 -- 07:58:47 - <Info> - ZC interface detected, not adding
>> thread to cluster
>> 20/1/2015 -- 07:58:47 - <Info> - (RxPFRzc:eth5@01) Using PF_RING
>> v.6.0.3, interface zc:eth5@0, cluster-id 1, single-pfring-thread
>> 20/1/2015 -- 07:58:47 - <Info> - ZC interface detected, not setting
>> cluster-id for PF_RING (iface zc:eth5@1)
>> 20/1/2015 -- 07:58:47 - <Info> - ZC interface detected, not setting
>> cluster type for PF_RING (iface zc:eth5@1)
>> 20/1/2015 -- 07:58:47 - <Info> - Going to use 1 thread(s)
>> 20/1/2015 -- 07:58:47 - <Info> - Setting affinity on CPU 2
>> 20/1/2015 -- 07:58:47 - <Info> - Setting prio -2 for "RxPFRzc:eth5@11"
>> Module to cpu/core 2, thread id 17093
>> 20/1/2015 -- 07:58:47 - <Info> - preallocated 60000 packets. Total
>> memory 209880000
>> 20/1/2015 -- 07:58:47 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] -
>> Failed to open zc:eth5@1: pfring_open error. Check if zc:eth5@1 exists
>> and pf_ring module is loaded.
>> 20/1/2015 -- 07:58:47 - <Info> - ZC interface detected, not setting
>> cluster-id for PF_RING (iface zc:eth5@2)
>> 20/1/2015 -- 07:58:47 - <Info> - ZC interface detected, not setting
>> cluster type for PF_RING (iface zc:eth5@2)
>> 20/1/2015 -- 07:58:47 - <Info> - Going to use 1 thread(s)
>> 20/1/2015 -- 07:58:47 - <Info> - Setting affinity on CPU 3
>> 20/1/2015 -- 07:58:47 - <Info> - Setting prio -2 for "RxPFRzc:eth5@21"
>> Module to cpu/core 3, thread id 17094
>> 20/1/2015 -- 07:58:47 - <Info> - preallocated 60000 packets. Total
>> memory 209880000
>> 20/1/2015 -- 07:58:47 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] -
>> Failed to open zc:eth5@2: pfring_open error. Check if zc:eth5@2 exists
>> and pf_ring module is loaded.
>> 20/1/2015 -- 07:58:47 - <Info> - ZC interface detected, not setting
>> cluster-id for PF_RING (iface zc:eth5@3)
>> 20/1/2015 -- 07:58:47 - <Info> - ZC interface detected, not setting
>> cluster type for PF_RING (iface zc:eth5@3)
>> 20/1/2015 -- 07:58:47 - <Info> - Going to use 1 thread(s)
>> 20/1/2015 -- 07:58:47 - <Info> - Setting affinity on CPU 4
>> 20/1/2015 -- 07:58:47 - <Info> - Setting prio -2 for "RxPFRzc:eth5@31"
>> Module to cpu/core 4, thread id 17095
>> 20/1/2015 -- 07:58:48 - <Info> - preallocated 60000 packets. Total
>> memory 209880000
>> 20/1/2015 -- 07:58:48 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] -
>> Failed to open zc:eth5@3: pfring_open error. Check if zc:eth5@3 exists
>> and pf_ring module is loaded.
>> 20/1/2015 -- 07:58:48 - <Info> - ZC interface detected, not setting
>> cluster-id for PF_RING (iface zc:eth5@4)
>> 20/1/2015 -- 07:58:48 - <Info> - ZC interface detected, not setting
>> cluster type for PF_RING (iface zc:eth5@4)
>> 20/1/2015 -- 07:58:48 - <Info> - Going to use 1 thread(s)
>> 20/1/2015 -- 07:58:48 - <Info> - Setting affinity on CPU 5
>> 20/1/2015 -- 07:58:48 - <Info> - Setting prio -2 for "RxPFRzc:eth5@41"
>> Module to cpu/core 5, thread id 17096
>> 20/1/2015 -- 07:58:48 - <Info> - preallocated 60000 packets. Total
>> memory 209880000
>> 20/1/2015 -- 07:58:48 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] -
>> Failed to open zc:eth5@4: pfring_open error. Check if zc:eth5@4 exists
>> and pf_ring module is loaded.
>> 20/1/2015 -- 07:58:48 - <Info> - ZC interface detected, not setting
>> cluster-id for PF_RING (iface zc:eth5@5)
>> 20/1/2015 -- 07:58:48 - <Info> - ZC interface detected, not setting
>> cluster type for PF_RING (iface zc:eth5@5)
>> 20/1/2015 -- 07:58:48 - <Info> - Going to use 1 thread(s)
>> 20/1/2015 -- 07:58:48 - <Info> - Setting affinity on CPU 6
>> 20/1/2015 -- 07:58:48 - <Info> - Setting prio -2 for "RxPFRzc:eth5@51"
>> Module to cpu/core 6, thread id 17097
>> 20/1/2015 -- 07:58:48 - <Info> - preallocated 60000 packets. Total
>> memory 209880000
>> 20/1/2015 -- 07:58:48 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] -
>> Failed to open zc:eth5@5: pfring_open error. Check if zc:eth5@5 exists
>> and pf_ring module is loaded.
>> 20/1/2015 -- 07:58:48 - <Info> - RunModeIdsPfringWorkers initialised
>> 20/1/2015 -- 07:58:48 - <Info> - using 1 flow manager threads
>> 20/1/2015 -- 07:58:48 - <Info> - Setting prio 2 for
>> "FlowManagerThread" thread , thread id 17098
>> 20/1/2015 -- 07:58:48 - <Info> - preallocated 60000 packets. Total
>> memory 209880000
>> 20/1/2015 -- 07:58:48 - <Info> - using 1 flow recycler threads
>> 20/1/2015 -- 07:58:48 - <Info> - Setting prio 2 for
>> "FlowRecyclerThread" thread , thread id 17099
>> 20/1/2015 -- 07:58:48 - <Info> - stream "prealloc-sessions": 10000000
>> (per thread)
>> 20/1/2015 -- 07:58:48 - <Info> - stream "memcap": 6442450944
>> 20/1/2015 -- 07:58:48 - <Info> - stream "midstream" session pickups: disabled
>> 20/1/2015 -- 07:58:48 - <Info> - stream "async-oneside": disabled
>> 20/1/2015 -- 07:58:48 - <Info> - stream "checksum-validation": disabled
>> 20/1/2015 -- 07:58:48 - <Info> - stream."inline": disabled
>> 20/1/2015 -- 07:58:48 - <Info> - stream "max-synack-queued": 5
>> 20/1/2015 -- 07:58:48 - <Info> - stream.reassembly "memcap": 7516192768
>> 20/1/2015 -- 07:58:48 - <Info> - stream.reassembly "depth": 12582912
>> 20/1/2015 -- 07:58:48 - <Info> - stream.reassembly "toserver-chunk-size": 2644
>> 20/1/2015 -- 07:58:48 - <Info> - stream.reassembly "toclient-chunk-size": 2464
>> 20/1/2015 -- 07:58:48 - <Info> - stream.reassembly.raw: enabled
>> 20/1/2015 -- 07:58:48 - <Info> - segment pool: pktsize 16, prealloc 524288
>> 20/1/2015 -- 07:58:49 - <Info> - segment pool: pktsize 112, prealloc 1048576
>> 20/1/2015 -- 07:58:49 - <Info> - segment pool: pktsize 256, prealloc 262144
>> 20/1/2015 -- 07:58:49 - <Info> - segment pool: pktsize 512, prealloc 262144
>> 20/1/2015 -- 07:58:49 - <Info> - segment pool: pktsize 768, prealloc 262144
>> 20/1/2015 -- 07:58:50 - <Info> - segment pool: pktsize 1448, prealloc 1048576
>> 20/1/2015 -- 07:58:50 - <Info> - segment pool: pktsize 65535, prealloc 512
>> 20/1/2015 -- 07:58:50 - <Info> - stream.reassembly "chunk-prealloc": 250
>> 20/1/2015 -- 07:58:50 - <Info> - Setting prio 2 for
>> "SCPerfWakeupThread" thread , thread id 17100
>> 20/1/2015 -- 07:58:50 - <Info> - preallocated 60000 packets. Total
>> memory 209880000
>> 20/1/2015 -- 07:58:50 - <Info> - Setting prio 2 for "SCPerfMgmtThread"
>> thread , thread id 17101
>> 20/1/2015 -- 07:58:50 - <Info> - preallocated 60000 packets. Total
>> memory 209880000
>> 20/1/2015 -- 07:58:50 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] -
>> thread "RxPFRzc:eth5@11" closed on initialization.
>> 20/1/2015 -- 07:58:50 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)]
>> - Engine initialization failed, aborting...
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Training now available: http://suricata-ids.org/training/
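A pre-flight check for the failure in this thread, where only `zc:eth5@0` opens until the driver is reloaded with a different `RSS=` value: compare the queue indexes named in the Suricata config with the RX queues the NIC exposes. This is an added example, not part of the original messages; the function names are hypothetical, and it assumes the driver exposes one `rx-N` directory per RSS queue under `/sys/class/net/<iface>/queues`.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every zc:<iface>@<queue>
# entry in a Suricata config refers to an RX queue the NIC actually exposes.
# Assumption: one rx-N directory per RSS queue under <sysfs_root>/<iface>/queues.

# Print "iface queue" for each zc:<iface>@<queue> found in the config file.
zc_queues_in_config() {
    grep -oE 'zc:[A-Za-z0-9_.-]+@[0-9]+' "$1" |
        sed -E 's/^zc:([^@]+)@([0-9]+)$/\1 \2/' |
        sort -u -k1,1 -k2,2n
}

# Count the rx-N queue directories of an interface (0 if none exist).
rx_queue_count() {
    n=0
    for d in "$1/$2/queues"/rx-*; do
        if [ -d "$d" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Print every configured zc:<iface>@<queue> whose queue index is not available.
# Empty output means Suricata should be able to open all configured queues.
missing_zc_queues() {
    config=$1
    root=${2:-/sys/class/net}
    zc_queues_in_config "$config" | while read -r iface queue; do
        if [ "$queue" -ge "$(rx_queue_count "$root" "$iface")" ]; then
            echo "zc:${iface}@${queue}"
        fi
    done
}
```

Run `missing_zc_queues <path to suricata.yaml>` after loading the driver and before starting Suricata; any output lists the interfaces that would fail with `SC_ERR_PF_RING_OPEN`.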