[Oisf-users] suricata does not start in a script

Andreas Moe moe.andreas at gmail.com
Tue May 5 07:34:53 UTC 2015


The first problem I would address is "4/5/2015 -- 16:27:03 - <Error> -
[ERRCODE: SC_ERR_BPF(127)] - bpf
compilation error syntax error"; it seems like this is hindering suricata from
starting. What is your BPF filter?


2015-05-05 1:40 GMT+02:00 James Moe <jimoe at sohnen-moe.com>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> suricata 2.0.7
> linux 3.16.7-21-desktop x86_64
>
>   I created a shell script to start and stop suricata.
>   The stop function works fine.
>   Starting, however, does not. And I do not see what the difference is.
>
> - ----[ command ]----
> /usr/local/bin/suricata -v --pidfile /usr/local/var/run/suricata.pid -c
> /usr/local/etc/suricata/suricata.yaml -i eth0 | tee
> /usr/local/var/log/suricata/verbose.log &
> - ----[ end ]----
>
> - ----[ started from script ]----
> 4/5/2015 -- 16:27:03 - <Info> - Found an MTU of 1500 for 'eth0'
> 4/5/2015 -- 16:27:03 - <Info> - Set snaplen to 1516 for 'eth0'
>
> 4/5/2015 -- 16:27:03 - <Error> - [ERRCODE: SC_ERR_BPF(127)] - bpf
> compilation error syntax error
> 4/5/2015 -- 16:27:03 - <Info> - RunModeIdsPcapAutoFp initialised
> 4/5/2015 -- 16:27:03 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] -
> thread "RxPcapeth01" closed on initialization.
> 4/5/2015 -- 16:27:03 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] -
> Engine initialization failed, aborting...
> - ----[ end ]----
>
>
> - ----[ started from command line ]----
> 4/5/2015 -- 16:30:03 - <Info> - Found an MTU of 1500 for 'eth0'
> 4/5/2015 -- 16:30:03 - <Info> - Set snaplen to 1516 for 'eth0'
>
> 4/5/2015 -- 16:30:03 - <Info> - Generic Receive Offload is unset on eth0
> 4/5/2015 -- 16:30:03 - <Info> - Large Receive Offload is unset on eth0
> 4/5/2015 -- 16:30:03 - <Info> - RunModeIdsPcapAutoFp initialised
> 4/5/2015 -- 16:30:03 - <Notice> - all 7 packet processing threads, 3
> management threads initialized, engine started.
> - ----[ end ]----
>
> - ----[ script ]----
> SURI="/usr/local/bin/suricata";
> LOG="/usr/local/var/log/suricata";
> PID="/usr/local/var/run/suricata.pid";
>
> OPT1="-c /usr/local/etc/suricata/suricata.yaml";
> OPT2="--pidfile /usr/local/var/run/suricata.pid";
> OPT3="-v"
>
> case $1 in
>     stop)
>         CMD="No PID found";
>         if [ -f ${PID} ]
>         then
>             CMD="/usr/bin/kill $(cat ${PID})"
>             ${CMD}
>         fi
>         ;;
>
>     start) CMD="${SURI} ${OPT3} ${OPT2} ${OPT1} -i eth0 | tee
> ${LOG}/verbose.log &"
>         ethtool -K eth0 gro off
>         # ethtool -K eth0 lro on
>         echo ${CMD}
>         ${CMD}
>         ;;
>
>     *) CMD='echo "Usage: suricata-ctl.sh {start |  stop}"';;
> esac
>
> echo ${CMD}
> exit 0;
> - ----[ end ]----
>
>
>
> - --
> James Moe
> moe dot james at sohnen-moe dot com
> 520.743.3936
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iEYEARECAAYFAlVIA20ACgkQzTcr8Prq0ZNGRQCglhtuGEmO4xWP5jGGcGKLczwV
> eb0AoINojJXZFlowX4lGrm/Av5ZrnpeQ
> =2cZO
> -----END PGP SIGNATURE-----
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
>
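The following is an added example, not code from the thread or from the Suricata project, to show what the quoted script's start) case actually hands to the program. Storing a pipeline in CMD and expanding it as ${CMD} only performs word splitting: the "|", "tee", the log path and "&" are never interpreted by the shell and arrive at the program as ordinary arguments. Suricata treats trailing non-option words on its command line as a BPF filter expression, which is why the script run ends in "bpf compilation error syntax error" while the same pipeline typed at the prompt works. fake_suricata is an assumed stand-in that just prints the argument vector it received; argv_is_clean is an assumed pre-flight helper.

```sh
#!/bin/sh
# Added example, not code from the thread: demonstrates why a pipeline stored in $CMD
# and then expanded as ${CMD} hands "|", "tee", the log path and "&" to the program as
# plain arguments. fake_suricata is an assumed stand-in for /usr/local/bin/suricata
# that prints the argument vector it received, one word per line.
fake_suricata() {
    printf '%s\n' "$@"
}

# Broken launcher, mirroring the thread's start) case: word splitting never interprets
# shell operators, so every word after the program name becomes an argument.
broken_start() {
    CMD="fake_suricata -v -i eth0 | tee /tmp/verbose.log &"
    ${CMD}
}

# Number of arguments the program saw in the broken form (7: -v -i eth0 | tee path &).
broken_argc() {
    broken_start | wc -l | tr -d ' '
}

# Fixed launcher: the pipeline is written in the function body, so the shell parses the
# | and the redirection, and the program receives only its real options.
fixed_start() {
    log="$1"
    fake_suricata -v -i eth0 | tee "$log" >/dev/null
}

# Number of arguments the program saw in the fixed form (3: -v -i eth0).
fixed_argc() {
    log=$(mktemp)
    fixed_start "$log"
    wc -l < "$log" | tr -d ' '
    rm -f "$log"
}

# Pre-flight check (assumed helper): refuse an argument vector containing bare shell
# operators, the tell-tale sign of a command string that was expanded instead of parsed.
argv_is_clean() {
    for word in "$@"; do
        case "$word" in
            '|'|'&'|';'|'||'|'&&') return 1 ;;
        esac
    done
    return 0
}

echo "broken launcher: $(broken_argc) arguments; fixed launcher: $(fixed_argc) arguments"
```

In a real start script the cure is the same as in fixed_start: write the pipeline and the trailing & directly in the case branch (or in a function), and keep only plain option words in variables. The argv_is_clean check is useful in a launcher that is run unattended, since a bare "|" or "&" in the argument list is otherwise only noticed when the engine aborts.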