[Oisf-users] Problem when testing Suricata on an ARMv7 based board

Peter Manev petermanev at gmail.com
Tue Nov 17 22:35:00 UTC 2015


On Tue, Nov 10, 2015 at 2:34 PM, Mahdi Aichouch <foxmehdi at gmail.com> wrote:
> Hello,
>
> First of all, thank you very much for all your answers!
>
> It is difficult in my case to compile Suricata directly on the board,
> because I don't have a full-fledged Linux distribution such as Debian or
> Ubuntu... installed on my board.
> Instead, I am running a para-virtualized L4Linux kernel with a minimal root
> file system (RAMdisk) built using Buildroot.
>
> So, I don't have access to a package manager to download and install all
> libraries that Suricata depends on.
> When I cross-compiled, I manually downloaded and compiled all the binaries
> of the required libraries before building Suricata.
>
> After activating the verbose option I was able to see that there was a
> missing file.
> Such as the /usr/share/file/magic.mgc, needed by functions in
> util-magic.c.
>
> Then, after adding all missing configuration files, I was able to
> successfully run Suricata on an ARMv7 board.
>
> $> ./home/suricata/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 -s
> signatures -v &
>
> / # [44] 1/1/1970 -- 00:02:32 - (suricata.c:1073) <Notice> (SCPrintVersion)
> -- This is Suricata version 2.1dev (rev 86711a1)
> [44] 1/1/1970 -- 00:02:32 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) --
> CPUs/cores online: 1
> [44] 1/1/1970 -- 00:02:32 - (app-layer-htp.c:2255) <Info>
> (HTPConfigSetDefaultsPhase2) -- 'default' server has
> 'request-body-minimal-inspect-size' set to 33882 and
> 'request-body-inspect-window' set to 4053.
> [44] 1/1/1970 -- 00:02:32 - (app-layer-htp.c:2270) <Info>
> (HTPConfigSetDefaultsPhase2) -- 'default' server has
> 'response-body-minimal-inspect-size' set to 33695 and
> 'response-body-inspect-window' set to 42.
> [44] 1/1/1970 -- 00:02:32 - (app-layer-dns-udp.c:337) <Info>
> (DNSUDPConfigure) -- DNS request flood protection level: 500
> [44] 1/1/1970 -- 00:02:32 - (app-layer-dns-udp.c:349) <Info>
> (DNSUDPConfigure) -- DNS per flow memcap (state-memcap): 524288
> [44] 1/1/1970 -- 00:02:32 - (app-layer-dns-udp.c:361) <Info>
> (DNSUDPConfigure) -- DNS global memcap: 16777216
> [44] 1/1/1970 -- 00:02:32 - (app-layer-modbus.c:1457) <Info>
> (RegisterModbusParsers) -- Modbus request flood protection level: 500
> [44] 1/1/1970 -- 00:02:32 - (util-ioctl.c:100) <Info> (GetIfaceMTU) -- Found
> an MTU of 1500 for 'eth0'
> [44] 1/1/1970 -- 00:02:32 - (defrag-hash.c:209) <Info> (DefragInitConfig) --
> allocated 2097152 bytes of memory for the defrag hash... 65536 buckets of
> size 32
> [44] 1/1/1970 -- 00:02:32 - (defrag-hash.c:234) <Info> (DefragInitConfig) --
> preallocated 65535 defrag trackers of size 120
> [44] 1/1/1970 -- 00:02:32 - (defrag-hash.c:241) <Info> (DefragInitConfig) --
> defrag memory usage: 9961352 bytes, maximum: 33554432
> [44] 1/1/1970 -- 00:02:32 - (tmqh-flow.c:76) <Info> (TmqhFlowRegister) --
> AutoFP mode using default "Active Packets" flow load balancer
> [44] 1/1/1970 -- 00:02:32 - (host.c:215) <Info> (HostInitConfig) --
> allocated 262144 bytes of memory for the host hash... 4096 buckets of size
> 64
> [44] 1/1/1970 -- 00:02:32 - (host.c:238) <Info> (HostInitConfig) --
> preallocated 1000 hosts of size 88
> [44] 1/1/1970 -- 00:02:32 - (host.c:240) <Info> (HostInitConfig) -- host
> memory usage: 350144 bytes, maximum: 16777216
> [44] 1/1/1970 -- 00:02:32 - (flow.c:441) <Info> (FlowInitConfig) --
> allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size
> 64
> [44] 1/1/1970 -- 00:02:32 - (flow.c:465) <Info> (FlowInitConfig) --
> preallocated 10000 flows of size 220
> [44] 1/1/1970 -- 00:02:32 - (flow.c:467) <Info> (FlowInitConfig) -- flow
> memory usage: 6394304 bytes, maximum: 67108864
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:377) <Info> (StreamTcpInitConfig)
> -- stream "prealloc-sessions": 2048 (per thread)
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:393) <Info> (StreamTcpInitConfig)
> -- stream "memcap": 33554432
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:399) <Info> (StreamTcpInitConfig)
> -- stream "midstream" session pickups: disabled
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:405) <Info> (StreamTcpInitConfig)
> -- stream "async-oneside": disabled
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:422) <Info> (StreamTcpInitConfig)
> -- stream "checksum-validation": enabled
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:444) <Info> (StreamTcpInitConfig)
> -- stream."inline": disabled
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:457) <Info> (StreamTcpInitConfig)
> -- stream "max-synack-queued": 5
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:475) <Info> (StreamTcpInitConfig)
> -- stream.reassembly "memcap": 134217728
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:493) <Info> (StreamTcpInitConfig)
> -- stream.reassembly "depth": 1048576
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:576) <Info> (StreamTcpInitConfig)
> -- stream.reassembly "toserver-chunk-size": 2549
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:578) <Info> (StreamTcpInitConfig)
> -- stream.reassembly "toclient-chunk-size": 2501
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:591) <Info> (StreamTcpInitConfig)
> -- stream.reassembly.raw: enabled
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
> (StreamTcpReassemblyConfig) -- segment pool: pktsize 4, prealloc 256
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
> (StreamTcpReassemblyConfig) -- segment pool: pktsize 16, prealloc 512
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
> (StreamTcpReassemblyConfig) -- segment pool: pktsize 112, prealloc 512
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
> (StreamTcpReassemblyConfig) -- segment pool: pktsize 248, prealloc 512
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
> (StreamTcpReassemblyConfig) -- segment pool: pktsize 512, prealloc 512
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
> (StreamTcpReassemblyConfig) -- segment pool: pktsize 768, prealloc 1024
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
> (StreamTcpReassemblyConfig) -- segment pool: pktsize 1448, prealloc 1024
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
> (StreamTcpReassemblyConfig) -- segment pool: pktsize 65535, prealloc 128
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:487) <Info>
> (StreamTcpReassemblyConfig) -- stream.reassembly "chunk-prealloc": 250
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:500) <Info>
> (StreamTcpReassemblyConfig) -- stream.reassembly "zero-copy-size": 128
> [44] 1/1/1970 -- 00:02:32 - (ippair.c:211) <Info> (IPPairInitConfig) --
> allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size
> 64
> [44] 1/1/1970 -- 00:02:32 - (ippair.c:234) <Info> (IPPairInitConfig) --
> preallocated 1000 ippairs of size 96
> [44] 1/1/1970 -- 00:02:32 - (ippair.c:236) <Info> (IPPairInitConfig) --
> ippair memory usage: 358144 bytes, maximum: 16777216
> [44] 1/1/1970 -- 00:02:32 - (util-magic.c:62) <Info> (MagicInit) -- using
> magic-file /usr/share/file/magic
> [44] 1/1/1970 -- 00:02:32 - (suricata.c:1942) <Info> (SetupDelayedDetect) --
> Delayed detect disabled
> [44] 1/1/1970 -- 00:02:32 - (reputation.c:620) <Info> (SRepInit) -- IP
> reputation disabled
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/botcc.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/ciarmy.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/compromised.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/drop.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/dshield.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-activex.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-attack_response.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-chat.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-current_events.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-dns.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-dos.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-exploit.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-ftp.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-games.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-icmp_info.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-imap.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-inappropriate.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-malware.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-misc.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-mobile_malware.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-netbios.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-p2p.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-policy.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-pop3.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-rpc.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-scada.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-scan.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-shellcode.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-smtp.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-snmp.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-sql.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-telnet.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-tftp.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-trojan.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-user_agents.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-voip.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-web_client.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-web_server.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-web_specific_apps.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/emerging-worm.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> /etc/suricata/rules/tor.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
> Loading rule file: /etc/suricata/rules/decoder-events.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
> Loading rule file: /etc/suricata/rules/stream-events.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
> Loading rule file: /etc/suricata/rules/http-events.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
> Loading rule file: /etc/suricata/rules/smtp-events.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
> Loading rule file: /etc/suricata/rules/dns-events.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
> Loading rule file: /etc/suricata/rules/tls-events.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
> Loading rule file: /etc/suricata/rules/modbus-events.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
> Loading rule file: /etc/suricata/rules/app-layer-events.rules
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern signatures
> [44] 1/1/1970 -- 00:02:32 - (detect.c:523) <Info> (SigLoadSignatures) -- 50
> rule files processed. 236 rules successfully loaded, 0 rules failed
> [44] 1/1/1970 -- 00:02:32 - (detect.c:2987) <Info> (SigAddressPrepareStage1)
> -- 236 signatures processed. 0 are IP-only rules, 0 are inspecting packet
> payload, 74 inspect application layer, 99 are decoder y
> [44] 1/1/1970 -- 00:02:32 - (detect.c:2990) <Info> (SigAddressPrepareStage1)
> -- building signature grouping structure, stage 1: preprocessing rules...
> complete
> [44] 1/1/1970 -- 00:02:33 - (detect.c:3623) <Info> (SigAddressPrepareStage2)
> -- building signature grouping structure, stage 2: building source address
> list... complete
> [44] 1/1/1970 -- 00:02:33 - (detect.c:4148) <Info> (SigAddressPrepareStage3)
> -- building signature grouping structure, stage 3: building destination
> address lists... complete
> [44] 1/1/1970 -- 00:02:33 - (util-threshold-config.c:1188) <Info>
> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
> [44] 1/1/1970 -- 00:02:33 - (util-coredump-config.c:122) <Info>
> (CoredumpLoadConfig) -- Core dump size set to unlimited.
> [44] 1/1/1970 -- 00:02:33 - (util-logopenfile.c:298) <Info>
> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
> [44] 1/1/1970 -- 00:02:33 - (runmodes.c:739) <Warning>
> (RunModeInitializeOutputs) -- [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - Eve-log
> support not compiled in. Reconfigure/recompile with libjansson and its de.
> [44] 1/1/1970 -- 00:02:33 - (alert-unified2-alert.c:1353) <Info>
> (Unified2AlertInitCtx) -- Unified2-alert initialized: filename
> unified2.alert, limit 32 MB
> [44] 1/1/1970 -- 00:02:33 - (util-logopenfile.c:298) <Info>
> (SCConfLogOpenGeneric) -- http-log output device (regular) initialized:
> http.log
> [44] 1/1/1970 -- 00:02:33 - (util-logopenfile.c:298) <Info>
> (SCConfLogOpenGeneric) -- stats output device (regular) initialized:
> stats.log
> [44] 1/1/1970 -- 00:02:33 - (util-runmodes.c:189) <Info>
> (RunModeSetLiveCaptureAutoFp) -- Using 1 live device(s).
> [45] 1/1/1970 -- 00:02:33 - (tmqh-packetpool.c:394) <Info> (PacketPoolInit)
> -- preallocated 1024 packets. Total memory 2887680
> [45] 1/1/1970 -- 00:02:33 - (source-pcap.c:393) <Info>
> (ReceivePcapThreadInit) -- using interface eth0
> [45] 1/1/1970 -- 00:02:33 - (source-pcap.c:398) <Info>
> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of
> interface state will require 1000 packets.
> [45] 1/1/1970 -- 00:02:33 - (util-ioctl.c:100) <Info> (GetIfaceMTU) -- Found
> an MTU of 1500 for 'eth0'
> [45] 1/1/1970 -- 00:02:33 - (source-pcap.c:433) <Info>
> (ReceivePcapThreadInit) -- Set snaplen to 1516 for 'eth0'
> device eth0 entered promiscuous mode
> [45] 1/1/1970 -- 00:02:33 - (util-ioctl.c:178) <Info> (GetIfaceOffloading)
> -- Generic Receive Offload is set on eth0
> [45] 1/1/1970 -- 00:02:33 - (util-ioctl.c:200) <Info> (GetIfaceOffloading)
> -- Large Receive Offload is unset on eth0
> [45] 1/1/1970 -- 00:02:33 - (source-pcap.c:516) <Warning>
> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using Pcap
> capture with GRO or LRO activated can lead to capture problems.
> [44] 1/1/1970 -- 00:02:33 - (runmode-pcap.c:293) <Info>
> (RunModeIdsPcapAutoFp) -- RunModeIdsPcapAutoFp initialised
> [44] 1/1/1970 -- 00:02:33 - (flow-manager.c:721) <Info>
> (FlowManagerThreadSpawn) -- using 1 flow manager threads
> [47] 1/1/1970 -- 00:02:33 - (tmqh-packetpool.c:394) <Info> (PacketPoolInit)
> -- preallocated 1024 packets. Total memory 2887680
> [44] 1/1/1970 -- 00:02:33 - (flow-manager.c:881) <Info>
> (FlowRecyclerThreadSpawn) -- using 1 flow recycler threads
> [44] 1/1/1970 -- 00:02:33 - (tm-threads.c:2001) <Notice>
> (TmThreadWaitOnThreadInit) -- all 2 packet processing threads, 4 management
> threads initialized, engine started.
>
> As we can see from the debug messages, there is still one Warning message.
>
> Running this command: "/ # tail  /var/log/suricata/http.log" gives nothing!
>
> Running this command: "/ # tail -n 50 /var/log/suricata/stats.log" gives the
> following logs:
>
> defrag.ipv6.fragments        | Total                     | 0
> defrag.ipv6.reassembled   | Total                     | 0
> defrag.ipv6.timeouts          | Total                     | 0
> defrag.max_frag_hits      | Total                     | 0
> tcp.sessions              | Total                     | 0
> tcp.ssn_memcap_drop       | Total                     | 0
> tcp.pseudo                | Total                     | 0
> tcp.pseudo_failed         | Total                     | 0
> tcp.invalid_checksum      | Total                     | 0
> tcp.no_flow               | Total                     | 0
> tcp.syn                   | Total                     | 0
> tcp.synack                | Total                     | 0
> tcp.rst                   | Total                     | 0
> tcp.segment_memcap_drop   | Total                     | 0
> tcp.stream_depth_reached  | Total                     | 0
> tcp.reassembly_gap        | Total                     | 0
> detect.alert              | Total                     | 0
> flow_mgr.closed_pruned    | Total                     | 0
> flow_mgr.new_pruned       | Total                     | 0
> flow_mgr.est_pruned       | Total                     | 0
> flow.spare                | Total                     | 10000
> flow.emerg_mode_entered   | Total                     | 0
> flow.emerg_mode_over      | Total                     | 0
> flow.tcp_reuse            | Total                     | 0
> tcp.memuse                | Total                     | 286720
> tcp.reassembly_memuse     | Total                     | 12244864
> dns.memuse                | Total                     | 0
> dns.memcap_state          | Total                     | 0
> dns.memcap_global         | Total                     | 0
> http.memuse               | Total                     | 0
> http.memcap               | Total                     | 0
> flow.memuse               | Total                     | 6394304
> -------------------------------------------------------------------
> Date: 11/10/2015 -- 11:35:42 (uptime: 0d, 00h 19m 28s)
> -------------------------------------------------------------------
> Counter                   | TM Name                   | Value
> -------------------------------------------------------------------
> capture.kernel_packets    | Total                     | 0
> capture.kernel_drops      | Total                     | 0

Judging by the output above - for 19 min you have seen 0 packets on
that sniffing interface - is that really the case?

> capture.kernel_ifdrops    | Total                     | 0
> decoder.pkts              | Total                     | 0
> decoder.bytes             | Total                     | 0
> decoder.invalid           | Total                     | 0
> decoder.ipv4              | Total                     | 0
> decoder.ipv6              | Total                     | 0
> decoder.ethernet          | Total                     | 0
> decoder.raw               | Total                     | 0
> decoder.null              | Total                     | 0
> decoder.sll               | Total                     | 0
>
>
> Is it possible to tell me if everything is correct?
>
> Is there any test case that gives more explicit results?
>
> Thank you very much in advance.
>
> Best regards,
> Mahdi
>
>
> On Tue, Nov 10, 2015 at 8:55 AM, Scott Prader <rigrunn at gmail.com> wrote:
>>
>> I have compiled suricata on an armv6h, but did not cross-compile it.  I
>> compiled it natively and it worked fine.  It took some time, so I found
>> something else to do while it compiled.
>>
>> On Nov 10, 2015 1:47 AM, "Victor Julien" <lists at inliniac.net> wrote:
>>>
>>> On 10-11-15 08:46, Anoop Saldanha wrote:
>>>>
>>>> On Tue, Nov 10, 2015 at 12:59 PM, Anoop Saldanha
>>>> <anoopsaldanha at gmail.com> wrote:
>>>>>
>>>>> On Mon, Nov 9, 2015 at 11:06 PM, Peter Manev <petermanev at gmail.com>
>>>>> wrote:
>>>>>>
>>>>>> On Mon, Nov 9, 2015 at 3:00 PM, Mahdi Aichouch <foxmehdi at gmail.com>
>>>>>> wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I am trying to run Suricata on an ARMv7 architecture based board.
>>>>>>>
>>>>>>> After I had successfully cross-compiled Suricata for my target, I
>>>>>>> tried to run Suricata on the board but I got an Aborted fault.
>>>>>>>
>>>>>>> Below is the command that I used in my test:
>>>>>>>
>>>>>>> $> ./home/suricata/bin/suricata -c /etc/suricata/suricata.yaml -i
>>>>>>> eth0
>>>>>>> --init-errors-fatal
>>>>>>
>>>>>>
>>>>>> Can you try adding the "-v" switch for more verbose output -
>>>>>> ./home/suricata/bin/suricata -c /etc/suricata/suricata.yaml -i eth0
>>>>>> --init-errors-fatal -v
>>>>>>
>>>>>>>
>>>>>>> [35] 1/1/1970 -- 00:02:03 - (suricata.c:1073) <Notice>
>>>>>>> (SCPrintVersion) --
>>>>>>> This is Suricata version 2.1dev (rev 86711a1)
>>>>>>> Aborted.
>>>>>>>
>>>>>>> No further messages are printed on the terminal.
>>>>>>>
>>>>>>> Could someone help me in figuring out what causes this issue?
>>>>>
>>>>>
>>>>> Trouble with some instructions generated for your architecture most
>>>>> likely.  I would first try and make sure that I have cross compiled
>>>>> directly, and then zero in on the instructions generated by the
>>>>> compiler and make sure it is present in ARMv7's ISA.
>>>>>
>>>>
>>>> My previous reply - s/cross compiled directly/cross compiled correctly/g
>>>>
>>>> As a later step on figuring out the instructions, you can look at the
>>>> kernel/system logs to figure out the instructions that caused the
>>>> error.
>>>>
>>>
>>> Don't forget passing --disable-gccmarch-native to configure before
>>> compiling.
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Suricata User Conference November 4 & 5 in Barcelona:
>>> http://oisfevents.net
>>
>>
>
>
>



-- 
Regards,
Peter Manev
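To put Peter's point into a repeatable check: the script below is an added example, my own code rather than Suricata's or anything posted in this thread. It parses the stats.log block layout quoted above (Date/uptime header, then "Counter | TM Name | Value" rows) and flags an engine that has been up for a while with capture.kernel_packets still at 0, then collapses the repeated ERRCODE warnings from the -v startup output into one line per code. Both sample inputs are constructed to mirror the quoted output, and the 300-second uptime threshold and 1% drop threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape of the stats.log block quoted in the thread
# (Suricata 2.x layout); values mirror the quoted dump.
STATS_SAMPLE = """\
-------------------------------------------------------------------
Date: 11/10/2015 -- 11:35:42 (uptime: 0d, 00h 19m 28s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | Total                     | 0
capture.kernel_drops      | Total                     | 0
capture.kernel_ifdrops    | Total                     | 0
decoder.pkts              | Total                     | 0
decoder.bytes             | Total                     | 0
tcp.sessions              | Total                     | 0
tcp.ssn_memcap_drop       | Total                     | 0
flow.spare                | Total                     | 10000
"""

# Constructed sample of -v startup lines in the format quoted in the thread.
STARTUP_SAMPLE = """\
[44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/botcc.rules
[44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern signatures
[44] 1/1/1970 -- 00:02:33 - (runmodes.c:739) <Warning> (RunModeInitializeOutputs) -- [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - Eve-log support not compiled in.
[45] 1/1/1970 -- 00:02:33 - (source-pcap.c:516) <Warning> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using Pcap capture with GRO or LRO activated can lead to capture problems.
[44] 1/1/1970 -- 00:02:33 - (tm-threads.c:2001) <Notice> (TmThreadWaitOnThreadInit) -- all 2 packet processing threads, 4 management threads initialized, engine started.
"""

UPTIME_RE = re.compile(r"uptime: (\d+)d, (\d+)h (\d+)m (\d+)s")
COUNTER_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")
ERRCODE_RE = re.compile(r"<(Warning|Error)>.*?\[ERRCODE: (\w+)\(\d+\)\] - (.*)$")


def parse_stats(text):
    """Return (uptime_seconds, {counter: value}) for the LAST block in a stats.log dump.

    A 'tail' of stats.log usually starts mid-block, so counters are reset each
    time a new Date/uptime header is seen and only the newest block survives.
    """
    uptime = None
    counters = {}
    for line in text.splitlines():
        m = UPTIME_RE.search(line)
        if m:
            d, h, mi, s = (int(x) for x in m.groups())
            uptime = ((d * 24 + h) * 60 + mi) * 60 + s
            counters = {}  # new block: earlier counters are stale
            continue
        m = COUNTER_RE.match(line)
        if m:  # the 'Counter | TM Name | Value' header has a space, so it never matches
            counters[m.group(1)] = int(m.group(3))
    return uptime, counters


def check_capture(uptime, counters, min_uptime=300, max_drop_ratio=0.01):
    """Flag a silent sensor (up for a while, zero packets), excessive kernel drops,
    and TCP sessions lost to memcap. Thresholds are assumptions, tune per deployment."""
    findings = []
    pkts = counters.get("capture.kernel_packets", 0)
    if uptime is not None and uptime >= min_uptime and pkts == 0:
        findings.append(f"no packets captured after {uptime}s: check interface, "
                        f"mirror/span feed and NIC offloading (GRO/LRO)")
    drops = counters.get("capture.kernel_drops", 0) + counters.get("capture.kernel_ifdrops", 0)
    if pkts and drops / float(pkts + drops) > max_drop_ratio:
        findings.append(f"kernel drop rate above 1%: {drops} dropped of {pkts + drops}")
    if counters.get("tcp.ssn_memcap_drop", 0):
        findings.append("tcp sessions dropped on memcap: raise stream.memcap")
    return findings


def triage_warnings(text):
    """Collapse repeated ERRCODE warnings into (code, count, first message), most frequent first."""
    seen = Counter()
    first = {}
    for line in text.splitlines():
        m = ERRCODE_RE.search(line)
        if m:
            code = m.group(2)
            seen[code] += 1
            first.setdefault(code, m.group(3).strip())
    return [(code, n, first[code]) for code, n in seen.most_common()]


if __name__ == "__main__":
    up, ctr = parse_stats(STATS_SAMPLE)
    for finding in check_capture(up, ctr):
        print("stats:", finding)
    for code, n, msg in triage_warnings(STARTUP_SAMPLE):
        print(f"startup: {code} x{n}: {msg}")
```

On the quoted dump this reports the zero-packet condition after 1168 s of uptime and shows the 45 SC_ERR_NO_RULES lines as a single entry, which makes the genuinely different warnings (Eve-log not compiled in, GRO active on eth0) easier to see.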


