[Oisf-users] Suricata with PF_RING and IXGBE

Peter Manev petermanev at gmail.com
Mon Feb 29 16:22:02 UTC 2016


On Mon, Feb 29, 2016 at 3:52 PM, Yasha Zislin <coolyasha at hotmail.com> wrote:
> I have a weird problem. I have a bunch of sensors running in CentOS 6 with
> latest pf_ring and Suricata 2.1beta4.
> Most of the sensors have HP fiber nics (10 gigs) for monitoring interfaces
> but two of them have Intel 82599 (ixgbe).
> One of these Intel sensors is active and the other is standby. Standby
> barely has any traffic on monitored interface (about 400 packets a minute
> which are all broadcast).
> When I start suricata service on the standby, it is impossible to reload
> rules or to stop it. On stop it eventually dies off with this message:

When you start Suricata on the standby sensor - is there any error in
the suricata.log (when using the -v switch)?

> <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect
> thread - "RxPFReth21".  Killing engine
>
> I've flipped the active and standby to check if the server/hardware is the
> problem. The issue moved to the other server when it became standby.
>
> I've installed the latest Intel driver. I've set everything on it as per
> the article:
> http://pevma.blogspot.com/2013/12/suricata-and-grand-slam-of-open-source.html
>
> I've tried killing irqbalance and setting affinity. No luck.
> I did however notice that if I reduce the number of threads to 1, everything
> is working. But when it is more than one, the issue starts.
>
> Did anybody else have this issue with Intel cards and PF_RING???
>



-- 
Regards,
Peter Manev


