[Oisf-users] Suricata with PF_RING and IXGBE

Yasha Zislin coolyasha at hotmail.com
Mon Feb 29 16:38:44 UTC 2016


Peter,
I run with -vv switch and suricata.log only has this warning:

<Warning> - [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - Eve-log support not compiled in. Reconfigure/recompile with libjansson and its development files installed to add eve-log support.

I assume it would be unrelated.

> Date: Mon, 29 Feb 2016 17:22:02 +0100
> Subject: Re: [Oisf-users] Suricata with PF_RING and IXGBE
> From: petermanev at gmail.com
> To: coolyasha at hotmail.com
> CC: oisf-users at lists.openinfosecfoundation.org
> 
> On Mon, Feb 29, 2016 at 3:52 PM, Yasha Zislin <coolyasha at hotmail.com> wrote:
> > I have a weird problem. I have a bunch of sensors running in CentOS 6 with
> > latest pf_ring and Suricata 2.1beta4.
> > Most of the sensors have HP fiber nics (10 gigs) for monitoring interfaces
> > but two of them have Intel 82599 (ixgbe).
> > One of these Intel sensors is active and the other is standby. Standby
> > barely has any traffic on monitored interface (about 400 packets a minute
> > which are all broadcast).
> > When I start suricata service on the standby, it is impossible to reload
> > rules or to stop it. On stop it eventually dies off with this message:
> 
> When you start Suricata on the standby sensor - is there any err in
> the suricata.log (when using the -v switch)?
> 
> > <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect
> > thread - "RxPFReth21".  Killing engine
> >
> > I've flipped the active and standby to check if the server/hardware is the
> > problem. The issue moved to the other server when it became standby.
> >
> > I've installed the latest Intel Driver. I've set everything on it as per
> > article:
> > http://pevma.blogspot.com/2013/12/suricata-and-grand-slam-of-open-source.html
> >
> > I've tried killing irqbalance and setting affinity. No luck.
> > I did however notice that if I reduce number of threads to 1, everything is
> > working. But when it is more than one, the issue starts.
> >
> > Did anybody else have this issue with Intel cards and PF_RING???
> >
> 
> 
> 
> -- 
> Regards,
> Peter Manev