[Oisf-users] Problems running Suricata 3.1.1 under FreeBSD 10.3

Peter Manev petermanev at gmail.com
Thu Jul 28 22:06:38 UTC 2016 

On Wed, Jul 27, 2016 at 2:38 PM, C. L. Martinez <carlopmart at gmail.com> wrote:
> Hi all,
>
>  When I try to start suricata with these options: "--pcap -v -k none -D" under a FreeBSD 10.3 host (amd64, fully patched), the following errors appears:
>
> 27/7/2016 -- 13:29:53 - <Notice> - This is Suricata version 3.1.1 RELEASE
> 27/7/2016 -- 13:29:53 - <Info> - CPUs/cores online: 1
> 27/7/2016 -- 13:29:53 - <Info> - Found an MTU of 1500 for 'vtnet0'
> 27/7/2016 -- 13:29:53 - <Info> - Found an MTU of 1500 for 'vtnet3'
> 27/7/2016 -- 13:29:53 - <Info> - Found an MTU of 1500 for 'vtnet5'
> 27/7/2016 -- 13:29:53 - <Info> - Max dump is 0
> 27/7/2016 -- 13:29:53 - <Info> - Core dump setting attempted is 0
> 27/7/2016 -- 13:29:53 - <Info> - Core dump size set to 0
> 27/7/2016 -- 13:29:53 - <Info> - 3 rule files processed. 35 rules successfully loaded, 0 rules failed
> 27/7/2016 -- 13:29:53 - <Info> - 35 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 35 inspect application layer, 0 are decoder event only
> 27/7/2016 -- 13:29:53 - <Info> - Threshold config parsed: 0 rule(s) found
> 27/7/2016 -- 13:29:53 - <Info> - fast output device (regular) initialized: fast.log
> 27/7/2016 -- 13:29:53 - <Info> - stats output device (regular) initialized: stats.log
> 27/7/2016 -- 13:29:53 - <Info> - Going to use 1 thread(s)
> 27/7/2016 -- 13:29:53 - <Info> - using interface
> 27/7/2016 -- 13:29:53 - <Error> - [ERRCODE: SC_ERR_PCAP_ACTIVATE_HANDLE(27)] - Couldn't activate the pcap handler, error BIOCSETIF failed: Device not configured

Which interface triggers that err above?

> 27/7/2016 -- 13:29:53 - <Info> - Going to use 1 thread(s)
> 27/7/2016 -- 13:29:53 - <Info> - using interface vtnet0
> 27/7/2016 -- 13:29:53 - <Info> - Found an MTU of 1500 for 'vtnet0'
> 27/7/2016 -- 13:29:53 - <Info> - Set snaplen to 1524 for 'vtnet0'
> 27/7/2016 -- 13:29:53 - <Info> - Going to use 1 thread(s)
> 27/7/2016 -- 13:29:53 - <Info> - using interface vtnet3
> 27/7/2016 -- 13:29:53 - <Info> - Found an MTU of 1500 for 'vtnet3'
> 27/7/2016 -- 13:29:53 - <Info> - Set snaplen to 1524 for 'vtnet3'
> 27/7/2016 -- 13:29:53 - <Info> - Going to use 1 thread(s)
> 27/7/2016 -- 13:29:54 - <Info> - using interface vtnet5
> 27/7/2016 -- 13:29:54 - <Info> - Found an MTU of 1500 for 'vtnet5'
> 27/7/2016 -- 13:29:54 - <Info> - Set snaplen to 1524 for 'vtnet5'
> 27/7/2016 -- 13:29:54 - <Info> - RunModeIdsPcapWorkers initialised
> 27/7/2016 -- 13:29:54 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#01-" closed on initialization.
> 27/7/2016 -- 13:29:54 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
>
>  I have configured pcap's options in suricata.yaml:
>
> # Cross platform libpcap capture support
> pcap:
>   - interface: vtnet0
>     # On Linux, pcap will try to use mmaped capture and will use buffer-size
>     # as total of memory used by the ring. So set this to something bigger
>     # than 1% of your bandwidth.
>     #buffer-size: 16777216
>     #bpf-filter: "tcp and port 25"
>     # Choose checksum verification mode for the interface. At the moment
>     # of the capture, some packets may be with an invalid checksum due to
>     # offloading to the network card of the checksum computation.
>     # Possible values are:
>     #  - yes: checksum validation is forced
>     #  - no: checksum validation is disabled
>     #  - auto: suricata uses a statistical approach to detect when
>     #  checksum off-loading is used. (default)
>     # Warning: 'checksum-validation' must be set to yes to have any validation
>     #checksum-checks: no
>     # With some accelerator cards using a modified libpcap (like myricom), you
>     # may want to have the same number of capture threads as the number of capture
>     # rings. In this case, set up the threads variable to N to start N threads
>     # listening on the same interface.
>     #threads: 16
>     # set to no to disable promiscuous mode:
>     #promisc: no
>     # set snaplen, if not set it defaults to MTU if MTU can be known
>     # via ioctl call and to full capture if not.
>     #snaplen: 1518
>   - interface: vtnet3
>   - interface: vtnet5
>   # Put default values here
>   - interface: default
>     checksum-checks: no
>
>
>  .. And running with thes other switches: "--pcap=vtnet0 --pcap=vtnet3 --pcap=vtnet5 -v -k none -D", all works ok. Any idea why?? Maybe the problem is to try to run suricata with multiple interfaces??
>
> Thanks.
>
> --
> Greetings,
> C. L. Martinez
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net



-- 
Regards,
Peter Manev

More information about the Oisf-users mailing list