[Oisf-users] Suricata with PF_RING and IXGBE

Yasha Zislin coolyasha at hotmail.com
Mon Mar 7 14:45:14 UTC 2016


Awesome news, Victor. I would think a lot of people would be affected with active/standby inspection configured.
Do you have an estimate when this might get done? And would this be only in Suricata 3.0 or in 2.1beta4 as well?
Thanks again.

> Subject: Re: [Oisf-users] Suricata with PF_RING and IXGBE
> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> From: lists at inliniac.net
> Date: Mon, 7 Mar 2016 15:12:00 +0100
> 
> On 29-02-16 18:54, Yasha Zislin wrote:
> > I've reached out to PF_RING folks and they tried to provide a patch but
> > it was declined by Suricata.
> 
> Actually, they disappeared after we suggested some improvements. Not
> quite the same as rejecting.
> 
> Anyway, I talked to Alfredo and will merge his 'break loop' work soon.
> That will address the shutdown issue.
> 
> Cheers,
> Victor
> 
> > 
> > https://github.com/inliniac/suricata/pull/1696
> > https://github.com/inliniac/suricata/commit/4c7d0ae0fb8a00a2b17803dc981cdf0cc841f381
> > 
> > This patch is supposed to fix the issue with no traffic on the thread.
> > 
> >> To: oisf-users at lists.openinfosecfoundation.org
> >> From: lists at inliniac.net
> >> Date: Mon, 29 Feb 2016 17:24:43 +0100
> >> Subject: Re: [Oisf-users] Suricata with PF_RING and IXGBE
> >>
> >> On 29-02-16 15:52, Yasha Zislin wrote:
> >> > I have a weird problem. I have a bunch of sensors running in CentOS 6
> >> > with latest pf_ring and Suricata 2.1beta4.
> >> > Most of the sensors have HP fiber nics (10 gigs) for monitoring
> >> > interfaces but two of them have Intel 82599 (ixgbe).
> >> > One of these Intel sensors is active and the other is standby. Standby
> >> > barely has any traffic on monitored interface (about 400 packets a
> >> > minute which are all broadcast).
> >> > When I start suricata service on the standby, it is impossible to reload
> >> > rules or to stop it. On stop it eventually dies off with this message:
> >> > <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect
> >> > thread - "RxPFReth21". Killing engine
> >> >
> >> > I've flipped the active and standby to check if the server/hardware is
> >> > the problem. The issue moved to the other server when it became standby.
> >> >
> >> > I've installed the latest Intel Driver. I've set everything on it as per
> >> > article:
> >> >
> >> > http://pevma.blogspot.com/2013/12/suricata-and-grand-slam-of-open-source.html
> >> >
> >> > I've tried killing irqbalance and setting affinity. No luck.
> >> > I did however notice that if I reduce number of threads to 1,
> >> > everything is working. But when it is more than one, the issue starts.
> >> >
> >> > Did anybody else have this issue with Intel cards and PF_RING???
> >>
> >> This looks a lot like this issue here:
> >> https://redmine.openinfosecfoundation.org/issues/1716
> >>
> >> The problem could be that some threads never get traffic.
> >>
> >> --
> >> ---------------------------------------------
> >> Victor Julien
> >> http://www.inliniac.net/
> >> PGP: http://www.inliniac.net/victorjulien.asc
> >> ---------------------------------------------
> >>
> 
> 
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 