[Oisf-users] Problems starting Suricata

Amar Rathore - CounterSnipe Systems amar at countersnipe.com
Wed Oct 25 21:36:08 UTC 2017


Hi Charles

If that works for you, is the fix not achievable by setting those options in the configuration files using the ETHTOOL_OPTS parameter?

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-interfaces.html

Moreover, I would be interested in learning how you arrived at that resolution in the first place.

Amar


> On October 25, 2017 at 12:13 PM Charles Devoe <Charles.Devoe at cisecurity.org> wrote:
> 
> 
>     I have a Dell R630 system with an Intel X710 DP 10 GB DA/SFP+ + I350 DP 1GB Daughter card and an Intel X710 Dual Port 10GB PCI Card. 
> 
>     It is running Red Hat 6.8, kernel 3.8.13-118.8.1.el6uek.x86_64, Suricata 3.0.
> 
>      
> 
>     NIC driver: i40e, version: 2.2.4 Latest firmware.
> 
> 
>     When the system boots, the NIC cards will only observe broadcast traffic. In order for the card to receive all traffic being forwarded to it, I have to do the following:
> 
>     1. Stop em1, em2, p3p1, p3p2 (ifdown)
>     2. modprobe -r i40e
>     3. modprobe i40e
>     4. Configure the interfaces
> 
>         ethtool -K em1 tso off gro off ufo off lro off gso off rx off tx off rxvlan off txvlan off
>         ethtool -L em1 combined 1
>         ethtool -K em2 tso off gro off ufo off lro off gso off rx off tx off rxvlan off txvlan off
>         ethtool -L em2 combined 1
>         ethtool -K p3p1 tso off gro off ufo off lro off gso off rx off tx off rxvlan off txvlan off
>         ethtool -L p3p1 combined 1
>         ethtool -K p3p2 tso off gro off ufo off lro off gso off rx off tx off rxvlan off txvlan off
>         ethtool -L p3p2 combined 1
> 
>     5. Bring the interfaces up (ifup)
>     6. Start Suricata
> 
>     We have 100+ sensors with Intel cards in them with no issues. 
> 
>     Has anyone experienced this issue and is there a fix????

Kind regards

Amar Rathore

CounterSnipe Systems LLC
Tel: +1 617 701 7213
Mobile: +44 (0) 7876 233333
Skype ID: amarrathore
Web: www.countersnipe.com <http://www.countersnipe.com/>
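
A check for step 4 of the quoted procedure, as an added example that is not part of the original thread: it parses `ethtool -k` and `ethtool -l` output to confirm the listed offloads are off and the combined channel count is 1 before Suricata is started. The function names and the sample output are constructed for illustration, and `check_iface` assumes `ethtool` is installed.

```shell
# Long names printed by `ethtool -k` for the short names the thread passes to
# `ethtool -K`: tso gro ufo lro gso rx tx rxvlan txvlan.
WANT_OFF="tcp-segmentation-offload generic-receive-offload \
udp-fragmentation-offload large-receive-offload generic-segmentation-offload \
rx-checksumming tx-checksumming rx-vlan-offload tx-vlan-offload"

# stdin: `ethtool -k IFACE` output. Prints name=state for each wanted feature
# that is not "off", and name=missing for any the driver did not list.
offloads_not_off() {
    awk -v want="$WANT_OFF" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        { name = $1; sub(/:$/, "", name) }
        (name in need) { seen[name] = 1; if ($2 != "off") print name "=" $2 }
        END { for (i = 1; i <= n; i++) if (!(w[i] in seen)) print w[i] "=missing" }'
}

# stdin: `ethtool -l IFACE` output. Prints the current (not maximum) combined count.
current_combined() {
    awk '/^Current hardware settings/ { cur = 1 } cur && $1 == "Combined:" { print $2 }'
}

# Live check (hypothetical helper name); non-zero means the settings did not stick.
check_iface() {
    bad=$(ethtool -k "$1" | offloads_not_off)
    chan=$(ethtool -l "$1" | current_combined)
    if [ -z "$bad" ] && [ "$chan" = "1" ]; then return 0; fi
    echo "$1: not off: ${bad:-none}; combined channels: ${chan:-unknown}" >&2
    return 1
}

# Constructed sample output, not captured from the poster's system.
SAMPLE_K='Features for em1:
rx-checksumming: off
tx-checksumming: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: off'
SAMPLE_L='Channel parameters for em1:
Pre-set maximums:
Combined:       64
Current hardware settings:
Combined:       1'

printf '%s\n' "$SAMPLE_K" | offloads_not_off
printf '%s\n' "$SAMPLE_L" | current_combined
```

On a sensor, `check_iface em1 && check_iface em2 && check_iface p3p1 && check_iface p3p2` can gate the Suricata start in step 6.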

