[Oisf-users] Suricata - vars and multiple interfaces

Davide Setti d.setti at certego.net
Thu Aug 9 12:44:04 UTC 2018


Hi Victor,

> > Device/interface tenants seems to work, also using a bridge interface (I
> > had to use it due to our span configuration). The only problem were a
> > couple segmentation faults that stopped suricata
> >
> > [1]    31271 segmentation fault (core dumped)  suricata -c suricata.yaml
> > --af-packet
> >
> > This may be caused because on our test machine there is also an other
> > running instance of suricata which was not stopped during my test.
> > If I find more time we could investigate, but ATM I don't know when.
>
> Ok, I would love to get more info. Please open a ticket or post the
> details here.
>

Today I updated my test suricata to PR/3448.

Regarding the *segfault*, now I think that it was my fault, because I was running
another instance on the same host monitoring the same interfaces. Today I
switched off the other suricata and everything worked as expected.

Unfortunately the -T switch keeps getting errors:

network-sensor suricata # suricata -c suricata.yaml -T
[17437] 9/8/2018 -- 06:51:42 - (suricata.c:1900) <Info> (ParseCommandLine) -- Running suricata under test mode
[17437] 9/8/2018 -- 06:51:42 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 4.1.0-dev (rev a3caef7)
[17437] 9/8/2018 -- 06:51:42 - (detect-engine.c:2967) <Warning> (DetectEngineMultiTenantSetupLoadLivedevMappings) -- [ERRCODE: SC_ERR_MT_NO_MAPPING(271)] - device eno2 not found
[17437] 9/8/2018 -- 06:51:42 - (detect-engine.c:3148) <Error> (DetectEngineMultiTenantSetup) -- [ERRCODE: SC_ERR_MT_NO_MAPPING(271)] - no multi-detect mappings defined
[17437] 9/8/2018 -- 06:51:42 - (suricata.c:2575) <Error> (PostConfLoadedDetectSetup) -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - initializing multi-detect detection engine contexts failed.


Thank you,
Davide
-- 
Davide Setti
R&D and Incident Response Team, Certego
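For readers following the thread, here is what a per-device multi-tenant
configuration of the kind being tested looks like. This is an added
illustration, not the configuration from Davide's sensor or from the PR
under discussion; the interface names, tenant ids and tenant file names are
assumptions chosen for the example.

```yaml
# Added example (not the poster's configuration): capture on two interfaces
# and hand each interface to its own detection engine (tenant).
af-packet:
  - interface: eno2          # assumed interface name
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
  - interface: eno3          # assumed interface name
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes

multi-detect:
  enabled: yes
  # "device" selects the tenant by the capture interface the packet arrived
  # on; the older selectors are "vlan" and "direct".
  selector: device
  loaders: 2
  tenants:
    - id: 1
      yaml: tenant-1.yaml    # assumed file; holds that tenant's rule-files
    - id: 2
      yaml: tenant-2.yaml    # assumed file
  # Every device named here must be a live device Suricata has registered
  # from its capture configuration; the "device eno2 not found" warning in
  # the post above is what is logged when the lookup of a mapped name fails.
  mappings:
    - device: eno2
      tenant-id: 1
    - device: eno3
      tenant-id: 2
```

Each tenant file is an ordinary, reduced suricata.yaml that carries only the
rule loading keys (default-rule-path and rule-files) for that tenant; the
main file keeps everything else. Mapping entries that name an interface
absent from the capture section are rejected rather than silently ignored,
which is the behaviour the -T output in this message shows.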