[Oisf-users] Suricata - vars and multiple interfaces

Victor Julien lists at inliniac.net
Thu Aug 9 12:47:33 UTC 2018 

On 09-08-18 14:44, Davide Setti wrote:
> Hi Victor, 
> 
>     > Device/interface tenants seems to work, also using a bridge interface (I
>     > had to use it due to our span configuration). The only problem were a
>     > couple segmentation faults that stopped suricata
>     > 
>     > [1]    31271 segmentation fault (core dumped)  suricata -c suricata.yaml
>     > --af-packet
>     > 
>     > This may be caused because on our test machine there is also an other
>     > running instance of suricata which was not stopped during my test.
>     > If I find more time we could investigate, but ATM I don't know when.
> 
>     Ok, I would love to get more info. Please open a ticket or post the
>     details here.
> 
>  
> Today I updated my test suricata to PR/3448.
> 
> Regarding /segfault/ now I think that it was my fault, cause I was
> running an 
> other instance on the same host monitoring the same interfaces. Today I 
> switched off the other suricata and everything worked as expected.
> 
> Unfotunatelly -T switch keeps getting errors:
> network-sensor suricata # suricata -c suricata.yaml -T         
> [17437] 9/8/2018 -- 06:51:42 - (suricata.c:1900) <Info>
> (ParseCommandLine) -- Running suricata under test mode
> [17437] 9/8/2018 -- 06:51:42 - (suricata.c:1084) <Notice> (LogVersion)
> -- This is Suricata version 4.1.0-dev (rev a3caef7)
> [17437] 9/8/2018 -- 06:51:42 - (detect-engine.c:2967) <Warning>
> (DetectEngineMultiTenantSetupLoadLivedevMappings) -- [ERRCODE:
> SC_ERR_MT_NO_MAPPING(271)] - device eno2 not found
> [17437] 9/8/2018 -- 06:51:42 - (detect-engine.c:3148) <Error>
> (DetectEngineMultiTenantSetup) -- [ERRCODE: SC_ERR_MT_NO_MAPPING(271)] -
> no multi-detect mappings defined
> [17437] 9/8/2018 -- 06:51:42 - (suricata.c:2575) <Error>
> (PostConfLoadedDetectSetup) -- [ERRCODE: SC_ERR_INITIALIZATION(45)] -
> initializing multi-detect detection engine contexts failed.


you would need to run:

suricata -c suricata.yaml -T --af-packet

as Suricata won't know what capture method you intend to use.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

More information about the Oisf-users mailing list