[Oisf-users] Myricom and Suricata
Edgmand, Craig
craig.edgmand at okstate.edu
Tue Aug 28 17:25:06 UTC 2018
I have attached the results using --pcap=snf0 utilizing a modified version of Michal's script.
________________________________
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Michał Purzyński <michalpurzynski1 at gmail.com>
Sent: Monday, August 27, 2018 4:42:19 PM
To: Victor Julien
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Myricom and Suricata
Here is a short script I use to run Suricata on Myricom. Not that this configuration makes any sense since 2016 you're better off with Intel X710.
#!/bin/bash
CPU_NUM=`cat /proc/cpuinfo | grep -E 'model name' | wc -l`
if [[ "${CPU_NUM}" -eq 32 ]]; then
export SNF_NUM_RINGS=16
elif [[ "${CPU_NUM}" -eq 56 ]]; then
export SNF_NUM_RINGS=28
else
exit 1;
fi
(that part is just a nice to have, export SNF_NUM_RINGS to whatever you want)
(change to match your deployment of course, keep the dataring 4x the descring size)
export LD_LIBRARY_PATH=/opt/snf/lib
export SNF_DATARING_SIZE=34359738368
export SNF_DESCRING_SIZE=8589934592
(Export this to get useful debug messages during startup. Does not impact the runtime performance)
export SNF_DEBUG_MASK=0x3
/opt/suricata/bin/suricata -c /etc/nsm/suricata.yaml --pcap=snf0
If that fails, please send the full log to the mailing list.
--
M.
On Aug 27, 2018, at 2:00 PM, Victor Julien <lists at inliniac.net> wrote:
On 27-08-18 22:26, Edgmand, Craig wrote:
I edited the pcap entry in suricata.yaml
pcap:
  - interface: p1p1
    threads: 16
    buffer-size: 2gb
    promisc: no
I ran variations of this command..
# SNF_NUM_RINGS=16 SNF_DEBUG_MASK=3 SNF_DATARING_SIZE=4294967296
SNF_DESCRING_SIZE=1073741824 /opt/suricata/bin/suricata -i p1p1 -c
/opt/suricata/etc/suricata/suricata.yaml -v --runmode=workers
After running these, if you look at myri_counters, it shows no packets using
the sniffer interface.
SNF recv pkts: 0
SNF drop ring full: 0
If you try to run the tests using the snf0 interface, suricata dies.
How does it die? Any errors?
Any thoughts? I have reviewed the documentation from Myricom and
Suricata as well.
Thanks,
What happens if you replace -i p1p1 with --pcap=p1p1 ?
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snf0.out
Type: application/octet-stream
Size: 47990 bytes
Desc: snf0.out
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180828/9ad1e4b7/attachment-0001.obj>
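
The ring settings from the quoted launch script, as an added example that is not part of the thread or any poster's code: a POSIX shell preflight that derives SNF_NUM_RINGS from the CPU count and keeps the data ring at 4x the descriptor ring before anything is exported. The function names and the "half the CPUs" rule are assumptions, generalized from the script's two hard-coded cases (32 -> 16, 56 -> 28).

```sh
#!/bin/sh
# Added example, not from the thread: validate SNF ring settings before
# launching Suricata with --pcap=snf0.

# True only for a positive decimal integer with no leading zero, so the
# value is safe to pass to shell arithmetic.
is_pos_int() {
    case $1 in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
}

# Ring count for a logical CPU count. The thread's script hard-codes
# 32 -> 16 and 56 -> 28; "half the CPUs" is an assumed generalization.
snf_rings_for_cpus() (
    is_pos_int "$1" && [ "$1" -ge 2 ] || return 1
    echo $(( $1 / 2 ))
)

# Succeeds only when the data ring ($1) is exactly 4x the descriptor
# ring ($2), the ratio the thread says to keep.
snf_ratio_ok() (
    is_pos_int "$1" && is_pos_int "$2" || return 1
    [ "$1" -eq $(( 4 * $2 )) ]
)

# Print export lines for a CPU count ($1) and a descriptor ring size in
# bytes ($2), or fail without printing any export line.
snf_env() (
    rings=$(snf_rings_for_cpus "$1") || { echo "bad CPU count: '$1'" >&2; return 1; }
    is_pos_int "$2" || { echo "bad SNF_DESCRING_SIZE: '$2'" >&2; return 1; }
    data=$(( 4 * $2 ))
    printf 'export SNF_NUM_RINGS=%s\n' "$rings"
    printf 'export SNF_DATARING_SIZE=%s\n' "$data"
    printf 'export SNF_DESCRING_SIZE=%s\n' "$2"
)
```

Typical use is `eval "$(snf_env "$(grep -c 'model name' /proc/cpuinfo)" 8589934592)"` ahead of the suricata command line; both size pairs quoted in the thread pass `snf_ratio_ok`.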