[Oisf-users] suricata 4.1 eBpf load balance

mazhuang at 17paipai.cn mazhuang at 17paipai.cn
Mon Oct 8 03:57:48 UTC 2018


Hi Eric
I used the new code, and the permission issue was resolved, but the load balancing issue remained.


[root at yg suricata]# suricata --af-packet=ens4f1 --runmode=workers  -c /etc/suricata/suricata.yaml -vvv
[14754] 8/10/2018 -- 11:46:05 - (conf-yaml-loader.c:273) <Info> (ConfYamlParse) -- Configuration node 'extended' redefined.
[14754] 8/10/2018 -- 11:46:05 - (suricata.c:1076) <Notice> (LogVersion) -- This is Suricata version 4.1.0-dev (rev 325f336f6)
[14754] 8/10/2018 -- 11:46:05 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 40
[14754] 8/10/2018 -- 11:46:05 - (app-layer-htp.c:2197) <Config> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'request-body-minimal-inspect-size' set to 31467 and 'request-body-inspect-window' set to 3900 after randomization.
[14754] 8/10/2018 -- 11:46:05 - (app-layer-htp.c:2215) <Config> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'response-body-minimal-inspect-size' set to 40414 and 'response-body-inspect-window' set to 16683 after randomization.
[14754] 8/10/2018 -- 11:46:05 - (app-layer-dns-udp.c:362) <Config> (DNSUDPConfigure) -- DNS request flood protection level: 500
[14754] 8/10/2018 -- 11:46:05 - (app-layer-dns-udp.c:374) <Config> (DNSUDPConfigure) -- DNS per flow memcap (state-memcap): 524288
[14754] 8/10/2018 -- 11:46:05 - (app-layer-dns-udp.c:386) <Config> (DNSUDPConfigure) -- DNS global memcap: 16777216
[14754] 8/10/2018 -- 11:46:05 - (app-layer-modbus.c:1514) <Config> (RegisterModbusParsers) -- Protocol detection and parser disabled for modbus protocol.
[14754] 8/10/2018 -- 11:46:05 - (app-layer-enip.c:416) <Config> (RegisterENIPUDPParsers) -- Protocol detection and parser disabled for enip protocol.
[14754] 8/10/2018 -- 11:46:05 - (app-layer-dnp3.c:1598) <Config> (RegisterDNP3Parsers) -- Protocol detection and parser disabled for DNP3.
[14754] 8/10/2018 -- 11:46:06 - (host.c:254) <Config> (HostInitConfig) -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[14754] 8/10/2018 -- 11:46:06 - (host.c:277) <Config> (HostInitConfig) -- preallocated 1000 hosts of size 136
[14754] 8/10/2018 -- 11:46:06 - (host.c:279) <Config> (HostInitConfig) -- host memory usage: 398144 bytes, maximum: 33554432
[14754] 8/10/2018 -- 11:46:06 - (util-coredump-config.c:122) <Config> (CoredumpLoadConfig) -- Core dump size is unlimited.
[14754] 8/10/2018 -- 11:46:06 - (defrag-hash.c:249) <Config> (DefragInitConfig) -- allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[14754] 8/10/2018 -- 11:46:06 - (defrag-hash.c:274) <Config> (DefragInitConfig) -- preallocated 65535 defrag trackers of size 168
[14754] 8/10/2018 -- 11:46:06 - (defrag-hash.c:281) <Config> (DefragInitConfig) -- defrag memory usage: 14679896 bytes, maximum: 33554432
[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:396) <Config> (StreamTcpInitConfig) -- stream "prealloc-sessions": 2048 (per thread)
[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:415) <Config> (StreamTcpInitConfig) -- stream "memcap": 67108864
[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:421) <Config> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:427) <Config> (StreamTcpInitConfig) -- stream "async-oneside": disabled
[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:444) <Config> (StreamTcpInitConfig) -- stream "checksum-validation": enabled
[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:472) <Config> (StreamTcpInitConfig) -- stream."inline": disabled
[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:485) <Config> (StreamTcpInitConfig) -- stream "bypass": disabled
[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:507) <Config> (StreamTcpInitConfig) -- stream "max-synack-queued": 5
[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:529) <Config> (StreamTcpInitConfig) -- stream.reassembly "memcap": 268435456
[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:547) <Config> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:623) <Config> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2558
[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:625) <Config> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2650
[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:637) <Config> (StreamTcpInitConfig) -- stream.reassembly.raw: enabled
[14754] 8/10/2018 -- 11:46:06 - (stream-tcp-reassemble.c:381) <Config> (StreamTcpReassemblyConfig) -- stream.reassembly "segment-prealloc": 2048
[14754] 8/10/2018 -- 11:46:06 - (util-logopenfile.c:501) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[14754] 8/10/2018 -- 11:46:06 - (util-logopenfile.c:501) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve-%y-%m-%d.json
[14754] 8/10/2018 -- 11:46:06 - (runmodes.c:606) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'alert'
[14754] 8/10/2018 -- 11:46:06 - (runmodes.c:606) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'dns'
[14754] 8/10/2018 -- 11:46:06 - (util-logopenfile.c:501) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[14754] 8/10/2018 -- 11:46:06 - (suricata.c:2371) <Config> (SetupDelayedDetect) -- Delayed detect disabled
[14754] 8/10/2018 -- 11:46:06 - (util-conf.c:115) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[14754] 8/10/2018 -- 11:46:06 - (detect-engine.c:1509) <Config> (DetectEngineCtxInitReal) -- pattern matchers: MPM: ac, SPM: bm
[14754] 8/10/2018 -- 11:46:06 - (detect-engine.c:1905) <Config> (DetectEngineCtxLoadConf) -- grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
[14754] 8/10/2018 -- 11:46:06 - (detect-engine.c:1929) <Config> (DetectEngineCtxLoadConf) -- grouping: udp-whitelist (default) 53, 135, 5060
[14754] 8/10/2018 -- 11:46:06 - (detect-engine.c:1957) <Config> (DetectEngineCtxLoadConf) -- prefilter engines: MPM
[14754] 8/10/2018 -- 11:46:06 - (reputation.c:609) <Config> (SRepInit) -- IP reputation disabled
[14754] 8/10/2018 -- 11:46:06 - (detect-engine-loader.c:247) <Config> (ProcessSigFiles) -- Loading rule file: /var/lib/suricata/rules/suricata.rules
[14754] 8/10/2018 -- 11:46:07 - (detect-parse.c:1938) <Info> (SigInit) -- Rule with ID 2026440 is bidirectional, but source and destination are the same, treating the rule as unidirectional
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-loader.c:247) <Config> (ProcessSigFiles) -- Loading rule file: /var/lib/suricata/rules/pass.rules
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-loader.c:247) <Config> (ProcessSigFiles) -- Loading rule file: /var/lib/suricata/rules/local.rules
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-loader.c:351) <Info> (SigLoadSignatures) -- 3 rule files processed. 19637 rules successfully loaded, 0 rules failed
[14754] 8/10/2018 -- 11:46:08 - (util-threshold-config.c:1129) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:340) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for tcp-packet
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:340) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for tcp-stream
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:340) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for udp-packet
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:340) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for other-ip
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_uri
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_request_line
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_client_body
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_response_line
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_header
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_header
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_header_names
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_header_names
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_accept
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_accept_enc
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_accept_lang
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_referer
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_connection
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_content_len
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_content_len
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_content_type
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_content_type
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_protocol
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_protocol
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_start
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_start
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_raw_header
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_raw_header
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_method
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_cookie
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_cookie
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_raw_uri
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_user_agent
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_host
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_raw_host
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_stat_msg
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_stat_code
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for dns_query
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for tls_sni
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for tls_cert_issuer
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for tls_cert_subject
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for tls_cert_serial
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for tls_cert_fingerprint
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for ja3_hash
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for ja3_string
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for dce_stub_data
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for dce_stub_data
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for ssh_protocol
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for ssh_protocol
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for ssh_software
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for ssh_software
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file_data
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file_data
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-build.c:1398) <Info> (SigAddressPrepareStage1) -- 20544 signatures processed. 2981 are IP-only rules, 6158 are inspecting packet payload, 13593 inspect application layer, 0 are decoder event only
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-build.c:1401) <Config> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: preprocessing rules... complete
[14754] 8/10/2018 -- 11:46:08 - (detect-flowbits.c:475) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Locky' is checked but not set. Checked in 2026434 and 0 other sigs
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-build.c:1240) <Perf> (RulesGroupByPorts) -- TCP toserver: 41 port groups, 34 unique SGH's, 7 copies
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-build.c:1240) <Perf> (RulesGroupByPorts) -- TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-build.c:1240) <Perf> (RulesGroupByPorts) -- UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-build.c:1240) <Perf> (RulesGroupByPorts) -- UDP toclient: 21 port groups, 16 unique SGH's, 5 copies
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-build.c:986) <Perf> (RulesGroupByProto) -- OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
[14754] 8/10/2018 -- 11:46:08 - (detect-engine-build.c:1023) <Perf> (RulesGroupByProto) -- OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-build.c:1770) <Perf> (SigAddressPrepareStage4) -- Unique rule groups: 107
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:995) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver TCP packet": 25
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:995) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient TCP packet": 20
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:995) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver TCP stream": 24
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:995) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient TCP stream": 21
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:995) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver UDP packet": 33
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:995) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient UDP packet": 15
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:995) <Perf> (MpmStoreReportStats) -- Builtin MPM "other IP packet": 2
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_uri": 12
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_request_line": 1
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_client_body": 5
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_response_line": 1
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_header": 6
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_header": 3
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_header_names": 1
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_accept": 1
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_referer": 1
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_content_len": 1
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_content_type": 1
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_content_type": 1
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_start": 1
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_raw_header": 1
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_raw_header": 1
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_method": 3
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_cookie": 1
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_cookie": 2
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_raw_uri": 1
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_user_agent": 4
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_host": 2
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_stat_code": 1
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver dns_query": 4
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver tls_sni": 2
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls_cert_issuer": 2
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls_cert_subject": 1
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls_cert_serial": 1
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver ssh_protocol": 1
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver file_data": 1
[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient file_data": 5
[14754] 8/10/2018 -- 11:47:10 - (runmode-af-packet.c:344) <Info> (ParseAFPConfig) -- Using ebpf based cluster mode for AF_PACKET (iface ens4f1)
[14754] 8/10/2018 -- 11:47:10 - (runmode-af-packet.c:376) <Config> (ParseAFPConfig) -- af-packet will use '/etc/suricata/ebpf/lb.bpf' as eBPF load balancing file
[14754] 8/10/2018 -- 11:47:10 - (runmode-af-packet.c:643) <Config> (ParseAFPConfig) -- ens4f1: enabling zero copy mode by using data release call
[14754] 8/10/2018 -- 11:47:10 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 16 thread(s)
[14754] 8/10/2018 -- 11:47:10 - (flow-manager.c:819) <Config> (FlowManagerThreadSpawn) -- using 1 flow manager threads
[14754] 8/10/2018 -- 11:47:10 - (flow-manager.c:980) <Config> (FlowRecyclerThreadSpawn) -- using 1 flow recycler threads
[14754] 8/10/2018 -- 11:47:10 - (util-conf.c:115) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[14754] 8/10/2018 -- 11:47:10 - (unix-manager.c:131) <Info> (UnixNew) -- Using unix socket file '/var/run/suricata/suricata-command.socket'
[14754] 8/10/2018 -- 11:47:10 - (tm-threads.c:2172) <Notice> (TmThreadWaitOnThreadInit) -- all 16 packet processing threads, 4 management threads initialized, engine started.
[14939] 8/10/2018 -- 11:47:10 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket
[14939] 8/10/2018 -- 11:47:10 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020
[14940] 8/10/2018 -- 11:47:10 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket
[14940] 8/10/2018 -- 11:47:10 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020
[14941] 8/10/2018 -- 11:47:10 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket
[14941] 8/10/2018 -- 11:47:10 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020
[14942] 8/10/2018 -- 11:47:10 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket
[14942] 8/10/2018 -- 11:47:10 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020
[14943] 8/10/2018 -- 11:47:11 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket
[14943] 8/10/2018 -- 11:47:11 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020
[14944] 8/10/2018 -- 11:47:11 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket
[14944] 8/10/2018 -- 11:47:11 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020
[14945] 8/10/2018 -- 11:47:11 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket
[14945] 8/10/2018 -- 11:47:11 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020
[14946] 8/10/2018 -- 11:47:11 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket
[14946] 8/10/2018 -- 11:47:11 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020
[14947] 8/10/2018 -- 11:47:11 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket
[14947] 8/10/2018 -- 11:47:11 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020
[14948] 8/10/2018 -- 11:47:12 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket
[14948] 8/10/2018 -- 11:47:12 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020
[14949] 8/10/2018 -- 11:47:12 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket
[14949] 8/10/2018 -- 11:47:12 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020
[14950] 8/10/2018 -- 11:47:12 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket
[14950] 8/10/2018 -- 11:47:12 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020
[14951] 8/10/2018 -- 11:47:12 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket
[14951] 8/10/2018 -- 11:47:12 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020
[14952] 8/10/2018 -- 11:47:12 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket
[14952] 8/10/2018 -- 11:47:12 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020
[14953] 8/10/2018 -- 11:47:12 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket
[14953] 8/10/2018 -- 11:47:12 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020
[14954] 8/10/2018 -- 11:47:13 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket
[14954] 8/10/2018 -- 11:47:13 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020
[14954] 8/10/2018 -- 11:47:13 - (source-af-packet.c:513) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.
[14955] 8/10/2018 -- 11:47:32 - (flow-manager.c:770) <Info> (FlowManager) -- Flow emergency mode over, back to normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1538970452, ts.tv_usec:542) flow_spare_q status(): 305% flows at the queue
[14955] 8/10/2018 -- 11:47:39 - (flow-manager.c:770) <Info> (FlowManager) -- Flow emergency mode over, back to normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1538970458, ts.tv_usec:999404) flow_spare_q status(): 55% flows at the queue
[14955] 8/10/2018 -- 11:47:45 - (flow-manager.c:770) <Info> (FlowManager) -- Flow emergency mode over, back to normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1538970465, ts.tv_usec:1208) flow_spare_q status(): 255% flows at the queue
[14955] 8/10/2018 -- 11:47:51 - (flow-manager.c:770) <Info> (FlowManager) -- Flow emergency mode over, back to normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1538970470, ts.tv_usec:998735) flow_spare_q status(): 344% flows at the queue
[14955] 8/10/2018 -- 11:47:58 - (flow-manager.c:770) <Info> (FlowManager) -- Flow emergency mode over, back to normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1538970477, ts.tv_usec:999859) flow_spare_q status(): 75% flows at the queue
[14955] 8/10/2018 -- 11:48:06 - (flow-manager.c:770) <Info> (FlowManager) -- Flow emergency mode over, back to normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1538970485, ts.tv_usec:997592) flow_spare_q status(): 31% flows at the queue
^C[14754] 8/10/2018 -- 11:48:09 - (suricata.c:2733) <Notice> (SuricataMainLoop) -- Signal Received.  Stopping engine.
[14955] 8/10/2018 -- 11:48:09 - (flow-manager.c:798) <Perf> (FlowManager) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
[14754] 8/10/2018 -- 11:48:10 - (suricata.c:1100) <Info> (SCPrintElapsedTime) -- time elapsed 60.133s
[14956] 8/10/2018 -- 11:48:11 - (flow-manager.c:949) <Perf> (FlowRecycler) -- 1073195 flows processed
[14939] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#01-ens4f1) Kernel: Packets 40504054, dropped 34228573
[14939] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'
[14940] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#02-ens4f1) Kernel: Packets 36, dropped 0
[14940] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'
[14941] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#03-ens4f1) Kernel: Packets 62, dropped 0
[14941] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'
[14942] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#04-ens4f1) Kernel: Packets 59, dropped 0
[14942] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'
[14943] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#05-ens4f1) Kernel: Packets 105, dropped 0
[14943] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'
[14944] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#06-ens4f1) Kernel: Packets 126, dropped 0
[14944] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'
[14945] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#07-ens4f1) Kernel: Packets 76, dropped 0
[14945] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'
[14946] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#08-ens4f1) Kernel: Packets 86, dropped 0
[14946] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'
[14947] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#09-ens4f1) Kernel: Packets 81, dropped 0
[14947] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'
[14948] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#10-ens4f1) Kernel: Packets 76, dropped 0
[14948] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'
[14949] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#11-ens4f1) Kernel: Packets 80, dropped 0
[14949] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'
[14950] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#12-ens4f1) Kernel: Packets 58, dropped 0
[14950] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'
[14951] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#13-ens4f1) Kernel: Packets 57, dropped 0
[14951] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'
[14952] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#14-ens4f1) Kernel: Packets 77, dropped 0
[14952] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'
[14953] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#15-ens4f1) Kernel: Packets 42, dropped 0
[14953] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'
[14954] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#16-ens4f1) Kernel: Packets 524725, dropped 224653
[14954] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'
[14754] 8/10/2018 -- 11:48:11 - (counters.c:815) <Info> (StatsLogSummary) -- Alerts: 128
[14754] 8/10/2018 -- 11:48:12 - (ippair.c:290) <Perf> (IPPairPrintStats) -- ippair memory usage: 414144 bytes, maximum: 16777216
[14754] 8/10/2018 -- 11:48:12 - (host.c:294) <Perf> (HostPrintStats) -- host memory usage: 604320 bytes, maximum: 33554432
[14754] 8/10/2018 -- 11:48:12 - (detect-engine-build.c:1704) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete
[14754] 8/10/2018 -- 11:48:12 - (util-device.c:328) <Notice> (LiveDeviceListClean) -- Stats for 'ens4f1':  pkts: 41029800, drop: 34453226 (83.97%), invalid chksum: 54


mazhuang at 17paipai.cn
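
The log excerpt above is the evidence of the imbalance: one worker (W#16) receives almost every packet while the others see fewer than a hundred each. As an added diagnostic, not code from the thread or from Suricata, the script below parses the ReceiveAFPThreadExitStats and LiveDeviceListClean lines and flags that condition; the sample lines are constructed in the same format and the function names are my own.

```python
"""Added diagnostic: check AF_PACKET worker balance from Suricata's shutdown log."""
import re

# Per-thread exit stats, e.g. "(W#16-ens4f1) Kernel: Packets 524725, dropped 224653"
THREAD_RE = re.compile(r"\((W#\d+)-(\S+)\) Kernel: Packets (\d+), dropped (\d+)")
# Per-device summary, e.g. "Stats for 'ens4f1':  pkts: 41029800, drop: 34453226 (83.97%)"
DEVICE_RE = re.compile(r"Stats for '([^']+)':\s+pkts: (\d+), drop: (\d+)")

def parse_worker_stats(lines, iface):
    """Return {worker: (packets, dropped)} for the workers bound to iface."""
    stats = {}
    for line in lines:
        m = THREAD_RE.search(line)
        if m and m.group(2) == iface:
            stats[m.group(1)] = (int(m.group(3)), int(m.group(4)))
    return stats

def parse_device_drop_rate(lines, iface):
    """Return drop/pkts from the LiveDeviceListClean summary, or None if absent."""
    for line in lines:
        m = DEVICE_RE.search(line)
        if m and m.group(1) == iface:
            pkts, drop = int(m.group(2)), int(m.group(3))
            return drop / pkts if pkts else 0.0
    return None

def busiest_share(stats):
    """(worker, fraction of all packets it received). With N workers and a
    working flow hash the fraction sits near 1/N; a value near 1.0 means the
    cluster_ebpf program is steering nearly every frame to one socket, which
    the thread suggests happens when lb.c cannot parse (VLAN-tagged) frames."""
    total = sum(p for p, _ in stats.values())
    if total == 0:
        return None, 0.0
    worker, (pkts, _) = max(stats.items(), key=lambda kv: kv[1][0])
    return worker, pkts / total

def is_unbalanced(stats, tolerance=2.0):
    """True when the busiest worker gets more than tolerance x its fair share."""
    _, share = busiest_share(stats)
    return bool(stats) and share > tolerance / len(stats)

# Constructed sample lines in the thread's log format (the timestamp/pid
# prefix is irrelevant to the parser and omitted).
SAMPLE = [
    "(W#14-ens4f1) Kernel: Packets 77, dropped 0",
    "(W#15-ens4f1) Kernel: Packets 42, dropped 0",
    "(W#16-ens4f1) Kernel: Packets 524725, dropped 224653",
    "Stats for 'ens4f1':  pkts: 41029800, drop: 34453226 (83.97%)",
]
```

Feed it the full suricata -vvv shutdown output and a balanced cluster_ebpf setup should report a busiest share close to 1/threads rather than the near-1.0 seen here.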
 
From: Eric Leblond
Date: 2018-10-02 21:03
To: mazhuang at 17paipai.cn; Konstantin Klinger; Michał Purzyński
CC: oisf-users
Subject: Re: [Oisf-users] suricata 4.1 eBpf load balance
Hello,
 
 
I've just pushed https://github.com/regit/suricata/tree/ebpf-update-3 
 
Could you give it a try? It should work better.
 
BR,
--
Eric Leblond
 
On Wed, 2018-09-19 at 15:02 +0800, mazhuang at 17paipai.cn wrote:
> Hi Konstantin
> af-packet:
>   - interface: ens4f1
>     threads: 40
>     cluster-id: 99
>     cluster-type: cluster_ebpf
>     defrag: yes
>     ebpf-lb-file:  /etc/suricata/ebpf/lb.bpf
>     use-mmap: yes
> 
> mazhuang at 17paipai.cn
> >  
> > From: Konstantin Klinger
> > Date: 2018-09-19 12:23
> > To: Michał Purzyński
> > CC: mazhuang at 17paipai.cn; Open Information Security Foundation
> > Subject: Re: [Oisf-users] suricata 4.1 eBpf load balance
> > Hi,
> > 
> > I would be interested how you have included this bpf filter into
> > your config?
> > 
> > Cheers,
> > 
> > Konstantin 
> > 
> > -- 
> > Konstantin Klinger
> > Security Content Engineer
> > Threat Detection & Hunting (TDH)
> > 
> > +49 160 95476260
> > konstantin.klinger at dcso.de
> > 
> > dcso.de
> > blog.dcso.de
> > 
> > PGP: 180D C5B3 3C68 5C9A FB58 6F33 400E 5A35 3307 8D46
> >  
> > DCSO Deutsche Cyber-Sicherheitsorganisation GmbH • EUREF-Campus 22 • 10829 Berlin, Germany
> > Managing Director: Dr.-Ing. Gunnar Siebert, registered office: Berlin,
> > Local Court Charlottenburg HRB 172382
> > 
> > On 18.09.2018 at 20:22, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
> > 
> > > Can you stop sending screenshots and just C&P logs instead?
> > > 
> > > On Tue, Sep 18, 2018 at 7:53 AM mazhuang at 17paipai.cn <
> > > mazhuang at 17paipai.cn> wrote:
> > > > Hi Eric
> > > >     I sure have VLAN in my traffic.
> > > > 
> > > > 
> > > > mazhuang at 17paipai.cn
> > > > >  
> > > > > From: Eric Leblond
> > > > > Date: 2018-09-18 22:06
> > > > > To: mazhuang at 17paipai.cn; Peter Manev
> > > > > CC: oisf-users
> > > > > Subject: Re: Re: [Oisf-users] suricata 4.1 eBpf load balance
> > > > > Hello,
> > > > >  
> > > > > On Tue, 2018-09-18 at 21:42 +0800, mazhuang at 17paipai.cn
> > > > > wrote:
> > > > > > Hi Eric
> > > > > > >     I used the new lb.c; the error report is shown below.
> > > > > > >     No permissions? The figure shows lb.bpf is readable.
> > > > >  
> > > > > OK, let me do some tests and tries here.
> > > > >  
> > > > > Just to be sure, do you have VLAN in your traffic?
> > > > >  
> > > > > BR,
> > > > > --
> > > > > Eric
> > > > >  
> > > > > >
> > > > > >
> > > > > >
> > > > > > mazhuang at 17paipai.cn
> > > > > > > 
> > > > > > > From: Eric Leblond
> > > > > > > Date: 2018-09-18 21:24
> > > > > > > To: mazhuang at 17paipai.cn; Peter Manev
> > > > > > > CC: oisf-users
> > > > > > > Subject: Re: [Oisf-users] suricata 4.1 eBpf load balance
> > > > > > > Hello,
> > > > > > > 
> > > > > > > > On Tue, 2018-09-18 at 21:14 +0800, mazhuang at 17paipai.cn wrote:
> > > > > > > > Hi Peter
> > > > > > > >     I'm using the suricata source code itself:
> > > > > > > > https://github.com/OISF/suricata/blob/master/ebpf/lb.c
> > > > > > > 
> > > > > > > > This code does not support VLAN; maybe this is your issue.
> > > > > > > 
> > > > > > > I've pushed a new version with VLAN support:
> > > > > > > 
> > > > > > > https://github.com/regit/suricata/tree/ebpf-update
> > > > > > > 
> > > > > > > > Can you give it a try?
> > > > > > > 
> > > > > > > > You can either use the branch or copy the lb.c to your source tree.
> > > > > > > 
> > > > > > > BR,
> > > > > > > --
> > > > > > > Eric Leblond
> > > > > > > 
> > > > > > > >
> > > > > > > > mazhuang at 17paipai.cn
> > > > > > > > >
> > > > > > > > > From: Peter Manev
> > > > > > > > > Date: 2018-09-18 21:12
> > > > > > > > > To: mazhuang
> > > > > > > > > CC: Open Information Security Foundation
> > > > > > > > > > Subject: Re: [Oisf-users] suricata 4.1 eBpf load balance
> > > > > > > > > On Tue, Sep 18, 2018 at 2:48 PM mazhuang at 17paipai.cn
> > > > > > > > > <mazhuang at 17paipai.cn> wrote:
> > > > > > > > > >
> > > > > > > > > > Hi All
> > > > > > > > > > >     I followed https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html#setup-ebpf-load-balancing this tutorial to configure ebpf load balancing, but the result was only one core processing the data
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >     Suricata Version:4.1
> > > > > > > > > >     OS:Centos 7
> > > > > > > > > > >     Kernel:Linux yg 4.18.8-1.el7.elrepo.x86_64 #1 SMP Sat Sep 15 10:10:09 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
> > > > > > > > > > >     CPU:Intel(R) Xeon(R) CPU E5-2640 v4 @ 2.40GHz x2
> > > > > > > > > >     Memory:128G
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > Can you share your balancer (lb.bpf) so I can try to reproduce?
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Regards,
> > > > > > > > > Peter Manev
> > > > > > > > >
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > > > > > > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > > > > > > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > > > > > >
> > > > > > > > Conference: https://suricon.net
> > > > > > > > Trainings: https://suricata-ids.org/training/
> > > > > > > --
> > > > > > > Eric Leblond <eric at regit.org>
> > > > > > > 
> > > > > --
> > > > > Eric Leblond <eric at regit.org>
> > > > >  
> > > > 
> >  
> 
-- 
Eric Leblond <eric at regit.org>
 