[Oisf-users] suricata 4.1 eBpf load balance

Konstantin Klinger Konstantin.Klinger at dcso.de
Wed Sep 19 04:23:53 UTC 2018


Hi,

I would be interested in how you have included this bpf filter into your config.

Cheers,

Konstantin

--
Konstantin Klinger
Security Content Engineer
Threat Detection & Hunting (TDH)

+49 160 95476260
konstantin.klinger at dcso.de

dcso.de
blog.dcso.de

PGP: 180D C5B3 3C68 5C9A FB58 6F33 400E 5A35 3307 8D46

DCSO Deutsche Cyber-Sicherheitsorganisation GmbH • EUREF-Campus 22 • 10829 Berlin, Germany
Managing Director: Dr.-Ing. Gunnar Siebert, Registered office: Berlin,
Amtsgericht Charlottenburg (district court) HRB 172382

On 18.09.2018 at 20:22, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:

Can you stop sending screenshots and just C&P logs instead?

On Tue, Sep 18, 2018 at 7:53 AM mazhuang at 17paipai.cn <mazhuang at 17paipai.cn> wrote:
Hi Eric
    I sure have VLAN in my traffic.

________________________________
mazhuang at 17paipai.cn

From: Eric Leblond <eric at regit.org>
Date: 2018-09-18 22:06
To: mazhuang at 17paipai.cn; Peter Manev <petermanev at gmail.com>
CC: oisf-users <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: Re: [Oisf-users] suricata 4.1 eBpf load balance
Hello,

On Tue, 2018-09-18 at 21:42 +0800, mazhuang at 17paipai.cn wrote:
> Hi Eric
>     I used the new lb.c error report as shown below
>     No permissions? The figure lb.bpf is readable

OK, let me do some tests and tries here.

Just to be sure, do you have VLAN in your traffic?

BR,
--
Eric

>
>
>
> mazhuang at 17paipai.cn
> >
> > From: Eric Leblond
> > Date: 2018-09-18 21:24
> > To: mazhuang at 17paipai.cn; Peter Manev
> > CC: oisf-users
> > Subject: Re: [Oisf-users] suricata 4.1 eBpf load balance
> > Hello,
> >
> > On Tue, 2018-09-18 at 21:14 +0800, mazhuang at 17paipai.cn wrote:
> > > Hi Peter
> > >     I'm using the suricata source code itself:
> > > https://github.com/OISF/suricata/blob/master/ebpf/lb.c
> >
> > This code does not support VLAN; maybe this is your issue.
> >
> > I've pushed a new version with VLAN support:
> >
> > https://github.com/regit/suricata/tree/ebpf-update
> >
> > Can you give it a try?
> >
> > You can either use the branch or copy the lb.c to your source tree.
> >
> > BR,
> > --
> > Eric Leblond
> >
> > >
> > > mazhuang at 17paipai.cn
> > > >
> > > > From: Peter Manev
> > > > Date: 2018-09-18 21:12
> > > > To: mazhuang
> > > > CC: Open Information Security Foundation
> > > > Subject: Re: [Oisf-users] suricata 4.1 eBpf load balance
> > > > On Tue, Sep 18, 2018 at 2:48 PM mazhuang at 17paipai.cn <mazhuang at 17paipai.cn> wrote:
> > > > >
> > > > > Hi All
> > > > >     I followed https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html#setup-ebpf-load-balancing
> > > > > this tutorial to configure ebpf load balancing, but the result was only one core processing the data
> > > > >
> > > > >
> > > > >     Suricata Version:4.1
> > > > >     OS:Centos 7
> > > > >     Kernel:Linux yg 4.18.8-1.el7.elrepo.x86_64 #1 SMP Sat Sep 15 10:10:09 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
> > > > >     CPU:Intel(R) Xeon(R) CPU E5-2640 v4 @ 2.40GHz x2
> > > > >     Memory:128G
> > > >
> > > >
> > > > Can you share your balancer (lb.bpf) so I can try to reproduce?
> > > >
> > > >
> > > >
> > > > --
> > > > Regards,
> > > > Peter Manev
> > > >
> > >
> > > _______________________________________________
> > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > >
> > > Conference: https://suricon.net
> > > Trainings: https://suricata-ids.org/training/
> > --
> > Eric Leblond <eric at regit.org>
> >
--
Eric Leblond <eric at regit.org>
