[Oisf-users] Suricata and XDP
Peter Manev
petermanev at gmail.com
Mon Jun 10 16:13:37 UTC 2019
On Mon, Jun 10, 2019 at 6:09 PM ltishend <ltishend at uw.edu> wrote:
>
> > Can you please share how did you compile Suricata and what is the output of
> > "suricata --build-info" ?
>
> CC=clang ./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr --enable-geoip --enable-luajit --enable-rust --enable-ebpf --enable-ebpf-build
>
> This is Suricata version 5.0.0-dev (rev c1b30fe9f)
> Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS MAGIC RUST
> SIMD support: SSE_4_2 SSE_4_1 SSE_3
> Atomic intrisics: 1 2 4 8 16 byte(s)
> 64-bits, Little-endian architecture
> GCC version 4.2.1 Compatible Clang 6.0.0 (tags/RELEASE_600/final), C version 199901
> compiled with _FORTIFY_SOURCE=0
> L1 cache line size (CLS)=64
> thread local storage method: __thread
> compiled with LibHTP v0.5.30, linked against LibHTP v0.5.30
>
> Suricata Configuration:
> AF_PACKET support: yes
> eBPF support: yes
> XDP support: yes
> PF_RING support: no
> NFQueue support: no
> NFLOG support: no
> IPFW support: no
> Netmap support: no
> DAG enabled: no
> Napatech enabled: no
> WinDivert enabled: no
>
> Unix socket enabled: yes
> Detection enabled: yes
>
> Libmagic support: yes
> libnss support: yes
> libnspr support: yes
> libjansson support: yes
> liblzma support: yes
> hiredis support: no
> hiredis async with libevent: no
> Prelude support: no
> PCRE jit: yes
> LUA support: yes, through luajit
> libluajit: yes
> libgeoip: yes
> Non-bundled htp: no
> Old barnyard2 support: no
> Hyperscan support: yes
> Libnet support: yes
> liblz4 support: yes
>
> Rust support: yes
> Rust strict mode: no
> Rust debug mode: no
> Rust compiler: rustc 1.30.0 (da5f414c2 2018-10-24)
> Rust cargo: cargo 1.30.0 (36d96825d 2018-10-24)
>
> Python support: yes
> Python path: /usr/bin/python3
> Python version: Python 3.6.7
> Python distutils yes
> Python yaml yes
> Install suricatactl: yes
> Install suricatasc: yes
> Install suricata-update: not bundled
>
> Profiling enabled: no
> Profiling locks enabled: no
>
> Development settings:
> Coccinelle / spatch: no
> Unit tests enabled: no
> Debug output enabled: no
> Debug validation enabled: no
>
> Generic build parameters:
> Installation prefix: /usr
> Configuration directory: /etc/suricata/
> Log directory: /var/log/suricata/
>
> --prefix /usr
> --sysconfdir /etc
> --localstatedir /var
> --datarootdir /usr/share
>
> Host: x86_64-pc-linux-gnu
> Compiler: clang (exec name) / clang (real)
> GCC Protect enabled: no
> GCC march native enabled: yes
> GCC Profile enabled: no
> Position Independent Executable enabled: no
> CFLAGS -g -O2 -march=native -I${srcdir}/../rust/gen/c-headers
> PCAP_CFLAGS -I/usr/include
> SECCFLAGS
>
>
Can you try installing libbpf like so -
cd /opt && \
git clone https://github.com/libbpf/libbpf && cd libbpf/src/ && \
make clean && make && \
make install && make install_headers && \
echo "/usr/lib64" > /etc/ld.so.conf.d/local.conf && \
ldconfig
Just to be sure you use the latest available (if you have not already
done so), then recompile Suricata please. Any difference?
Thank you
>
> > -----Original Message-----
> > From: Peter Manev <petermanev at gmail.com>
> > Sent: Monday, June 10, 2019 9:07 AM
> > To: ltishend <ltishend at uw.edu>
> > Cc: Eric Leblond <eric at regit.org>; oisf-users at lists.openinfosecfoundation.org
> > Subject: Re: [Oisf-users] Suricata and XDP
> >
> > On Mon, Jun 10, 2019 at 5:08 PM ltishend <ltishend at uw.edu> wrote:
> > >
> > > I don't get any message on stdout when I start suricata via the command line. Maybe that's part of the problem? No additional information dumps out to syslog either.
> > >
> >
> > Can you please share how did you compile Suricata and what is the output of
> > "suricata --build-info" ?
> >
> > Thank you
> >
> >
> > >
> > > > -----Original Message-----
> > > > From: Eric Leblond <eric at regit.org>
> > > > Sent: Monday, June 10, 2019 7:59 AM
> > > > To: ltishend <ltishend at uw.edu>; Peter Manev <petermanev at gmail.com>
> > > > Cc: oisf-users at lists.openinfosecfoundation.org
> > > > Subject: Re: [Oisf-users] Suricata and XDP
> > > >
> > > > Hello,
> > > >
> > > > We should have some message from libbpf on stdout. Can we have a look at it?
> > > >
> > > > On Mon, 2019-06-10 at 14:26 +0000, ltishend wrote:
> > > > > > /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -vvv and share the full output?
> > > > >
> > > > > [25180] 10/6/2019 -- 07:22:34 - (suricata.c:1067) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (rev c1b30fe9f) running in SYSTEM mode
> > > > > [25180] 10/6/2019 -- 07:22:34 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 40
> > > > > [25180] 10/6/2019 -- 07:22:34 - (tmqh-flow.c:63) <Notice> (TmqhFlowRegister) -- using flow hash instead of active packets
> > > > > [25180] 10/6/2019 -- 07:22:34 - (util-logopenfile.c:476) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
> > > > > [25180] 10/6/2019 -- 07:22:34 - (util-logopenfile.c:476) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
> > > > > [25180] 10/6/2019 -- 07:22:34 - (util-conf.c:115) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
> > > > > [25180] 10/6/2019 -- 07:22:44 - (detect-engine-loader.c:351) <Info> (SigLoadSignatures) -- 2 rule files processed. 36833 rules successfully loaded, 0 rules failed
> > > > > [25180] 10/6/2019 -- 07:22:44 - (util-threshold-config.c:1126) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
> > > > > [25180] 10/6/2019 -- 07:22:45 - (detect-engine-build.c:1426) <Info> (SigAddressPrepareStage1) -- 36833 signatures processed. 261 are IP-only rules, 13916 are inspecting packet payload, 22463 inspect application layer, 103 are decoder event only
> > > > > [25180] 10/6/2019 -- 07:23:12 - (runmode-af-packet.c:441) <Info> (ParseAFPConfig) -- af-packet will use '/etc/suricata/xdp_filter.bpf' as XDP filter file
> > > > > [25180] 10/6/2019 -- 07:23:12 - (util-ebpf.c:308) <Error> (EBPFSetupXDP) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Unable to set XDP on 'enp175s0f1': Invalid argument (-22)
> > > > > [25180] 10/6/2019 -- 07:23:12 - (runmode-af-packet.c:486) <Warning> (ParseAFPConfig) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when setting up XDP
> > > > > [25180] 10/6/2019 -- 07:23:12 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 13 thread(s)
> > > > > [25180] 10/6/2019 -- 07:23:13 - (util-conf.c:115) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
> > > > > [25180] 10/6/2019 -- 07:23:13 - (unix-manager.c:131) <Info> (UnixNew) -- Using unix socket file '/var/run/suricata/suricata-command.socket'
> > > > > [25180] 10/6/2019 -- 07:23:13 - (tm-threads.c:2157) <Notice> (TmThreadWaitOnThreadInit) -- all 13 packet processing threads, 5 management threads initialized, engine started.
> > > > > [25204] 10/6/2019 -- 07:23:19 - (source-af-packet.c:509) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.
> > > > >
> > > > > > ethtool -x your-interface-here
> > > > >
> > > > > RX flow hash indirection table for enp175s0f1 with 13 RX ring(s):
> > > > > 0: 0 1 2 3 4 5 6 7
> > > > > 8: 8 9 10 11 12 0 1 2
> > > > > 16: 3 4 5 6 7 8 9 10
> > > > > 24: 11 12 0 1 2 3 4 5
> > > > > 32: 6 7 8 9 10 11 12 0
> > > > > 40: 1 2 3 4 5 6 7 8
> > > > > 48: 9 10 11 12 0 1 2 3
> > > > > 56: 4 5 6 7 8 9 10 11
> > > > > 64: 12 0 1 2 3 4 5 6
> > > > > 72: 7 8 9 10 11 12 0 1
> > > > > 80: 2 3 4 5 6 7 8 9
> > > > > 88: 10 11 12 0 1 2 3 4
> > > > > 96: 5 6 7 8 9 10 11 12
> > > > > 104: 0 1 2 3 4 5 6 7
> > > > > 112: 8 9 10 11 12 0 1 2
> > > > > 120: 3 4 5 6 7 8 9 10
> > > > > 128: 11 12 0 1 2 3 4 5
> > > > > 136: 6 7 8 9 10 11 12 0
> > > > > 144: 1 2 3 4 5 6 7 8
> > > > > 152: 9 10 11 12 0 1 2 3
> > > > > 160: 4 5 6 7 8 9 10 11
> > > > > 168: 12 0 1 2 3 4 5 6
> > > > > 176: 7 8 9 10 11 12 0 1
> > > > > 184: 2 3 4 5 6 7 8 9
> > > > > 192: 10 11 12 0 1 2 3 4
> > > > > 200: 5 6 7 8 9 10 11 12
> > > > > 208: 0 1 2 3 4 5 6 7
> > > > > 216: 8 9 10 11 12 0 1 2
> > > > > 224: 3 4 5 6 7 8 9 10
> > > > > 232: 11 12 0 1 2 3 4 5
> > > > > 240: 6 7 8 9 10 11 12 0
> > > > > 248: 1 2 3 4 5 6 7 8
> > > > > 256: 9 10 11 12 0 1 2 3
> > > > > 264: 4 5 6 7 8 9 10 11
> > > > > 272: 12 0 1 2 3 4 5 6
> > > > > 280: 7 8 9 10 11 12 0 1
> > > > > 288: 2 3 4 5 6 7 8 9
> > > > > 296: 10 11 12 0 1 2 3 4
> > > > > 304: 5 6 7 8 9 10 11 12
> > > > > 312: 0 1 2 3 4 5 6 7
> > > > > 320: 8 9 10 11 12 0 1 2
> > > > > 328: 3 4 5 6 7 8 9 10
> > > > > 336: 11 12 0 1 2 3 4 5
> > > > > 344: 6 7 8 9 10 11 12 0
> > > > > 352: 1 2 3 4 5 6 7 8
> > > > > 360: 9 10 11 12 0 1 2 3
> > > > > 368: 4 5 6 7 8 9 10 11
> > > > > 376: 12 0 1 2 3 4 5 6
> > > > > 384: 7 8 9 10 11 12 0 1
> > > > > 392: 2 3 4 5 6 7 8 9
> > > > > 400: 10 11 12 0 1 2 3 4
> > > > > 408: 5 6 7 8 9 10 11 12
> > > > > 416: 0 1 2 3 4 5 6 7
> > > > > 424: 8 9 10 11 12 0 1 2
> > > > > 432: 3 4 5 6 7 8 9 10
> > > > > 440: 11 12 0 1 2 3 4 5
> > > > > 448: 6 7 8 9 10 11 12 0
> > > > > 456: 1 2 3 4 5 6 7 8
> > > > > 464: 9 10 11 12 0 1 2 3
> > > > > 472: 4 5 6 7 8 9 10 11
> > > > > 480: 12 0 1 2 3 4 5 6
> > > > > 488: 7 8 9 10 11 12 0 1
> > > > > 496: 2 3 4 5 6 7 8 9
> > > > > 504: 10 11 12 0 1 2 3 4
> > > > > RSS hash key:
> > > > > 6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a
> > > > > RSS hash function:
> > > > > toeplitz: on
> > > > > xor: off
> > > > > crc32: off
> > > > >
> > > > > > ethtool -n your-interface-here
> > > > >
> > > > > 13 RX rings available
> > > > > Total 0 rules
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Peter Manev <petermanev at gmail.com>
> > > > > > Sent: Saturday, June 8, 2019 12:32 AM
> > > > > > To: ltishend <ltishend at uw.edu>
> > > > > > Cc: oisf-users at lists.openinfosecfoundation.org
> > > > > > Subject: Re: [Oisf-users] Suricata and XDP
> > > > > >
> > > > > > On Sat, Jun 8, 2019 at 12:45 AM ltishend <ltishend at uw.edu> wrote:
> > > > > > > > What is your start command?
> > > > > > >
> > > > > > > /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile
> > > > > > > /var/run/suricata.pid --af-packet
> > > > > > >
> > > > > >
> > > > > > Can you please run it again with - /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -vvv and share the full output?
> > > > > >
> > > > > > Also what is the output of
> > > > > > ethtool -x your-interface-here
> > > > > > ethtool -n your-interface-here
> > > > > >
> > > > > > Thank you
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Regards,
> > > > > > Peter Manev
> > > > > _______________________________________________
> > > > > Suricata IDS Users mailing list:
> > > > > oisf-users at openinfosecfoundation.org
> > > > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > > > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > > >
> > > > > Conference: https://suricon.net
> > > > > Trainings: https://suricata-ids.org/training/
> > >
> >
> >
> > --
> > Regards,
> > Peter Manev
--
Regards,
Peter Manev
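The ethtool -x dump in this thread is asked for because Suricata's AF_PACKET/XDP workers expect one RX ring per capture thread, an indirection table that spreads flows evenly over those rings, and a symmetric RSS key (the repeated 6D:5A Toeplitz key shown above) so that both directions of a flow hash to the same ring and therefore the same worker. The checker below is an added example, not code from this thread or from the Suricata project: it parses an `ethtool -x` dump and reports any of those conditions that do not hold. The sample dumps are constructed (the first regenerates the 13-ring table posted above, the second is a deliberately skewed counter-example), and the `capture_threads` parameter is a hypothetical input taken from Suricata's "Going to use N thread(s)" log line.

```python
"""Sanity-check `ethtool -x <iface>` output for a Suricata AF_PACKET/XDP deployment.

Added example; not code from the original thread or from the Suricata project.
Checks: the RSS indirection table spreads entries evenly over all reported RX
rings, the hash key is the symmetric 6D:5A Toeplitz key, toeplitz hashing is
on, and (optionally) the ring count matches the number of capture threads.
Sample inputs are constructed.
"""
import re
from collections import Counter

# Symmetric RSS key: the two-byte pattern 6D 5A repeated (as in the thread's dump).
SYMMETRIC_PAIR = ("6d", "5a")

_HEADER = re.compile(r"indirection table for \S+ with (\d+) RX ring")
_ROW = re.compile(r"^(\d+):\s+([\d\s]+)$")
_KEY = re.compile(r"^[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*:?$")
_FUNC = re.compile(r"^(\w+):\s+(on|off)$")


def parse_ethtool_x(text):
    """Return (ring_count, table, key_bytes, hash_funcs) parsed from `ethtool -x` text."""
    ring_count, table, key, funcs = None, [], [], {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEADER.search(line)
        if m:
            ring_count = int(m.group(1))
            continue
        if line.startswith("RSS hash key:"):
            in_key = True
            continue
        if line.startswith("RSS hash function:"):
            in_key = False
            continue
        if in_key:
            if _KEY.match(line):  # the key may wrap over several lines ending in ':'
                key.extend(line.strip(":").lower().split(":"))
            continue
        m = _ROW.match(line)
        if m:
            table.extend(int(x) for x in m.group(2).split())
            continue
        m = _FUNC.match(line)
        if m:
            funcs[m.group(1)] = m.group(2) == "on"
    return ring_count, table, key, funcs


def check_rss(text, capture_threads=None):
    """Return (findings, per_ring_counts); an empty findings list means the dump looks right.

    capture_threads is a hypothetical parameter: the worker count Suricata logged,
    which should equal the number of RX rings.
    """
    rings, table, key, funcs = parse_ethtool_x(text)
    counts = Counter(table)
    if rings is None or not table:
        return ["could not parse the indirection table"], counts
    findings = []
    if set(counts) != set(range(rings)):
        findings.append(f"table uses rings {sorted(counts)} but {rings} ring(s) are reported")
    if max(counts.values()) - min(counts.values()) > 1:
        findings.append("indirection table is not spread evenly over the rings")
    pairs = list(zip(key[0::2], key[1::2]))
    if not key or len(key) % 2 or any(p != SYMMETRIC_PAIR for p in pairs):
        findings.append("hash key is not the symmetric 6D:5A key; a flow's two directions can land on different rings")
    if not funcs.get("toeplitz", False):
        findings.append("toeplitz hashing is not enabled")
    if capture_threads is not None and capture_threads != rings:
        findings.append(f"{rings} RX ring(s) but {capture_threads} capture thread(s)")
    return findings, counts


def thread_sample():
    """Constructed: regenerates the 13-ring dump from the thread (512 entries cycling 0..12, 8 per row)."""
    rows = [f"{s}: " + " ".join(str(i % 13) for i in range(s, s + 8)) for s in range(0, 512, 8)]
    key = ":".join(["6d", "5a"] * 26)  # 52-byte symmetric key
    return ("RX flow hash indirection table for enp175s0f1 with 13 RX ring(s):\n"
            + "\n".join(rows)
            + "\nRSS hash key:\n" + key
            + "\nRSS hash function:\n    toeplitz: on\n    xor: off\n    crc32: off\n")


# Constructed counter-example: a skewed table and a non-symmetric key.
BAD_SAMPLE = """\
RX flow hash indirection table for eth0 with 4 RX ring(s):
    0:      0     0     0     0     1     1     2     3
    8:      0     0     0     0     1     1     2     3
RSS hash key:
6d:5a:56:da:25:5b:0e:c2:41:67:25:3d:43:a3:8f:b0:d0:ca:2b:cb:ae:7b:30:b4:77:cb:2d:a3:80:30:f2:0c:6a:42:b7:3b:be:ac:01:fa
RSS hash function:
    toeplitz: on
    xor: off
    crc32: off
"""

if __name__ == "__main__":
    for name, dump, threads in (("thread", thread_sample(), 13), ("bad", BAD_SAMPLE, None)):
        findings, counts = check_rss(dump, capture_threads=threads)
        print(name, dict(sorted(counts.items())), findings or "OK")
```

On a live box, feed it the real output (`ethtool -x enp175s0f1`) together with the thread count from Suricata's "Going to use N thread(s)" line; for the dump posted in this thread it reports 13 rings with 39 or 40 table entries each and no findings, which is the layout the symmetric-hash and worker-per-ring advice in the Suricata docs aims for.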