[Oisf-users] Suricata and XDP

ltishend ltishend at uw.edu
Mon Jun 10 16:28:11 UTC 2019


> Can you try installing libbpf like so -
> cd /opt && \
> git clone https://github.com/libbpf/libbpf && cd libbpf/src/ && \
> make clean && make && \
> make install && make install_headers && \
> echo "/usr/lib64" > /etc/ld.so.conf.d/local.conf && \
> ldconfig
> 
> Just to be sure you use the latest available (if you have not already done so) -
> then recompile Suricata please  - any difference ?

:/opt# git clone https://github.com/libbpf/libbpf && cd libbpf/src
Cloning into 'libbpf'...
remote: Enumerating objects: 176, done.
remote: Counting objects: 100% (176/176), done.
remote: Compressing objects: 100% (71/71), done.
remote: Total 725 (delta 102), reused 143 (delta 95), pack-reused 549
Receiving objects: 100% (725/725), 434.38 KiB | 20.68 MiB/s, done.
Resolving deltas: 100% (419/419), done.

:/opt/libbpf/src# make clean && make
rm -f *.o *.a *.so *.so.* *.pc
cc -I. -I../include -I../include/uapi -fPIC -fvisibility=hidden -g -O2 -Werror -Wall   -c bpf.c -o bpf.o
cc -I. -I../include -I../include/uapi -fPIC -fvisibility=hidden -g -O2 -Werror -Wall   -c btf.c -o btf.o
cc -I. -I../include -I../include/uapi -fPIC -fvisibility=hidden -g -O2 -Werror -Wall   -c libbpf.c -o libbpf.o
cc -I. -I../include -I../include/uapi -fPIC -fvisibility=hidden -g -O2 -Werror -Wall   -c libbpf_errno.c -o libbpf_errno.o
cc -I. -I../include -I../include/uapi -fPIC -fvisibility=hidden -g -O2 -Werror -Wall   -c netlink.c -o netlink.o
cc -I. -I../include -I../include/uapi -fPIC -fvisibility=hidden -g -O2 -Werror -Wall   -c nlattr.c -o nlattr.o
cc -I. -I../include -I../include/uapi -fPIC -fvisibility=hidden -g -O2 -Werror -Wall   -c str_error.c -o str_error.o
cc -I. -I../include -I../include/uapi -fPIC -fvisibility=hidden -g -O2 -Werror -Wall   -c libbpf_probes.c -o libbpf_probes.o
cc -I. -I../include -I../include/uapi -fPIC -fvisibility=hidden -g -O2 -Werror -Wall   -c bpf_prog_linfo.c -o bpf_prog_linfo.o
cc -I. -I../include -I../include/uapi -fPIC -fvisibility=hidden -g -O2 -Werror -Wall   -c xsk.c -o xsk.o
cc -I. -I../include -I../include/uapi -fPIC -fvisibility=hidden -g -O2 -Werror -Wall   -c btf_dump.c -o btf_dump.o
cc -I. -I../include -I../include/uapi -fPIC -fvisibility=hidden -g -O2 -Werror -Wall   -c hashmap.c -o hashmap.o
ar rcs libbpf.a bpf.o btf.o libbpf.o libbpf_errno.o netlink.o nlattr.o str_error.o libbpf_probes.o bpf_prog_linfo.o xsk.o btf_dump.o hashmap.o
cc -shared  -lelf -Wl,--version-script=libbpf.map \
                             -Wl,-soname,libbpf.so.0 \
                             bpf.o btf.o libbpf.o libbpf_errno.o netlink.o nlattr.o str_error.o libbpf_probes.o bpf_prog_linfo.o xsk.o btf_dump.o hashmap.o -o libbpf.so.0.0.3
ln -sf libbpf.so.0.0.3 libbpf.so.0
ln -sf libbpf.so.0 libbpf.so
sed -e "s|@PREFIX@|/usr|" \
        -e "s|@LIBDIR@|/usr/lib64|" \
        -e "s|@VERSION@|0.0.3|" \
        < libbpf.pc.template > libbpf.pc

:/opt/libbpf/src# make install
if [ ! -d '/usr/include/bpf' ]; then install -d -m 755 '/usr/include/bpf'; fi; install bpf.h libbpf.h btf.h xsk.h libbpf_util.h -m 644 '/usr/include/bpf'
if [ ! -d '/usr/lib64/pkgconfig' ]; then install -d -m 755 '/usr/lib64/pkgconfig'; fi; install ./libbpf.pc -m 644 '/usr/lib64/pkgconfig'
if [ ! -d '/usr/lib64' ]; then install -d -m 755 '/usr/lib64'; fi; cp -fpR ./libbpf.a ./libbpf.so ./libbpf.so.0 ./libbpf.so.0.0.3 '/usr/lib64'

:/opt/libbpf/src# make install_headers
if [ ! -d '/usr/include/bpf' ]; then install -d -m 755 '/usr/include/bpf'; fi; install bpf.h libbpf.h btf.h xsk.h libbpf_util.h -m 644 '/usr/include/bpf'


Unfortunately after rebuild of suricata, no change in XDP error:

[13404] 10/6/2019 -- 09:24:15 - (util-ebpf.c:308) <Error> (EBPFSetupXDP) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Unable to set XDP on 'enp175s0f1': Invalid argument (-22)
[13404] 10/6/2019 -- 09:24:15 - (runmode-af-packet.c:486) <Warning> (ParseAFPConfig) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when setting up XDP


> -----Original Message-----
> From: Peter Manev <petermanev at gmail.com>
> Sent: Monday, June 10, 2019 9:14 AM
> To: ltishend <ltishend at uw.edu>
> Cc: Eric Leblond <eric at regit.org>; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata and XDP
> 
> On Mon, Jun 10, 2019 at 6:09 PM ltishend <ltishend at uw.edu> wrote:
> >
> > > Can you please share how did you compile Suricata and what is the
> > > output of "suricata --build-info" ?
> >
> > CC=clang ./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr --enable-geoip --enable-luajit --enable-rust --enable-ebpf --enable-ebpf-build
> >
> > This is Suricata version 5.0.0-dev (rev c1b30fe9f)
> > Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS MAGIC RUST
> > SIMD support: SSE_4_2 SSE_4_1 SSE_3
> > Atomic intrisics: 1 2 4 8 16 byte(s)
> > 64-bits, Little-endian architecture
> > GCC version 4.2.1 Compatible Clang 6.0.0 (tags/RELEASE_600/final), C version 199901
> > compiled with _FORTIFY_SOURCE=0
> > L1 cache line size (CLS)=64
> > thread local storage method: __thread
> > compiled with LibHTP v0.5.30, linked against LibHTP v0.5.30
> >
> > Suricata Configuration:
> >   AF_PACKET support:                       yes
> >   eBPF support:                            yes
> >   XDP support:                             yes
> >   PF_RING support:                         no
> >   NFQueue support:                         no
> >   NFLOG support:                           no
> >   IPFW support:                            no
> >   Netmap support:                          no
> >   DAG enabled:                             no
> >   Napatech enabled:                        no
> >   WinDivert enabled:                       no
> >
> >   Unix socket enabled:                     yes
> >   Detection enabled:                       yes
> >
> >   Libmagic support:                        yes
> >   libnss support:                          yes
> >   libnspr support:                         yes
> >   libjansson support:                      yes
> >   liblzma support:                         yes
> >   hiredis support:                         no
> >   hiredis async with libevent:             no
> >   Prelude support:                         no
> >   PCRE jit:                                yes
> >   LUA support:                             yes, through luajit
> >   libluajit:                               yes
> >   libgeoip:                                yes
> >   Non-bundled htp:                         no
> >   Old barnyard2 support:                   no
> >   Hyperscan support:                       yes
> >   Libnet support:                          yes
> >   liblz4 support:                          yes
> >
> >   Rust support:                            yes
> >   Rust strict mode:                        no
> >   Rust debug mode:                         no
> >   Rust compiler:                           rustc 1.30.0 (da5f414c2 2018-10-24)
> >   Rust cargo:                              cargo 1.30.0 (36d96825d 2018-10-24)
> >
> >   Python support:                          yes
> >   Python path:                             /usr/bin/python3
> >   Python version:                          Python 3.6.7
> >   Python distutils                         yes
> >   Python yaml                              yes
> >   Install suricatactl:                     yes
> >   Install suricatasc:                      yes
> >   Install suricata-update:                 not bundled
> >
> >   Profiling enabled:                       no
> >   Profiling locks enabled:                 no
> >
> > Development settings:
> >   Coccinelle / spatch:                     no
> >   Unit tests enabled:                      no
> >   Debug output enabled:                    no
> >   Debug validation enabled:                no
> >
> > Generic build parameters:
> >   Installation prefix:                     /usr
> >   Configuration directory:                 /etc/suricata/
> >   Log directory:                           /var/log/suricata/
> >
> >   --prefix                                 /usr
> >   --sysconfdir                             /etc
> >   --localstatedir                          /var
> >   --datarootdir                            /usr/share
> >
> >   Host:                                    x86_64-pc-linux-gnu
> >   Compiler:                                clang (exec name) / clang (real)
> >   GCC Protect enabled:                     no
> >   GCC march native enabled:                yes
> >   GCC Profile enabled:                     no
> >   Position Independent Executable enabled: no
> >   CFLAGS                                   -g -O2 -march=native -I${srcdir}/../rust/gen/c-headers
> >   PCAP_CFLAGS                               -I/usr/include
> >   SECCFLAGS
> >
> >
> 
> Can you try installing libbpf like so -
> cd /opt && \
> git clone https://github.com/libbpf/libbpf && cd libbpf/src/ && \
> make clean && make && \
> make install && make install_headers && \
> echo "/usr/lib64" > /etc/ld.so.conf.d/local.conf && \
> ldconfig
> 
> Just to be sure you use the latest available (if you have not already done so) -
> then recompile Suricata please  - any difference ?
> 
> Thank you
> 
> >
> > > -----Original Message-----
> > > From: Peter Manev <petermanev at gmail.com>
> > > Sent: Monday, June 10, 2019 9:07 AM
> > > To: ltishend <ltishend at uw.edu>
> > > Cc: Eric Leblond <eric at regit.org>;
> > > oisf-users at lists.openinfosecfoundation.org
> > > Subject: Re: [Oisf-users] Suricata and XDP
> > >
> > > On Mon, Jun 10, 2019 at 5:08 PM ltishend <ltishend at uw.edu> wrote:
> > > >
> > > > I don't get any message on stdout when I start suricata via the command line. Maybe that's part of the problem? No additional information dumps out to syslog either.
> > > >
> > >
> > > Can you please share how did you compile Suricata and what is the
> > > output of "suricata --build-info" ?
> > >
> > > Thank you
> > >
> > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Eric Leblond <eric at regit.org>
> > > > > Sent: Monday, June 10, 2019 7:59 AM
> > > > > To: ltishend <ltishend at uw.edu>; Peter Manev
> > > > > <petermanev at gmail.com>
> > > > > Cc: oisf-users at lists.openinfosecfoundation.org
> > > > > Subject: Re: [Oisf-users] Suricata and XDP
> > > > >
> > > > > Hello,
> > > > >
> > > > > We should have some message from libbpf on stdout. Can we have a look at it?
> > > > >
> > > > > On Mon, 2019-06-10 at 14:26 +0000, ltishend wrote:
> > > > > > > /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -vvv and share the full output?
> > > > > >
> > > > > > [25180] 10/6/2019 -- 07:22:34 - (suricata.c:1067) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (rev c1b30fe9f) running in SYSTEM mode
> > > > > > [25180] 10/6/2019 -- 07:22:34 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 40
> > > > > > [25180] 10/6/2019 -- 07:22:34 - (tmqh-flow.c:63) <Notice> (TmqhFlowRegister) -- using flow hash instead of active packets
> > > > > > [25180] 10/6/2019 -- 07:22:34 - (util-logopenfile.c:476) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
> > > > > > [25180] 10/6/2019 -- 07:22:34 - (util-logopenfile.c:476) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
> > > > > > [25180] 10/6/2019 -- 07:22:34 - (util-conf.c:115) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
> > > > > > [25180] 10/6/2019 -- 07:22:44 - (detect-engine-loader.c:351) <Info> (SigLoadSignatures) -- 2 rule files processed. 36833 rules successfully loaded, 0 rules failed
> > > > > > [25180] 10/6/2019 -- 07:22:44 - (util-threshold-config.c:1126) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
> > > > > > [25180] 10/6/2019 -- 07:22:45 - (detect-engine-build.c:1426) <Info> (SigAddressPrepareStage1) -- 36833 signatures processed. 261 are IP-only rules, 13916 are inspecting packet payload, 22463 inspect application layer, 103 are decoder event only
> > > > > > [25180] 10/6/2019 -- 07:23:12 - (runmode-af-packet.c:441) <Info> (ParseAFPConfig) -- af-packet will use '/etc/suricata/xdp_filter.bpf' as XDP filter file
> > > > > > [25180] 10/6/2019 -- 07:23:12 - (util-ebpf.c:308) <Error> (EBPFSetupXDP) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Unable to set XDP on 'enp175s0f1': Invalid argument (-22)
> > > > > > [25180] 10/6/2019 -- 07:23:12 - (runmode-af-packet.c:486) <Warning> (ParseAFPConfig) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when setting up XDP
> > > > > > [25180] 10/6/2019 -- 07:23:12 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 13 thread(s)
> > > > > > [25180] 10/6/2019 -- 07:23:13 - (util-conf.c:115) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
> > > > > > [25180] 10/6/2019 -- 07:23:13 - (unix-manager.c:131) <Info> (UnixNew) -- Using unix socket file '/var/run/suricata/suricata-command.socket'
> > > > > > [25180] 10/6/2019 -- 07:23:13 - (tm-threads.c:2157) <Notice> (TmThreadWaitOnThreadInit) -- all 13 packet processing threads, 5 management threads initialized, engine started.
> > > > > > [25204] 10/6/2019 -- 07:23:19 - (source-af-packet.c:509) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.
> > > > > >
> > > > > > > ethtool -x your-interface-here
> > > > > >
> > > > > > RX flow hash indirection table for enp175s0f1 with 13 RX ring(s):
> > > > > >     0:      0     1     2     3     4     5     6     7
> > > > > >     8:      8     9    10    11    12     0     1     2
> > > > > >    16:      3     4     5     6     7     8     9    10
> > > > > >    24:     11    12     0     1     2     3     4     5
> > > > > >    32:      6     7     8     9    10    11    12     0
> > > > > >    40:      1     2     3     4     5     6     7     8
> > > > > >    48:      9    10    11    12     0     1     2     3
> > > > > >    56:      4     5     6     7     8     9    10    11
> > > > > >    64:     12     0     1     2     3     4     5     6
> > > > > >    72:      7     8     9    10    11    12     0     1
> > > > > >    80:      2     3     4     5     6     7     8     9
> > > > > >    88:     10    11    12     0     1     2     3     4
> > > > > >    96:      5     6     7     8     9    10    11    12
> > > > > >   104:      0     1     2     3     4     5     6     7
> > > > > >   112:      8     9    10    11    12     0     1     2
> > > > > >   120:      3     4     5     6     7     8     9    10
> > > > > >   128:     11    12     0     1     2     3     4     5
> > > > > >   136:      6     7     8     9    10    11    12     0
> > > > > >   144:      1     2     3     4     5     6     7     8
> > > > > >   152:      9    10    11    12     0     1     2     3
> > > > > >   160:      4     5     6     7     8     9    10    11
> > > > > >   168:     12     0     1     2     3     4     5     6
> > > > > >   176:      7     8     9    10    11    12     0     1
> > > > > >   184:      2     3     4     5     6     7     8     9
> > > > > >   192:     10    11    12     0     1     2     3     4
> > > > > >   200:      5     6     7     8     9    10    11    12
> > > > > >   208:      0     1     2     3     4     5     6     7
> > > > > >   216:      8     9    10    11    12     0     1     2
> > > > > >   224:      3     4     5     6     7     8     9    10
> > > > > >   232:     11    12     0     1     2     3     4     5
> > > > > >   240:      6     7     8     9    10    11    12     0
> > > > > >   248:      1     2     3     4     5     6     7     8
> > > > > >   256:      9    10    11    12     0     1     2     3
> > > > > >   264:      4     5     6     7     8     9    10    11
> > > > > >   272:     12     0     1     2     3     4     5     6
> > > > > >   280:      7     8     9    10    11    12     0     1
> > > > > >   288:      2     3     4     5     6     7     8     9
> > > > > >   296:     10    11    12     0     1     2     3     4
> > > > > >   304:      5     6     7     8     9    10    11    12
> > > > > >   312:      0     1     2     3     4     5     6     7
> > > > > >   320:      8     9    10    11    12     0     1     2
> > > > > >   328:      3     4     5     6     7     8     9    10
> > > > > >   336:     11    12     0     1     2     3     4     5
> > > > > >   344:      6     7     8     9    10    11    12     0
> > > > > >   352:      1     2     3     4     5     6     7     8
> > > > > >   360:      9    10    11    12     0     1     2     3
> > > > > >   368:      4     5     6     7     8     9    10    11
> > > > > >   376:     12     0     1     2     3     4     5     6
> > > > > >   384:      7     8     9    10    11    12     0     1
> > > > > >   392:      2     3     4     5     6     7     8     9
> > > > > >   400:     10    11    12     0     1     2     3     4
> > > > > >   408:      5     6     7     8     9    10    11    12
> > > > > >   416:      0     1     2     3     4     5     6     7
> > > > > >   424:      8     9    10    11    12     0     1     2
> > > > > >   432:      3     4     5     6     7     8     9    10
> > > > > >   440:     11    12     0     1     2     3     4     5
> > > > > >   448:      6     7     8     9    10    11    12     0
> > > > > >   456:      1     2     3     4     5     6     7     8
> > > > > >   464:      9    10    11    12     0     1     2     3
> > > > > >   472:      4     5     6     7     8     9    10    11
> > > > > >   480:     12     0     1     2     3     4     5     6
> > > > > >   488:      7     8     9    10    11    12     0     1
> > > > > >   496:      2     3     4     5     6     7     8     9
> > > > > >   504:     10    11    12     0     1     2     3     4
> > > > > > RSS hash key:
> > > > > > 6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a
> > > > > > RSS hash function:
> > > > > >     toeplitz: on
> > > > > >     xor: off
> > > > > >     crc32: off
> > > > > >
> > > > > > > ethtool -n your-interface-here
> > > > > >
> > > > > > 13 RX rings available
> > > > > > Total 0 rules
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Peter Manev <petermanev at gmail.com>
> > > > > > > Sent: Saturday, June 8, 2019 12:32 AM
> > > > > > > To: ltishend <ltishend at uw.edu>
> > > > > > > Cc: oisf-users at lists.openinfosecfoundation.org
> > > > > > > Subject: Re: [Oisf-users] Suricata and XDP
> > > > > > >
> > > > > > > On Sat, Jun 8, 2019 at 12:45 AM ltishend <ltishend at uw.edu> wrote:
> > > > > > > > > What is your start command?
> > > > > > > >
> > > > > > > > /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile
> > > > > > > > /var/run/suricata.pid --af-packet
> > > > > > > >
> > > > > > >
> > > > > > > Can you please run it again with - /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -vvv and share the full output?
> > > > > > >
> > > > > > > Also what is the output of
> > > > > > > ethtool -x your-interface-here
> > > > > > > ethtool -n your-interface-here
> > > > > > >
> > > > > > > Thank you
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Regards,
> > > > > > > Peter Manev
> > > > > > _______________________________________________
> > > > > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > > > > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > > > > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > > > >
> > > > > > Conference: https://suricon.net
> > > > > > Trainings: https://suricata-ids.org/training/
> > > >
> > >
> > >
> > > --
> > > Regards,
> > > Peter Manev
> 
> 
> 
> --
> Regards,
> Peter Manev
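
The thread asks for "ethtool -x" output and then chases the XDP attach error through a libbpf rebuild. The script below is an added example, not code from this thread, from the posters or from the Suricata project: it checks the RSS layout the way a reader would want to before touching libbpf (ring count, whether the indirection table really spreads over all rings, and whether the hash key is the symmetric 6d:5a key), and, when given a live interface and an XDP object, tries a native-mode attach followed by a generic-mode attach so an EINVAL can be pinned on the driver rather than on libbpf or the object. The embedded "ethtool -x" text is a constructed, shortened copy of the output quoted above; the "xdp" section name, the "xdpdrv"/"xdpgeneric" iproute2 keywords and the helper names are assumptions of this example.

```shell
#!/bin/sh
# xdp-precheck.sh: added example, not from this thread or the Suricata project.
# Assumes POSIX sh, awk, sed, ethtool, iproute2 with XDP support and an XDP
# object whose program sits in a section named "xdp" (assumed default below).

# Constructed sample: a shortened copy of the "ethtool -x" output quoted in the
# thread (two indirection-table rows, the full 52-byte key).  The key is the
# 16-bit pattern 0x6d5a repeated, which makes the Toeplitz hash symmetric so
# both directions of a flow land on the same RX queue.
SAMPLE_ETHTOOL_X='RX flow hash indirection table for enp175s0f1 with 13 RX ring(s):
    0:      0     1     2     3     4     5     6     7
    8:      8     9    10    11    12     0     1     2
RSS hash key:
6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a
RSS hash function:
    toeplitz: on
    xor: off
    crc32: off'

# Number of RX rings announced in the header line of "ethtool -x".
rss_rx_rings() {
    printf '%s\n' "$1" | sed -n 's/.*with \([0-9][0-9]*\) RX ring(s).*/\1/p'
}

# Number of distinct queues the indirection table points at.  Smaller than
# rss_rx_rings means some rings never see traffic (and idle capture threads).
rss_queues_in_use() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+:/ { for (i = 2; i <= NF; i++) seen[$i] = 1 }
        END { n = 0; for (q in seen) n++; print n }'
}

# "symmetric" when every byte pair of the key is 6d:5a, "asymmetric" otherwise
# (also when no key line is present).
rss_key_symmetry() {
    key=$(printf '%s\n' "$1" | sed -n '/^RSS hash key:/{n;p;}' | tr -d ' ')
    rest=$(printf '%s' "$key" | sed 's/6d:5a//g; s/://g')
    if [ -n "$key" ] && [ -z "$rest" ]; then echo symmetric; else echo asymmetric; fi
}

# Live probe (needs root): attach the object in native (driver) mode, then in
# generic (SKB) mode, detaching after each success.  Native failing while
# generic succeeds points at the driver or its current queue/MTU setup.
xdp_probe() {
    ifc=$1; obj=$2; sec=${3:-xdp}
    echo "kernel: $(uname -r)"
    echo "driver: $(ethtool -i "$ifc" | awk '/^driver:/ { print $2 }')"
    echo "mtu:    $(cat "/sys/class/net/$ifc/mtu")"
    for mode in xdpdrv xdpgeneric; do
        if ip link set dev "$ifc" "$mode" obj "$obj" sec "$sec" 2>/dev/null; then
            echo "$mode: attach OK"
            ip link set dev "$ifc" xdp off
        else
            echo "$mode: attach failed (rerun the ip link command by hand for the errno)"
        fi
    done
}

# usage: xdp-precheck.sh                 -> analyse the embedded sample
#        xdp-precheck.sh IFACE           -> analyse "ethtool -x IFACE"
#        xdp-precheck.sh IFACE OBJ [SEC] -> also run the live attach probe
case $# in
    0) out=$SAMPLE_ETHTOOL_X ;;
    1) out=$(ethtool -x "$1") ;;
    *) out=$(ethtool -x "$1"); xdp_probe "$@" ;;
esac
echo "rx rings:              $(rss_rx_rings "$out")"
echo "queues in indir table: $(rss_queues_in_use "$out")"
echo "rss key:               $(rss_key_symmetry "$out")"
```

Run against the output quoted in this thread the three RSS checks report 13 rings, 13 queues in use and a symmetric key, so the next useful datum is the attach probe: if "xdpgeneric" succeeds where "xdpdrv" returns the same "Invalid argument" Suricata logs, the problem sits in the driver's native XDP path and no libbpf rebuild will change it. Note also that the quoted libbpf recipe clones whatever commit is at the head of the repository and installs it under /usr/lib64 as root; checking out a tagged release before "make" and confirming it with "pkg-config --modversion libbpf" keeps the rebuild reproducible.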

