[Oisf-users] eBPF errors for Suricata 5

Peter Manev petermanev at gmail.com
Mon Nov 11 09:22:10 UTC 2019


On Fri, Sep 6, 2019 at 7:59 PM Jeremy A. Grove <jgrove at quadrantsec.com> wrote:
>
> I now have new errors and I am not finding a clear reason as to why. Any ideas?
>
> [21214] 6/9/2019 -- 17:56:23 - (runmode-af-packet.c:471) <Config> (ParseAFPConfig) -- Using bypass kernel functionality for AF_PACKET (iface eth1)
> libbpf: failed to create map (name: 'cpu_map'): Operation not permitted(-1)
> libbpf: failed to load object '/etc/suricata/ebpf/xdp_filter.bpf'
> [21214] 6/9/2019 -- 17:56:23 - (util-ebpf.c:393) <Error> (EBPFLoadFile) -- [ERRCODE: SC_ERR_SYSCALL(50)] - Permission issue when loading eBPF object (check libbpf error on stdout)
> [21214] 6/9/2019 -- 17:56:23 - (runmode-af-packet.c:532) <Warning> (ParseAFPConfig) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when loading XDP filter file
>

Do you still have that issue with 5.0?
What kind of NIC/driver is it?

> Regards,
>
> Jeremy Grove, SSCP
> Security Engineer
> Quadrant Information Security
> o: (904)296-9100 x100
> t: (800) 538-9357 x100
> e: soc at quadrantsec.com
>
> Learn more about our managed SIEM: people + product (https://quadrantsec.com/SaganMSSP)
>
> ----- Original Message -----
> From: "Jeremy A. Grove" <jgrove at quadrantsec.com>
> To: "Eric Leblond" <eric at regit.org>
> Cc: "oisf-users" <oisf-users at lists.openinfosecfoundation.org>
> Sent: Thursday, August 29, 2019 9:40:02 AM
> Subject: Re: [Oisf-users] Libbpf errors on Make for Suricata from Git
>
> That was the fix! Thank you for the input. Maybe this should be updated for the 5.0 docs?
>
> Regards,
>
> Jeremy Grove, SSCP
>
> ----- Original Message -----
> From: "Eric Leblond" <eric at regit.org>
> To: "Jeremy A. Grove" <jgrove at quadrantsec.com>, "oisf-users" <oisf-users at lists.openinfosecfoundation.org>
> Sent: Wednesday, August 28, 2019 4:07:02 PM
> Subject: Re: [Oisf-users] Libbpf errors on Make for Suricata from Git
>
> Hello,
>
> On Wed, 2019-08-28 at 12:43 -0400, Jeremy A. Grove wrote:
> > Hi All!
> >
> > I am venturing into the land of XDP and eBPF.
> >
> > I am following the instructions from
> > https://suricata.readthedocs.io/en/suricata-5.0.0-beta1/capture-hardware/ebpf-xdp.html
>
> Can you try to follow this documentation:
>
> https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html
>
> There is now an out-of-Linux-tree libbpf, and the documentation has been
> updated to use that and also features some more information. It should
> work with the beta1 of Suricata 5.0.
>
> Best regards,
>
> > .
> >
> > I receive errors from the make command for Suricata.
> >
> > util-ebpf.c:359:13: error: implicit declaration of function
> > 'bpf_program__set_ifindex' is invalid in C99 [-Werror,-Wimplicit-
> > function-declaration]
> >             bpf_program__set_ifindex(bpfprog, ifindex);
> >             ^
> > util-ebpf.c:359:13: warning: this function declaration is not a
> > prototype [-Wstrict-prototypes]
> > util-ebpf.c:362:13: error: implicit declaration of function
> > 'bpf_map__set_ifindex' is invalid in C99 [-Werror,-Wimplicit-
> > function-declaration]
> >             bpf_map__set_ifindex(map, ifindex);
> >             ^
> > util-ebpf.c:362:13: note: did you mean 'bpf_map__set_priv'?
> > /usr/local/include/bpf/libbpf.h:244:5: note: 'bpf_map__set_priv'
> > declared here
> > int bpf_map__set_priv(struct bpf_map *map, void *priv,
> >     ^
> > util-ebpf.c:362:13: warning: this function declaration is not a
> > prototype [-Wstrict-prototypes]
> >             bpf_map__set_ifindex(map, ifindex);
> >             ^
> >
> > I have found where someone had this error before and it was due to
> > them having more than one libbpf.h. I do not believe this is the case
> > for myself.
> >
> > I installed libbpf per the above instructions as well and Suricata
> > sees it correctly per ldd.
> >
> > deb10-image suricata # ldd /usr/bin/suricata | grep libbpf
> >     libbpf.so => /usr/local/lib64/libbpf.so (0x00007f8c9b5f9000)
> >
> > deb10-image suricata # ls -alh /usr/local/lib64/libbpf.so
> > -rwxr-xr-x 1 root staff 108K Aug 28 16:29 /usr/local/lib64/libbpf.so
> >
> > Any ideas as to why I am receiving this error?
> >
> >
> > Jeremy Grove, SSCP
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> > http://suricata-ids.org/support/
> > List:
> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
> --
> Eric Leblond <eric at regit.org>



-- 
Regards,
Peter Manev

