[Oisf-users] eBPF errors for Suricata 5

Jeremy A. Grove jgrove at quadrantsec.com
Fri Sep 6 17:59:20 UTC 2019


I now have new errors and I am not finding a clear reason as to why. Any ideas?

[21214] 6/9/2019 -- 17:56:23 - (runmode-af-packet.c:471) <Config> (ParseAFPConfig) -- Using bypass kernel functionality for AF_PACKET (iface eth1)
libbpf: failed to create map (name: 'cpu_map'): Operation not permitted(-1)
libbpf: failed to load object '/etc/suricata/ebpf/xdp_filter.bpf'
[21214] 6/9/2019 -- 17:56:23 - (util-ebpf.c:393) <Error> (EBPFLoadFile) -- [ERRCODE: SC_ERR_SYSCALL(50)] - Permission issue when loading eBPF object (check libbpf error on stdout)
[21214] 6/9/2019 -- 17:56:23 - (runmode-af-packet.c:532) <Warning> (ParseAFPConfig) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when loading XDP filter file

Regards,

Jeremy Grove, SSCP 
Security Engineer 
Quadrant Information Security 
o: (904)296-9100 x100
t: (800) 538-9357 x100
e: soc at quadrantsec.com


----- Original Message -----
From: "Jeremy A. Grove" <jgrove at quadrantsec.com>
To: "Eric Leblond" <eric at regit.org>
Cc: "oisf-users" <oisf-users at lists.openinfosecfoundation.org>
Sent: Thursday, August 29, 2019 9:40:02 AM
Subject: Re: [Oisf-users] Libbpf errors on Make for Suricata from Git

That was the fix! Thank you for the input. Maybe this should be updated for the 5.0 docs?

Regards,

Jeremy Grove, SSCP 
Security Engineer 
Quadrant Information Security 

----- Original Message -----
From: "Eric Leblond" <eric at regit.org>
To: "Jeremy A. Grove" <jgrove at quadrantsec.com>, "oisf-users" <oisf-users at lists.openinfosecfoundation.org>
Sent: Wednesday, August 28, 2019 4:07:02 PM
Subject: Re: [Oisf-users] Libbpf errors on Make for Suricata from Git

Hello,

On Wed, 2019-08-28 at 12:43 -0400, Jeremy A. Grove wrote:
> Hi All!
> 
> I am venturing into the land of XDP and eBPF. 
> 
> I am following the instructions from 
> https://suricata.readthedocs.io/en/suricata-5.0.0-beta1/capture-hardware/ebpf-xdp.html

Can you try to follow this documentation:

https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html

There is now an out-of-Linux-tree libbpf, and the documentation has been
updated to use that and also features some more information. It should
work with the beta1 of Suricata 5.0.

Best regards,

> .
> 
> I receive errors from the make command for Suricata. 
> 
> util-ebpf.c:359:13: error: implicit declaration of function
> 'bpf_program__set_ifindex' is invalid in C99 [-Werror,-Wimplicit-
> function-declaration]
>             bpf_program__set_ifindex(bpfprog, ifindex);
>             ^
> util-ebpf.c:359:13: warning: this function declaration is not a
> prototype [-Wstrict-prototypes]
> util-ebpf.c:362:13: error: implicit declaration of function
> 'bpf_map__set_ifindex' is invalid in C99 [-Werror,-Wimplicit-
> function-declaration]
>             bpf_map__set_ifindex(map, ifindex);
>             ^
> util-ebpf.c:362:13: note: did you mean 'bpf_map__set_priv'?
> /usr/local/include/bpf/libbpf.h:244:5: note: 'bpf_map__set_priv'
> declared here
> int bpf_map__set_priv(struct bpf_map *map, void *priv,
>     ^
> util-ebpf.c:362:13: warning: this function declaration is not a
> prototype [-Wstrict-prototypes]
>             bpf_map__set_ifindex(map, ifindex);
>             ^
> 
> I have found where someone had this error before and it was due to
> them having more than one libbpf.h. I do not believe this is the case
> for myself. 
> 
> I installed libbpf per the above instructions as well and Suricata
> sees it correctly per ldd.
> 
> deb10-image suricata # ldd /usr/bin/suricata | grep libbpf
>     libbpf.so => /usr/local/lib64/libbpf.so (0x00007f8c9b5f9000)
> 
> deb10-image suricata # ls -alh /usr/local/lib64/libbpf.so
> -rwxr-xr-x 1 root staff 108K Aug 28 16:29 /usr/local/lib64/libbpf.so
> 
> Any ideas as to why I am receiving this error?
> 
-- 
Eric Leblond <eric at regit.org>