Suricata

Fix should be implemented by https://github.com/regit/suricata/commit/ed22ba202beec77cb5416702caa0cb21d77767d7. Can you feedback on this ?

With the provided fix there is no misleading message but no hit at what could be the reason either:

/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet  -v
[12182] 29/11/2016 -- 10:34:16 - (suricata.c:1005) <Notice> (SCPrintVersion) -- This is Suricata version 3.2dev (rev ed22ba2)
[12182] 29/11/2016 -- 10:34:16 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 8
[12182] 29/11/2016 -- 10:34:16 - (app-layer-dnp3.c:1603) <Warning> (RegisterDNP3Parsers) -- [ERRCODE: SC_ERR_DNP3_CONFIG(290)] - No DNP3 configuration found, enabling DNP3 detection on port 20000
[12182] 29/11/2016 -- 10:34:16 - (app-layer-dnp3.c:1618) <Info> (RegisterDNP3Parsers) -- Registering DNP3/tcp parsers.
[12182] 29/11/2016 -- 10:34:16 - (util-ioctl.c:105) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'wlan0'
[12182] 29/11/2016 -- 10:34:16 - (util-conf.c:109) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[12182] 29/11/2016 -- 10:34:19 - (detect.c:507) <Info> (SigLoadSignatures) -- 39 rule files processed. 12689 rules successfully loaded, 0 rules failed
[12182] 29/11/2016 -- 10:34:19 - (detect.c:3502) <Info> (SigAddressPrepareStage1) -- 12697 signatures processed. 1180 are IP-only rules, 5135 are inspecting packet payload, 8004 inspect application layer, 0 are decoder event only
[12182] 29/11/2016 -- 10:34:20 - (util-threshold-config.c:1188) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[12182] 29/11/2016 -- 10:34:20 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[12182] 29/11/2016 -- 10:34:20 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[12182] 29/11/2016 -- 10:34:20 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[12182] 29/11/2016 -- 10:34:20 - (util-runmodes.c:285) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[12182] 29/11/2016 -- 10:34:20 - (util-conf.c:109) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[12182] 29/11/2016 -- 10:34:20 - (tm-threads.c:2098) <Notice> (TmThreadWaitOnThreadInit) -- all 1 packet processing threads, 4 management threads initialized, engine started.
[12183] 29/11/2016 -- 10:34:20 - (source-af-packet.c:476) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.

It is definitely better than before in my view - but it seems the msg - https://github.com/regit/suricata/commit/ed22ba202beec77cb5416702caa0cb21d77767d7#diff-e77389f2d8111b800388ad83c1ca6b73R404 does not kick in ?

Is this still an issue?

The message is the same as before but it is better than the original reported here.Tested on Buster/Bullseye with latest master.

Peter can you paste the output of your latest test?

Please copy paste the output in the future Peter.

So it says 'fanout not supported by kernel: Invalid argument'. This doesn't sound useful at all. I would suggest expanding it to something like:

'fanout not supported by kernel: Invalid argument. Kernel too old or cluster-id XX already in use'

Yes - sorry about that -

[4338] 31/5/2019 -- 11:12:16 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient file_data": 5
[4338] 31/5/2019 -- 11:12:21 - (source-af-packet.c:2002) <Perf> (AFPIsFanoutSupported) -- fanout not supported by kernel: Invalid argument
[4338] 31/5/2019 -- 11:12:21 - (runmode-af-packet.c:643) <Config> (ParseAFPConfig) -- eno1: enabling zero copy mode by using data release call
[4338] 31/5/2019 -- 11:12:21 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[4338] 31/5/2019 -- 11:12:21 - (flow-manager.c:815) <Config> (FlowManagerThreadSpawn) -- using 1 flow manager threads
[4338] 31/5/2019 -- 11:12:21 - (flow-manager.c:976) <Config> (FlowRecyclerThreadSpawn) -- using 1 flow recycler threads
[4338] 31/5/2019 -- 11:12:21 - (util-conf.c:115) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[4338] 31/5/2019 -- 11:12:21 - (unix-manager.c:131) <Info> (UnixNew) -- Using unix socket file '/opt/suritest/var/run/suricata/suricata-command.socket'
[4338] 31/5/2019 -- 11:12:21 - (tm-threads.c:2157) <Notice> (TmThreadWaitOnThreadInit) -- all 1 packet processing threads, 4 management threads initialized, engine started.
[4340] 31/5/2019 -- 11:12:21 - (source-af-packet.c:1752) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=103 frame_size=1584 frame_nr=2060
[4340] 31/5/2019 -- 11:12:21 - (source-af-packet.c:509) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.

It is better than prior to the fix but maybe could also use/add "ERRCODE/Warning" stanza msg as currently it does not really jump out.

The relevant message from the above is

[4338] 31/5/2019 -- 11:12:21 - (source-af-packet.c:2002) <Perf> (AFPIsFanoutSupported) -- fanout not supported by kernel: Invalid argument