Suricata

The original report from the mailing list being (https://lists.openinfosecfoundation.org/pipermail/oisf-users/2016-December/006615.html) :
(kernel 3.10)

AFpacket Config:

  - interface: eth2

    threads: 1

    cluster-id: 98

    cluster-type: cluster_flow

    defrag: yes

    use-mmap: yes

    ring-size: 300000

  - interface: eth3

    threads: 1

    cluster-id: 97

    cluster-type: cluster_flow

    defrag: yes

    use-mmap: yes

    ring-size: 300000

Start errors:

14/12/2016 -- 17:12:42 - <Notice> - This is Suricata version 3.2 RELEASE

14/12/2016 -- 17:12:42 - <Info> - CPUs/cores online: 32

14/12/2016 -- 17:12:42 - <Info> - Use pid file /var/run/suricata.pid from config file.

14/12/2016 -- 17:12:45 - <Info> - 37 rule files processed. 11788 rules successfully loaded, 0 rules failed

14/12/2016 -- 17:12:45 - <Info> - 11789 signatures processed. 1314 are IP-only rules, 4425 are inspecting packet payload, 7558 inspect application layer, 0 are decoder event only

14/12/2016 -- 17:12:53 - <Info> - Threshold config parsed: 0 rule(s) found

14/12/2016 -- 17:12:53 - <Info> - fast output device (regular) initialized: fast.log

14/12/2016 -- 17:12:53 - <Info> - eve-log output device (regular) initialized: eve.json

14/12/2016 -- 17:12:53 - <Info> - stats output device (regular) initialized: stats.log

14/12/2016 -- 17:12:53 - <Info> - Going to use 1 thread(s)

14/12/2016 -- 17:12:53 - <Info> - Going to use 1 thread(s)

14/12/2016 -- 17:12:55 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.

14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size

14/12/2016 -- 17:12:55 - <Info> - Ring parameter are incorrect. Please correct the devel

14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error

14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size

14/12/2016 -- 17:12:55 - <Info> - Ring parameter are incorrect. Please correct the devel

14/12/2016 -- 17:12:55 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error

14/12/2016 -- 17:12:55 - <Notice> - Signal Received.  Stopping engine.

14/12/2016 -- 17:12:55 - <Info> - time elapsed 2.440s

14/12/2016 -- 17:12:56 - <Info> - cleaning up signature grouping structure... complete

14/12/2016 -- 17:12:56 - <Notice> - Stats for 'eth2':  pkts: 0, drop: 0 (-nan%), invalid chksum: 0

14/12/2016 -- 17:12:56 - <Notice> - Stats for 'eth3':  pkts: 0, drop: 0 (-nan%), invalid chksum: 0

However from the config file attached we have

af-packet:
  - interface: eth0
    threads: 16
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    tpacket-v3: yes
    use-mmap: yes
    ring-size: 400000
    #block-size: 524288
    buffer-size: 104857600
  - interface: wlan0
    threads: 16
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
    tpacket-v3: yes
    use-mmap: yes
    ring-size: 400000
    #block-size: 524288
    buffer-size: 104857600

I tried ruining your config - i could not reproduce the report - but i tested with kernel Debian 3.16.36-1+deb8u2.

I am not sure how easy it is to switch between the original 3.10 and the 4.8 kernels but can you try the same config with commenting out "buffer-size:" and uncommenting the "block-size:" on the 3.10 kernel (as it was originally reported).

Hello Peter,

Sadly cannot go back, because we've updated the whole server and headers and tools recompiling suricata again, and cannot get a new maintenance window to try this till next year.

By the way, i've tried the old config on the actual kernel and works OK, no messages from tpacket_v3 but using version 2 by defualt I suppose.

What are the requiremoents to use tpacket-v3: yes ?

Regards,

Just so i don't misunderstand -
Which kernel is the actual kernel that you are referring to ? (4.8?)
Which one is the old config ? (can you upload it as well please)

Sorry for the mess Peter:

My actual kernel is 4.8

Old config is the one that I 've reported with the 3.10 kernel

- interface: eth2
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    ring-size: 300000

- interface: eth3
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    ring-size: 300000

All the other configurations where the same as the file uploaded here, the only modifications done (once updated the kernel and recompiled suricata) are more options suggested by users on the list and also more threads like this:

  - interface: eth2
    threads: 16
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    tpacket-v3: yes
    use-mmap: yes
    ring-size: 400000
    #block-size: 524288
    buffer-size: 104857600
  - interface: eth3
    threads: 16
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
    tpacket-v3: yes
    use-mmap: yes
    ring-size: 400000
    #block-size: 524288
    buffer-size: 104857600

Regards,

With regards to kernel 4.8:

It seems somewhere else is the issue. I can run 3.2 dev with AFPv3 on kernel 4.8.15 - no issues:

root@test:~# uname -a
Linux SELKS 4.8.15-stamus-amd64 #1 SMP Fri Dec 23 10:16:47 CET 2016 x86_64 GNU/Linux

root@test:~# /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -vv 
[4098] 23/12/2016 -- 10:35:05 - (suricata.c:1007) <Notice> (SCPrintVersion) -- This is Suricata version 3.2dev (rev 94bc7e5)
[4098] 23/12/2016 -- 10:35:05 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 2
[4098] 23/12/2016 -- 10:35:05 - (util-ioctl.c:105) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'eth0'
...
...
[4098] 23/12/2016 -- 10:35:17 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[4098] 23/12/2016 -- 10:35:17 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[4098] 23/12/2016 -- 10:35:17 - (output-json-email-common.c:455) <Info> (OutputEmailInitConf) -- Going to log the md5 sum of email body
[4098] 23/12/2016 -- 10:35:17 - (output-json-email-common.c:459) <Info> (OutputEmailInitConf) -- Going to log the md5 sum of email subject
[4098] 23/12/2016 -- 10:35:17 - (output-json-dnp3.c:383) <Info> (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[4098] 23/12/2016 -- 10:35:17 - (output-json-dnp3.c:383) <Info> (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[4098] 23/12/2016 -- 10:35:17 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[4098] 23/12/2016 -- 10:35:17 - (runmode-af-packet.c:415) <Perf> (ParseAFPConfig) -- 2 cores, so using 2 threads
[4098] 23/12/2016 -- 10:35:17 - (runmode-af-packet.c:428) <Perf> (ParseAFPConfig) -- Using 2 AF_PACKET threads for interface eth0
[4098] 23/12/2016 -- 10:35:17 - (util-runmodes.c:285) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 2 thread(s)
[4098] 23/12/2016 -- 10:35:17 - (util-conf.c:109) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[4138] 23/12/2016 -- 10:35:17 - (unix-manager.c:124) <Info> (UnixNew) -- Using unix socket file '/var/run/suricata/suricata-command.socket'
[4098] 23/12/2016 -- 10:35:17 - (tm-threads.c:2098) <Notice> (TmThreadWaitOnThreadInit) -- all 2 packet processing threads, 4 management threads initialized, engine started.
[4136] 23/12/2016 -- 10:35:17 - (source-af-packet.c:1629) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 block_nr=52 frame_size=1616 frame_nr=1040 (mem: 1703936)
[4137] 23/12/2016 -- 10:35:17 - (source-af-packet.c:1629) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 block_nr=52 frame_size=1616 frame_nr=1040 (mem: 1703936)
[4137] 23/12/2016 -- 10:35:17 - (source-af-packet.c:476) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.

I used the default config and just enabled AFPv3
Could you try the same - use a default config and just enable AFPv3?

Hello Peter,

Thanks for following up this thread!

Tried default config but still the same.

27/12/2016 -- 09:33:35 - <Info> - CPUs/cores online: 32
27/12/2016 -- 09:33:35 - <Info> - Use pid file /var/run/suricata.pid from config file.
27/12/2016 -- 09:33:38 - <Info> - 37 rule files processed. 11875 rules successfully loaded, 0 rules failed
27/12/2016 -- 09:33:38 - <Info> - 11876 signatures processed. 1367 are IP-only rules, 4451 are inspecting packet payload, 7569 inspect application layer, 0 are decoder event only
27/12/2016 -- 09:33:40 - <Info> - Threshold config parsed: 0 rule(s) found
27/12/2016 -- 09:33:40 - <Info> - fast output device (regular) initialized: fast.log
27/12/2016 -- 09:33:40 - <Info> - eve-log output device (regular) initialized: eve.json
27/12/2016 -- 09:33:40 - <Info> - stats output device (regular) initialized: stats.log
27/12/2016 -- 09:33:40 - <Notice> - System too old for tpacket v3 switching to v2
27/12/2016 -- 09:33:40 - <Info> - Going to use 16 thread(s)
27/12/2016 -- 09:33:44 - <Notice> - System too old for tpacket v3 switching to v2
27/12/2016 -- 09:33:44 - <Info> - Going to use 16 thread(s)
27/12/2016 -- 09:33:47 - <Notice> - all 32 packet processing threads, 4 management threads initialized, engine started.
27/12/2016 -- 09:33:48 - <Info> - All AFP capture threads are running.

But after digging more depply, I believe we've found the problem.

Could it be possible that having kernel 4.8 installed, but headers of the original older kernel, that compiling suricata uses those headers and do the "old" system version to suricata??

[root@xxxxxx ~]# rpm -qa | grep kernel
kernel-ml-devel-4.8.13-1.el6.elrepo.x86_64
kernel-2.6.32-431.20.3.el6.x86_64
kernel-ml-4.8.13-1.el6.elrepo.x86_64
kernel-2.6.32-431.20.5.el6.x86_64
kernel-devel-2.6.32-431.20.5.el6.x86_64
kernel-headers-2.6.32-431.20.5.el6.x86_64
kernel-firmware-2.6.32-431.20.5.el6.noarch

Tried the same on a VM with kernel + headers on 4.8 and works perfects, so I believe thats my issue and not a suri bug.

Regards!