Support #2692
Closed
Please help: error found when starting Suricata with XDP (Kernel 14.15.18, Debian 9, NIC Intel X710)
Description
After executing the command "/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet=enp179s0f1 -vvv", I found the error below. I tried all of the following kernel versions: 14.13, 14.15.18, and 14.19.2, but all still failed.
Reference - https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html
[9965] 21/11/2018 -- 13:27:52 - (runmode-af-packet.c:233) <Config> (ParseAFPConfig) -- Enabling tpacket v3 capture on iface enp179s0f1
[9965] 21/11/2018 -- 13:27:52 - (runmode-af-packet.c:328) <Config> (ParseAFPConfig) -- Using queue based cluster mode for AF_PACKET (iface enp179s0f1)
[9965] 21/11/2018 -- 13:27:52 - (runmode-af-packet.c:401) <Config> (ParseAFPConfig) -- af-packet will use '/etc/suricata/ebpf/bypass_filter.bpf' as eBPF filter file
[9965] 21/11/2018 -- 13:27:52 - (runmode-af-packet.c:408) <Config> (ParseAFPConfig) -- Using bypass kernel functionality for AF_PACKET (iface enp179s0f1)
libbpf: failed to create map (name: 'flow_table_v4'): Function not implemented
libbpf: failed to load object '/etc/suricata/ebpf/bypass_filter.bpf'
[9965] 21/11/2018 -- 13:27:52 - (util-ebpf.c:229) <Error> (EBPFLoadFile) -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Permission issue when loading eBPF object: Unknown error -1 (-1)
[9965] 21/11/2018 -- 13:27:52 - (runmode-af-packet.c:426) <Warning> (ParseAFPConfig) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when loading eBPF filter file
[9965] 21/11/2018 -- 13:27:52 - (runmode-af-packet.c:643) <Config> (ParseAFPConfig) -- enp179s0f1: enabling zero copy mode by using data release call
[9965] 21/11/2018 -- 13:27:52 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 20 thread(s)
[10053] 21/11/2018 -- 13:27:52 - (source-af-packet.c:2574) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v4'
[10053] 21/11/2018 -- 13:27:52 - (source-af-packet.c:2578) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6'
[10054] 21/11/2018 -- 13:27:52 - (source-af-packet.c:2574) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v4'
[10054] 21/11/2018 -- 13:27:52 - (source-af-packet.c:2578) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6'
[10055] 21/11/2018 -- 13:27:52 - (source-af-packet.c:2574) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v4'
[10055] 21/11/2018 -- 13:27:52 - (source-af-packet.c:2578) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6'
[10058] 21/11/2018 -- 13:27:53 - (source-af-packet.c:2574) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v4'
[10058] 21/11/2018 -- 13:27:53 - (source-af-packet.c:2578) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6'
[10063] 21/11/2018 -- 13:27:53 - (source-af-packet.c:2574) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v4'
[10063] 21/11/2018 -- 13:27:53 - (source-af-packet.c:2578) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6'
[10070] 21/11/2018 -- 13:27:53 - (source-af-packet.c:2574) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v4'
[10070] 21/11/2018 -- 13:27:53 - (source-af-packet.c:2578) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6'
Updated by prasert sook over 6 years ago
I suspect a permission issue when loading the eBPF object, but I have no idea how to continue investigating this. Please help shed some light here, thanks a lot.
Updated by Victor Julien over 6 years ago
- Description updated (diff)
- Assignee set to Eric Leblond
- Target version deleted (4.1)
- Difficulty deleted (high)
- Affected Versions 4.1 added
I assume these 14.x kernel versions should be 4.x?
Updated by prasert sook over 6 years ago
Victor Julien wrote:
I assume these 14.x kernel versions should be 4.x?
Oh, sorry, you're right. They're all 4.x. :)
Updated by prasert sook over 6 years ago
- File suricata2.log suricata2.log added
prasert sook wrote:
Victor Julien wrote:
I assume these 14.x kernel versions should be 4.x?
Oh, sorry, you're right. They're all 4.x. :)
It seems I've fixed it. Please see the log result in the attached file.
I enabled these features: the kernel is compiled with the following flags set in /boot/config-<kernel-version>:
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_NET_CLS_BPF=m
CONFIG_NET_ACT_BPF=m
CONFIG_BPF_JIT=y
And one more question here: any idea about these warnings? Thanks a lot :)
[6120] 21/11/2018 -- 17:34:14 - (detect-flowbits.c:480) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BSis.vnc.setup' is checked but not set. Checked in 2002914 and 3 other sigs
[6120] 21/11/2018 -- 17:34:14 - (detect-flowbits.c:480) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BSvnc.null.auth.sent' is checked but not set. Checked in 2002917 and 0 other sigs
[6120] 21/11/2018 -- 17:34:14 - (detect-flowbits.c:480) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BSvnc.auth.agreed' is checked but not set. Checked in 2002921 and 0 other sigs
[6120] 21/11/2018 -- 17:34:14 - (detect-flowbits.c:480) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Netwire.HB.1' is checked but not set. Checked in 2018282 and 0 other sigs
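The five flags in the post above are the fix the reporter found. As an added example, not part of this ticket or of Suricata, here is a POSIX shell script that checks a kernel config file (/boot/config-<kernel-version> or /proc/config.gz) for exactly those options. It distinguishes the options that must be built in from the classifier/action options that may be modules: CONFIG_BPF_SYSCALL in particular cannot be a module, and a kernel without it makes every bpf() call, including the BPF_MAP_CREATE behind libbpf's "failed to create map", fail with ENOSYS, which strerror renders as "Function not implemented", the first real error in the log. The script and function names are my own, and the sample config it runs against when given no argument is constructed to reproduce that shape of failure.

```shell
#!/bin/sh
# Added example (not from the ticket or from Suricata): check a kernel config
# for the BPF options the reporter had to enable.
# Usage: sh check_bpf_config.sh /boot/config-$(uname -r)   (or /proc/config.gz)
# With no argument it runs against a constructed sample config.

# Must be built in (=y). The bpf() syscall cannot be a module; without it
# every BPF_MAP_CREATE fails with ENOSYS ("Function not implemented").
BPF_BUILTIN="CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_BPF_JIT"
# May be built in or loadable modules (=y or =m).
BPF_MODULE_OK="CONFIG_NET_CLS_BPF CONFIG_NET_ACT_BPF"

# config_value FILE OPTION: print the option's value, or "n" when the line
# reads "# OPTION is not set" or the option is absent. Gzipped configs such
# as /proc/config.gz are read through zcat.
config_value() {
    _file="$1"; _opt="$2"
    case "$_file" in
        *.gz) _val=$(zcat "$_file" | sed -n "s/^${_opt}=//p" | head -n 1) ;;
        *)    _val=$(sed -n "s/^${_opt}=//p" "$_file" | head -n 1) ;;
    esac
    printf '%s\n' "${_val:-n}"
}

# check_bpf_config FILE: print one line per missing or mis-set option.
# Returns 0 when the config satisfies both lists above, 1 otherwise.
check_bpf_config() {
    _cfg="$1"; _rc=0
    for _o in $BPF_BUILTIN; do
        _v=$(config_value "$_cfg" "$_o")
        [ "$_v" = "y" ] || { echo "MISSING $_o (have: $_v, need: y)"; _rc=1; }
    done
    for _o in $BPF_MODULE_OK; do
        _v=$(config_value "$_cfg" "$_o")
        case "$_v" in
            y|m) ;;
            *) echo "MISSING $_o (have: $_v, need: y or m)"; _rc=1 ;;
        esac
    done
    return $_rc
}

if [ -n "${1:-}" ]; then
    check_bpf_config "$1" && echo "OK: $1 has the BPF options needed for Suricata eBPF/XDP"
else
    # Constructed sample: a config with CONFIG_BPF_SYSCALL left unset, the
    # shape of kernel that produces the ticket's libbpf ENOSYS error.
    _demo=$(mktemp)
    printf '%s\n' 'CONFIG_BPF=y' '# CONFIG_BPF_SYSCALL is not set' \
        'CONFIG_NET_CLS_BPF=m' 'CONFIG_NET_ACT_BPF=m' 'CONFIG_BPF_JIT=y' > "$_demo"
    check_bpf_config "$_demo" || echo "sample config would fail as in the ticket"
    rm -f "$_demo"
fi
```

Run it against the running kernel's config before rebuilding anything; if it reports CONFIG_BPF_SYSCALL as missing, no amount of permission changes on the .bpf file will help, because the failure is in the kernel, not in file access, despite Suricata's "Permission issue" wording.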
Updated by Victor Julien over 6 years ago
- Tracker changed from Bug to Support
- Status changed from New to Closed
- Assignee deleted (Eric Leblond)
- Effort deleted (high)
Please open a new ticket for a new subject.