Support #2721

closed

ERRCODE: SC_ERR_AFP_CREATE(190) - Filter compilation failed.

Added by Duane Webber over 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

I receive the following error when running Suricata. The command to run is: 'suricata -i ${INTERFACE} -v -F /etc/suricata/capture-filter.bpf' where INTERFACE is in the logs below.

suricata    | 2/12/2018 -- 02:57:52 - <Warning> - [ERRCODE: SC_WARN_PCAP_MULTI_DEV_EXPERIMENTAL(177)] - using multiple devices to get packets is experimental.
suricata    | 2/12/2018 -- 02:57:52 - <Info> - Multiple af-packet option without interface on each is useless
suricata    | 2/12/2018 -- 02:57:52 - <Notice> - This is Suricata version 4.0.1 RELEASE
suricata    | 2/12/2018 -- 02:57:52 - <Info> - CPUs/cores online: 24
suricata    | 2/12/2018 -- 02:57:52 - <Info> - Found an MTU of 1500 for 'enp7s0f0'
suricata    | 2/12/2018 -- 02:57:52 - <Info> - Found an MTU of 1500 for 'enp7s0f0'
suricata    | 2/12/2018 -- 02:58:02 - <Info> - 53 rule files processed. 22907 rules successfully loaded, 0 rules failed
suricata    | 2/12/2018 -- 02:58:02 - <Info> - Threshold config parsed: 0 rule(s) found
suricata    | 2/12/2018 -- 02:58:03 - <Info> - 22924 signatures processed. 1197 are IP-only rules, 8572 are inspecting packet payload, 15856 inspect application layer, 105 are decoder event only
suricata    | 2/12/2018 -- 02:58:06 - <Info> - dropped the caps for main thread
suricata    | 2/12/2018 -- 02:58:06 - <Info> - eve-log output device (regular) initialized: eve.json
suricata    | 2/12/2018 -- 02:58:06 - <Info> - Going to log the md5 sum of email body
suricata    | 2/12/2018 -- 02:58:06 - <Info> - Going to log the md5 sum of email subject
suricata    | 2/12/2018 -- 02:58:06 - <Info> - Going to use 24 thread(s)
suricata    | 2/12/2018 -- 02:58:06 - <Notice> - all 24 packet processing threads, 2 management threads initialized, engine started.
suricata    | 2/12/2018 -- 02:58:06 - <Info> - Using BPF 'not (host sicherheitstacho.eu or community.sicherheitstacho.eu) and not (host archive.ubuntu.com or security.ubuntu.com) and not (host index.docker.io or docker.io)' on iface 'enp7s0f0'
suricata    | 2/12/2018 -- 02:58:11 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
suricata    | 2/12/2018 -- 02:58:11 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "not (host sicherheitstacho.eu or community.sicherheitstacho.eu) and not (host archive.ubuntu.com or security.ubuntu.com) and not (host index.docker.io or docker.io)" failed.
suricata    | 2/12/2018 -- 02:58:11 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
suricata    | 2/12/2018 -- 02:58:11 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-enp7s0f0 failed

The following is the af-packet section of /etc/suricata/suricata.yaml
# Linux high speed capture support
af-packet:
  - interface: enp7s0f1
    # Number of receive threads. "auto" uses the number of cores
    #threads: auto
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    cluster-id: 99
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible value are:
    #  * cluster_round_robin: round robin load balancing
    #  * cluster_flow: all packets of a given flow are send to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
    #  * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
    #  socket. Requires at least Linux 3.14.
    #  * cluster_random: packets are sent randomly to sockets but with an equipartition.
    #  Requires at least Linux 3.14.
    #  * cluster_rollover: kernel rotates between sockets filling each socket before moving
    #  to the next. Requires at least Linux 3.10.
    # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
    # with capture card using RSS (require cpu affinity tuning and system irq tuning)
    cluster-type: cluster_flow
    # In some fragmentation case, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is
    # full then kernel will send the packet on the next socket with room available. This option
    # can minimize packet drop and increase the treated bandwidth on single intensive flow.
    #rollover: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    #use-mmap: yes
    # Lock memory map to avoid it goes to swap. Be careful that over suscribing could lock
    # your system
    #mmap-locked: yes
    # Use experimental tpacket_v3 capture mode, only active if use-mmap is true
    #tpacket-v3: yes
    # Ring size will be computed with respect to max_pending_packets and number
    # of threads. You can set manually the ring size in number of packets by setting
    # the following value. If you are using flow cluster-type and have really network
    # intensive single-flow you could want to set the ring-size independently of the number
    # of threads:
    #ring-size: 2048
    # Block size is used by tpacket_v3 only. It should set to a value high enough to contain
    # a decent number of packets. Size is in bytes so please consider your MTU. It should be
    # a power of 2 and it must be multiple of page size (usually 4096).
    #block-size: 32768
    # tpacket_v3 block timeout: an open block is passed to userspace if it is not
    # filled after block-timeout milliseconds.
    #block-timeout: 10
    # On busy system, this could help to set it to yes to recover from a packet drop
    # phase. This will result in some packets (at max a ring flush) being non treated.
    #use-emergency-flush: yes
    # recv buffer size, increase value could improve performance
    # buffer-size: 32768
    # Set to yes to disable promiscuous mode
    # disable-promisc: no
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - kernel: use indication sent by kernel for each packet (default)
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used.
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: kernel
    # BPF filter to apply to this interface. The pcap filter syntax apply here.
    #bpf-filter: port 80 or udp
    # You can use the following variables to activate AF_PACKET tap or IPS mode.
    # If copy-mode is set to ips or tap, the traffic coming to the current
    # interface will be copied to the copy-iface interface. If 'tap' is set, the
    # copy is complete. If 'ips' is set, the packet matching a 'drop' action
    # will not be copied.
    #copy-mode: ips
    #copy-iface: eth1

  # Put default values here. These will be used for an interface that is not
  # in the list above.
  - interface: default
    #threads: auto
    #use-mmap: no
    #rollover: yes
    #tpacket-v3: yes
Actions #1

Updated by Victor Julien over 5 years ago

  • Tracker changed from Bug to Support
  • Description updated (diff)

BPF can't match domain names like this: "Set AF_PACKET bpf filter "not (host sicherheitstacho.eu or community.sicherheitstacho.eu) and not (host archive.ubuntu.com or security.ubuntu.com) and not (host index.docker.io or docker.io)" failed." Host should be followed by an ip address, not a domain name.

You could use bypass or other methods to suppress traffic and/or alerts for those hosts. See https://suricata.readthedocs.io/en/suricata-4.1.0/performance/ignoring-traffic.html

Btw, Suricata 4.0.1 is outdated. Update to 4.0.6 or ideally 4.1.

Actions #2

Updated by Eric Leblond over 5 years ago

Libpcap is resolving the host names at BPF compilation time so it should work. I've got it working on 4.1 and this part of code did not change. Are you sure that suricata can do name resolution?

Actions #3

Updated by Victor Julien over 5 years ago

Interesting, didn't know that. So this could perhaps be name resolution failure? And what happens if a name returns more than one ip?
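
Added example (not part of the ticket or of Suricata's code): a Python pre-flight check that resolves the names in a `-F` filter file before Suricata starts, so a resolver failure is reported as a named host instead of `Filter compilation failed`, and every address a name returns is written into the filter. It handles only the `host` primitive and the `host a or b` shorthand used in the filter above; `pin_hosts` and `system_resolve` are names invented for this example.

```python
import ipaddress
import re
import socket
import sys

KEYWORDS = {"and", "or", "not", "(", ")"}

def system_resolve(name):
    """Return every address the system resolver gives for name."""
    infos = socket.getaddrinfo(name, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def pin_hosts(bpf, resolve=system_resolve):
    """Rewrite 'host <name>' operands to addresses; returns (filter, unresolved)."""
    out, unresolved = [], []
    prev, host_scope = None, False
    for tok in re.findall(r"[()]|[^\s()]+", bpf):
        # 'host a or b': b inherits the qualifier (heuristic: it has a dot)
        inherits = host_scope and prev in ("or", "and", "not") and "." in tok
        if tok == "host":
            host_scope = True  # emitted again per address below
        elif prev == "host" or inherits:
            try:
                addrs = [tok] if is_ip(tok) else resolve(tok)
            except OSError:  # socket.gaierror is a subclass
                addrs = []
            if addrs:
                out.append("(" + " or ".join("host " + a for a in addrs) + ")")
            else:
                unresolved.append(tok)
                out.append("host " + tok)  # kept so the gap stays visible
        else:
            if tok not in KEYWORDS:
                host_scope = False  # another primitive, e.g. 'port 80'
            out.append(tok)
        prev = tok
    return " ".join(out), unresolved

if __name__ == "__main__":
    pinned, missing = pin_hosts(open(sys.argv[1]).read())
    print(pinned)
    sys.exit("unresolved: " + ", ".join(missing) if missing else 0)
```

Run it in the same environment as Suricata (for example inside the same container) so it uses the same resolver. The addresses are fixed at the moment the filter is built, so re-run the check when the hosts' DNS records change.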

Actions #4

Updated by Andreas Herz almost 5 years ago

  • Assignee set to Eric Leblond
  • Target version set to TBD
Actions #5

Updated by Andreas Herz almost 5 years ago

  • Target version changed from TBD to Support
Actions #6

Updated by Victor Julien almost 5 years ago

  • Status changed from New to Closed
  • Assignee deleted (Eric Leblond)
  • Target version deleted (Support)