Suricata

Creating ticket for the issue as promised on #suricata @ freenode.net.

Upgrading from Suricata 1.3.1 to 1.3.2 gives the following errors when running Suricata:

11/10/2012 -- 12:11:25 - <Error> - [ERRCODE: SC_ERR_PF_RING_SET_CLUSTER_FAILED(37)] - pfring_set_cluster returned -7 for cluster-id: 99
11/10/2012 -- 12:11:25 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RxPFRdna11" closed on initialization.
11/10/2012 -- 12:11:25 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...

I'm running Suricata with the following parameters:

suricata -c /etc/suricata/suricata.yaml --pfring-int dna1 --pfring-cluster-id 99 --pfring-cluster-type cluster_flow

Omitting the cluster id and cluster type didn't help. Neither did changing the cluster id to another value (e.g. 0).

PF_RING info:

cat /proc/net/pf_ring/info
PF_RING Version     : 5.4.6 ($Revision: 5735$)
Ring slots          : 65536
Slot version        : 14
Capture TX          : No [RX only]
IP Defragment       : No
Socket Mode         : Standard
Transparent mode    : No (mode 2)
Total rings         : 0
Total plugins       : 0

I have also tried using PF_RING 5.4.5 with the same result.

When using Suricata 1.3.1 it works, but only when using one PF_RING thread, so the error most likely appears when the cluster id is set.

When running Suricata with PF_RING but without DNA then everyting works, so this is probably a problem limited to PF_RING DNA.

Reverting the changes made to src/source-pfring.c (back to version 1.3.1) made Suricata 1.3.2 runnable again.

Please let me know if you need more information to debug the issue.

Thanks!

Kind regards,

Mats Klepsland