Support #2721
Updated by Victor Julien over 5 years ago
I receive the following error when running Suricata. The command to run is: 'suricata -i ${INTERFACE} -v -F /etc/suricata/capture-filter.bpf' where INTERFACE is in the logs below. <pre> suricata | 2/12/2018 -- 02:57:52 - <Warning> - [ERRCODE: SC_WARN_PCAP_MULTI_DEV_EXPERIMENTAL(177)] - using multiple devices to get packets is experimental. suricata | 2/12/2018 -- 02:57:52 - <Info> - Multiple af-packet option without interface on each is useless suricata | 2/12/2018 -- 02:57:52 - <Notice> - This is Suricata version 4.0.1 RELEASE suricata | 2/12/2018 -- 02:57:52 - <Info> - CPUs/cores online: 24 suricata | 2/12/2018 -- 02:57:52 - <Info> - Found an MTU of 1500 for 'enp7s0f0' suricata | 2/12/2018 -- 02:57:52 - <Info> - Found an MTU of 1500 for 'enp7s0f0' suricata | 2/12/2018 -- 02:58:02 - <Info> - 53 rule files processed. 22907 rules successfully loaded, 0 rules failed suricata | 2/12/2018 -- 02:58:02 - <Info> - Threshold config parsed: 0 rule(s) found suricata | 2/12/2018 -- 02:58:03 - <Info> - 22924 signatures processed. 1197 are IP-only rules, 8572 are inspecting packet payload, 15856 inspect application layer, 105 are decoder event only suricata | 2/12/2018 -- 02:58:06 - <Info> - dropped the caps for main thread suricata | 2/12/2018 -- 02:58:06 - <Info> - eve-log output device (regular) initialized: eve.json suricata | 2/12/2018 -- 02:58:06 - <Info> - Going to log the md5 sum of email body suricata | 2/12/2018 -- 02:58:06 - <Info> - Going to log the md5 sum of email subject suricata | 2/12/2018 -- 02:58:06 - <Info> - Going to use 24 thread(s) suricata | 2/12/2018 -- 02:58:06 - <Notice> - all 24 packet processing threads, 2 management threads initialized, engine started. suricata | 2/12/2018 -- 02:58:06 - <Info> - Using BPF 'not (host sicherheitstacho.eu or community.sicherheitstacho.eu) and not (host archive.ubuntu.com or security.ubuntu.com) and not (host index.docker.io or docker.io)' on iface 'enp7s0f0' suricata | 2/12/2018 -- 02:58:11 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed. suricata | 2/12/2018 -- 02:58:11 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "not (host sicherheitstacho.eu or community.sicherheitstacho.eu) and not (host archive.ubuntu.com or security.ubuntu.com) and not (host index.docker.io or docker.io)" failed. suricata | 2/12/2018 -- 02:58:11 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error suricata | 2/12/2018 -- 02:58:11 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-enp7s0f0 failed </pre> The following is the af-packet section of /etc/suricata/suricata.yaml <pre> # Linux high speed capture support af-packet: - interface: enp7s0f1 # Number of receive threads. "auto" uses the number of cores #threads: auto # Default clusterid. AF_PACKET will load balance packets based on flow. cluster-id: 99 # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. # This is only supported for Linux kernel > 3.1 # possible value are: # * cluster_round_robin: round robin load balancing # * cluster_flow: all packets of a given flow are send to the same socket # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same # socket. Requires at least Linux 3.14. # * cluster_random: packets are sent randomly to sockets but with an equipartition. # Requires at least Linux 3.14. # * cluster_rollover: kernel rotates between sockets filling each socket before moving # to the next. Requires at least Linux 3.10. # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system # with capture card using RSS (require cpu affinity tuning and system irq tuning) cluster-type: cluster_flow # In some fragmentation case, the hash can not be computed. If "defrag" is set # to yes, the kernel will do the needed defragmentation before sending the packets. defrag: yes # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is # full then kernel will send the packet on the next socket with room available. This option # can minimize packet drop and increase the treated bandwidth on single intensive flow. #rollover: yes # To use the ring feature of AF_PACKET, set 'use-mmap' to yes #use-mmap: yes # Lock memory map to avoid it goes to swap. Be careful that over suscribing could lock # your system #mmap-locked: yes # Use experimental tpacket_v3 capture mode, only active if use-mmap is true #tpacket-v3: yes # Ring size will be computed with respect to max_pending_packets and number # of threads. You can set manually the ring size in number of packets by setting # the following value. If you are using flow cluster-type and have really network # intensive single-flow you could want to set the ring-size independently of the number # of threads: #ring-size: 2048 # Block size is used by tpacket_v3 only. It should set to a value high enough to contain # a decent number of packets. Size is in bytes so please consider your MTU. It should be # a power of 2 and it must be multiple of page size (usually 4096). #block-size: 32768 # tpacket_v3 block timeout: an open block is passed to userspace if it is not # filled after block-timeout milliseconds. #block-timeout: 10 # On busy system, this could help to set it to yes to recover from a packet drop # phase. This will result in some packets (at max a ring flush) being non treated. #use-emergency-flush: yes # recv buffer size, increase value could improve performance # buffer-size: 32768 # Set to yes to disable promiscuous mode # disable-promisc: no # Choose checksum verification mode for the interface. At the moment # of the capture, some packets may be with an invalid checksum due to # offloading to the network card of the checksum computation. # Possible values are: # - kernel: use indication sent by kernel for each packet (default) # - yes: checksum validation is forced # - no: checksum validation is disabled # - auto: suricata uses a statistical approach to detect when # checksum off-loading is used. # Warning: 'checksum-validation' must be set to yes to have any validation #checksum-checks: kernel # BPF filter to apply to this interface. The pcap filter syntax apply here. #bpf-filter: port 80 or udp # You can use the following variables to activate AF_PACKET tap or IPS mode. # If copy-mode is set to ips or tap, the traffic coming to the current # interface will be copied to the copy-iface interface. If 'tap' is set, the # copy is complete. If 'ips' is set, the packet matching a 'drop' action # will not be copied. #copy-mode: ips #copy-iface: eth1 # Put default values here. These will be used for an interface that is not # in the list above. - interface: default #threads: auto #use-mmap: no #rollover: yes #tpacket-v3: yes </pre>