Suricata breaks with more cores


Brandon

Aug 24, 2016, 7:34:59 AM
to SELKS
I'm running SELKS via VirtualBox and I've found Suricata breaks if I run more than one CPU in the virtual machine. I can adjust network adapters, memory, etc without issue. It's only the CPU core count causing issue. Everything else still works as planned. Has anyone encountered a similar issue? 

Peter Manev

Aug 24, 2016, 8:48:35 AM
to Brandon, SELKS
I have not.
I have VMs with 1-8 cores and have not had that issue -but before
that - how do you mean breaks?

--
Regards,
Peter Manev

Brandon

Aug 24, 2016, 8:54:24 AM
to SELKS
Goes in the red on the Scirius dashboard and I get no alerts from test traffic. Although it seems to work fine with multiple cores on VMware.

Peter Manev

Aug 24, 2016, 9:10:52 AM
to Brandon, SELKS
On Wed, Aug 24, 2016 at 1:54 PM, Brandon <bok...@wgu.edu> wrote:
> Goes in the red on the Scirius dashboard and I get no alerts from test traffic. Although it seems to work fine with multiple cores on

I think something else might be at work maybe - since I just tried it
on 1/2/4 cores and had no issues.
When it is red - what is the output of
systemctl status suricata
?

> VMware.

Brandon

Aug 24, 2016, 9:23:05 AM
to SELKS, bok...@wgu.edu
I've tried tweaking every other VBox setting, but for some reason it's just the CPU count that has any effect. Anywho, here's the systemctl printout:

Loaded (/etc/init.d/suricata)
Active: active (exited) since Wed 2016 08 24 09:18:42 EDT; 1min 28s ago
Process: 589 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)

Peter Manev

Aug 24, 2016, 9:31:37 AM
to Brandon, SELKS
On Wed, Aug 24, 2016 at 2:23 PM, Brandon <bok...@wgu.edu> wrote:
> I've tried tweaking every other VBox setting, but for some reason it's just
> the CPU count that has any effect. Anywho, here's the systemctl printout:
>
> Loaded (/etc/init.d/suricata)
> Active: active (exited) since Wed 2016 08 24 09:18:42 EDT; 1min 28s ago
> Process: 589 ExecStart=/etc/init.d/suricata start (code=exited,
> status=0/SUCCESS)
>

Ok.

Can you try starting Suricata manually like so:
/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -vvv --user=logstash

and see if any err is present ?

Brandon

Aug 24, 2016, 5:22:30 PM
to SELKS, bok...@wgu.edu
Suricata starts up fine with the commands you recommended. But it's off again upon reboot.

Peter Manev

Aug 25, 2016, 3:37:48 AM
to Brandon, SELKS
On Wed, Aug 24, 2016 at 10:22 PM, Brandon <bok...@wgu.edu> wrote:
> Suricata starts up fine with the commands you recommended. But it's off
> again upon reboot.

When that happens - you should have some more info in -
/var/log/suricata/suricata.log or the start log in there as well.

Brandon

Aug 25, 2016, 4:15:22 AM
to SELKS, bok...@wgu.edu
This is the log from a fresh install w/ 3 CPU cores:

[883] 25/8/2016 -- 04:12:16 - (suricata.c:1086) <Notice> (SCPrintVersion) -- This is Suricata version 3.1dev (rev ec60208)
[883] 25/8/2016 -- 04:12:16 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 3
[883] 25/8/2016 -- 04:12:16 - (app-layer-htp-mem.c:59) <Info> (HTPParseMemcap) -- HTTP memcap: 268435456
[883] 25/8/2016 -- 04:12:16 - (util-ioctl.c:103) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'eth0'
[886] 25/8/2016 -- 04:12:20 - (detect.c:495) <Info> (SigLoadSignatures) -- 1 rule files processed. 20352 rules successfully loaded, 0 rules failed
[886] 25/8/2016 -- 04:12:20 - (detect.c:3611) <Info> (SigAddressPrepareStage1) -- 20360 signatures processed. 1178 are IP-only rules, 6031 are inspecting packet payload, 15412 inspect application layer, 76 are decoder event only
[886] 25/8/2016 -- 04:12:22 - (util-threshold-config.c:1188) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[886] 25/8/2016 -- 04:12:22 - (util-privs.c:103) <Info> (SCDropMainThreadCaps) -- dropped the caps for main thread
[886] 25/8/2016 -- 04:12:22 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[886] 25/8/2016 -- 04:12:22 - (output-json-email-common.c:455) <Info> (OutputEmailInitConf) -- Going to log the md5 sum of email body
[886] 25/8/2016 -- 04:12:22 - (output-json-email-common.c:459) <Info> (OutputEmailInitConf) -- Going to log the md5 sum of email subject
[886] 25/8/2016 -- 04:12:22 - (util-logopenfile.c:298) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[886] 25/8/2016 -- 04:12:22 - (util-ioctl.c:341) <Warning> (GetIfaceOffloadingLinux) -- [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - NIC offloading on eth0: SG: SET,  GRO: SET, LRO: unset, TSO: SET, GSO: SET. Run: ethtool -K eth0 sg off gro $
[886] 25/8/2016 -- 04:12:22 - (runmode-af-packet.c:458) <Warning> (ParseAFPConfig) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Using AF_PACKET with offloading activated leads to capture problems
[886] 25/8/2016 -- 04:12:22 - (util-runmodes.c:288) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 3 thread(s)
[886] 25/8/2016 -- 04:12:22 - (tm-threads.c:2168) <Notice> (TmThreadWaitOnThreadInit) -- all 3 packet processing threads, 4 management threads initialized, engine started.
[901] 25/8/2016 -- 04:12:22 - (source-af-packet.c:1930) <Error> (AFPCreateSocket) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't set fanout mode, error Invalid argument
[901] 25/8/2016 -- 04:12:22 - (source-af-packet.c:1337) <Error> (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
[886] 25/8/2016 -- 04:12:22 - (suricata.c:2664) <Notice> (main) -- Signal Received.  Stopping engine.
[903] 25/8/2016 -- 04:12:22 - (source-af-packet.c:1930) <Error> (AFPCreateSocket) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't set fanout mode, error Invalid argument
[902] 25/8/2016 -- 04:12:22 - (source-af-packet.c:1930) <Error> (AFPCreateSocket) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't set fanout mode, error Invalid argument
[902] 25/8/2016 -- 04:12:22 - (source-af-packet.c:1337) <Error> (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
[903] 25/8/2016 -- 04:12:22 - (source-af-packet.c:1337) <Error> (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
[886] 25/8/2016 -- 04:12:22 - (suricata.c:1108) <Info> (SCPrintElapsedTime) -- time elapsed 0.145s
[886] 25/8/2016 -- 04:12:22 - (detect.c:3915) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete
[886] 25/8/2016 -- 04:12:22 - (util-device.c:265) <Notice> (LiveDeviceListClean) -- Stats for 'eth0':  pkts: 0, drop: 0 (-nan%), invalid chksum: 0

Brandon

Aug 25, 2016, 4:20:44 AM
to SELKS, bok...@wgu.edu
Since it was a fresh install I hadn't disabled NIC offloading yet. When I disabled NIC offloading (and made the corrections in /etc/network/interfaces) Suricata worked again upon reboot.
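A small triage script, added here as an example and not part of the thread or of SELKS, that reads a suricata.log like the one posted above and reports which offload features the SC_ERR_NIC_OFFLOADING warning still lists as SET (rebuilding the ethtool command the warning itself asks for) alongside the number of capture threads versus fanout failures. The sample lines are constructed from that log; eth0 and the feature names come from the warning text, so nothing about a specific host is assumed.

```shell
# Added triage helper (not from the thread or SELKS): read a suricata.log and
# report the two symptoms shown above, NIC offloading still enabled and
# AF_PACKET fanout failing once several capture threads are started.
# Constructed sample lines, modelled on the log posted in the thread.
sample_log() {
    printf '%s\n' \
      "[886] 25/8/2016 -- 04:12:22 - (util-ioctl.c:341) <Warning> (GetIfaceOffloadingLinux) -- [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - NIC offloading on eth0: SG: SET,  GRO: SET, LRO: unset, TSO: SET, GSO: SET. Run: ethtool -K eth0 sg off gro off" \
      "[886] 25/8/2016 -- 04:12:22 - (util-runmodes.c:288) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 3 thread(s)" \
      "[901] 25/8/2016 -- 04:12:22 - (source-af-packet.c:1930) <Error> (AFPCreateSocket) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't set fanout mode, error Invalid argument" \
      "[902] 25/8/2016 -- 04:12:22 - (source-af-packet.c:1930) <Error> (AFPCreateSocket) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't set fanout mode, error Invalid argument"
}

# Interface named in the SC_ERR_NIC_OFFLOADING warning (e.g. eth0).
offload_iface() {
    sed -n 's/.*NIC offloading on \([^:]*\):.*/\1/p' | head -n 1
}

# Offload features the warning reports as SET, lowercased and space-separated
# (e.g. "sg gro tso gso"); entries marked unset are skipped.
offloads_enabled() {
    sed -n 's/.*NIC offloading on [^:]*: \(.*\)\. Run:.*/\1/p' | head -n 1 \
      | tr ',' '\n' | sed -n 's/^ *\([A-Z]*\): SET$/\1/p' \
      | tr 'A-Z' 'a-z' | tr '\n' ' ' | sed 's/ $//'
}

# Rebuild the ethtool command the warning itself asks for.
ethtool_fix_cmd() {
    log=$(cat)
    iface=$(printf '%s\n' "$log" | offload_iface)
    [ -n "$iface" ] || return 0
    cmd="ethtool -K $iface"
    for f in $(printf '%s\n' "$log" | offloads_enabled); do
        cmd="$cmd $f off"
    done
    printf '%s\n' "$cmd"
}

# Print "<capture threads> <fanout errors>". A single thread never needs
# fanout, which is why the failure only shows up with more cores.
fanout_failures() {
    log=$(cat)
    threads=$(printf '%s\n' "$log" | sed -n 's/.*Going to use \([0-9]*\) thread(s).*/\1/p')
    errors=$(printf '%s\n' "$log" | grep -c "Couldn't set fanout mode" || true)
    printf '%s %s\n' "${threads:-?}" "$errors"
}

# Stand-alone run: triage the file given as $1, else the constructed sample.
if [ -n "${1:-}" ]; then log=$(cat "$1"); else log=$(sample_log); fi
printf 'offload fix: %s\nthreads/fanout errors: %s\n' \
  "$(printf '%s\n' "$log" | ethtool_fix_cmd)" "$(printf '%s\n' "$log" | fanout_failures)"
```

Run it as `sh triage.sh /var/log/suricata/suricata.log` against a real log; a non-zero fanout count next to a thread count above one is the signature seen in this thread.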

Peter Manev

Aug 25, 2016, 4:42:40 AM
to Brandon, SELKS
On Thu, Aug 25, 2016 at 9:20 AM, Brandon <bok...@wgu.edu> wrote:
> Since it was a fresh install I hadn't disabled NIC offloading yet. When I

Strange - NIC offloading should be disabled by default in SELKS

> disabled NIC offloading (and made the corrections in
> /etc/network/interfaces) Suricata worked again upon reboot.

What changes were those?
Glad it works now.

Thanks

Brandon

Aug 25, 2016, 4:59:27 AM
to SELKS
Just the ones under tuning SELKS where it mentions NIC offloading. Is there any reliable way to test the ID's and make sure it's triggering properly?

Brandon

Aug 25, 2016, 5:12:18 AM
to SELKS
IDS*

Peter Manev

Aug 25, 2016, 6:23:00 AM
to Brandon, SELKS
From the cmd -
http://www.testmyids.com

Then you should get - GPL ATTACK_RESPONSE id check returned root -
sig alert (sid:2100498) in Scirius/Kibana

Thanks