I’ve updated to 6.0.5 and removed the autofp runmode setting just to verify it was still an issue, and it is. It’s a stock yaml config with the exception of disabling the eve log and changing the 8-second stats.log timer to 5 minutes.

root@nexus:/# uci show suricata
suricata.service=suricata
suricata.service.config_file='/etc/suricata/suricata.yaml'
suricata.service.logdir='/var/log/suricata'
suricata.service.pidfile='/var/log/suricata.pid'
suricata.service.rules_file='/var/lib/suricata/rules/suricata.rules'
suricata.service.queue='2' '9'
suricata.service.run_mode='autofp'
suricata.service.interface='br-lan'
suricata.service.verbose='0'
suricata.service.scan_mode='af-packet'
root@nexus:/#

root@nexus:~# ifconfig
br-lan Link encap:Ethernet HWaddr 2C:26:5F:00:00:00
          inet addr:192.168.1.205 Bcast:192.168.1.255 Mask:255.255.255.0
          inet6 addr: fe80::2e26:5fff:fe80:143c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:8010552 errors:0 dropped:728 overruns:0 frame:0
          TX packets:5838 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8868617339 (8.2 GiB) TX bytes:627757 (613.0 KiB)

eth0 Link encap:Ethernet HWaddr 2C:26:5F:00:00:00
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:6362253 errors:0 dropped:358 overruns:0 frame:0
          TX packets:1753343 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8071647377 (7.5 GiB) TX bytes:1056295788 (1007.3 MiB)

eth1 Link encap:Ethernet HWaddr 2C:26:5F:00:00:00
          UP BROADCAST MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth2 Link encap:Ethernet HWaddr 2C:26:5F:00:00:00
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:1750462 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6357964 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1063032192 (1013.7 MiB) TX bytes:8042151543 (7.4 GiB)

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:65536 Metric:1
          RX packets:1983 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1983 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:150670 (147.1 KiB) TX bytes:150670 (147.1 KiB)

If you need something specific, let me know how to get it and I’m more than happy to post it.

5/6/2022 -- 23:13:47 - <Notice> - This is Suricata version 6.0.5 RELEASE running in SYSTEM mode
5/6/2022 -- 23:13:47 - <Info> - CPUs/cores online: 2
5/6/2022 -- 23:13:47 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
5/6/2022 -- 23:13:47 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
5/6/2022 -- 23:13:47 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
5/6/2022 -- 23:13:47 - <Info> - Found an MTU of 1500 for 'br-lan'
5/6/2022 -- 23:13:47 - <Info> - Found an MTU of 1500 for 'br-lan'
5/6/2022 -- 23:13:47 - <Info> - Found an MTU of 1500 for 'eth0'
5/6/2022 -- 23:13:47 - <Info> - Found an MTU of 1500 for 'eth0'
5/6/2022 -- 23:13:47 - <Notice> - Using host.memcap = 32mb
5/6/2022 -- 23:13:47 - <Notice> - Setting host_config.memcap to 33554432
5/6/2022 -- 23:13:47 - <Notice> - host_config.memcap is now 33554432
5/6/2022 -- 23:13:47 - <Notice> - Using host.hash-size = 4096
5/6/2022 -- 23:13:47 - <Notice> - Using host.prealloc = 1000
5/6/2022 -- 23:13:47 - <Notice> - Host config from suricata.yaml: memcap: 33554432, hash-size: 4096, prealloc: 1000
5/6/2022 -- 23:13:47 - <Info> - fast output device (regular) initialized: fast.log
5/6/2022 -- 23:13:47 - <Info> - stats output device (regular) initialized: stats.log
5/6/2022 -- 23:13:47 - <Info> - Running in live mode, activating unix socket
5/6/2022 -- 23:13:47 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/suricata.rules
5/6/2022 -- 23:13:56 - <Info> - 2 rule files processed. 26283 rules successfully loaded, 0 rules failed
5/6/2022 -- 23:13:56 - <Info> - Threshold config parsed: 0 rule(s) found
5/6/2022 -- 23:14:00 - <Info> - 26286 signatures processed. 1278 are IP-only rules, 4155 are inspecting packet payload, 20650 inspect application layer, 108 are decoder event only
5/6/2022 -- 23:16:13 - <Info> - Using 2 live device(s).
5/6/2022 -- 23:16:13 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'eth0': Not supported (122)
5/6/2022 -- 23:16:13 - <Info> - Running in live mode, activating unix socket
5/6/2022 -- 23:16:13 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
5/6/2022 -- 23:16:13 - <Notice> - all 6 packet processing threads, 4 management threads initialized, engine started.
5/6/2022 -- 23:16:13 - <Info> - All AFP capture threads are running.
suricata.yaml (71.5 KB)