Suricata breaks after a little time

10/3/2021 -- 18:33:38 - <Notice> - This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
10/3/2021 -- 18:33:38 - <Info> - CPUs/cores online: 24
10/3/2021 -- 18:33:38 - <Info> - Protocol detection and parser disabled for smtp protocol.
10/3/2021 -- 18:33:38 - <Info> - Protocol detection and parser disabled for imap protocol.
10/3/2021 -- 18:33:38 - <Info> - Found an MTU of 1500 for 'eth5'
10/3/2021 -- 18:33:38 - <Info> - Found an MTU of 1500 for 'eth5'
10/3/2021 -- 18:33:38 - <Info> - Found an MTU of 1500 for 'eth4'
10/3/2021 -- 18:33:38 - <Info> - Found an MTU of 1500 for 'eth4'
10/3/2021 -- 18:33:38 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata.pid. Aborting!
10/3/2021 -- 18:33:47 - <Notice> - This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
10/3/2021 -- 18:33:47 - <Info> - CPUs/cores online: 24
10/3/2021 -- 18:33:47 - <Info> - Protocol detection and parser disabled for smtp protocol.
10/3/2021 -- 18:33:47 - <Info> - Protocol detection and parser disabled for imap protocol.
10/3/2021 -- 18:33:47 - <Info> - Found an MTU of 1500 for 'eth5'
10/3/2021 -- 18:33:47 - <Info> - Found an MTU of 1500 for 'eth5'
10/3/2021 -- 18:33:47 - <Info> - Found an MTU of 1500 for 'eth4'
10/3/2021 -- 18:33:47 - <Info> - Found an MTU of 1500 for 'eth4'
10/3/2021 -- 18:33:47 - <Warning> - [ERRCODE: SC_WARN_FLOW_EMERGENCY(160)] - emergency timeout value 10 for 'new' must be below regular value 5
10/3/2021 -- 18:33:47 - <Warning> - [ERRCODE: SC_WARN_FLOW_EMERGENCY(160)] - emergency timeout value 50 for 'bypassed' must be below regular value 30
10/3/2021 -- 18:33:47 - <Info> - fast output device (regular) initialized: fast.log
10/3/2021 -- 18:33:47 - <Info> - eve-log output device (regular) initialized: eve.json
10/3/2021 -- 18:33:47 - <Info> - stats output device (regular) initialized: stats.log
10/3/2021 -- 18:33:47 - <Info> - Running in live mode, activating unix socket
10/3/2021 -- 18:33:47 - <Warning> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "malformed_data" registered
10/3/2021 -- 18:33:47 - <Warning> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "file_overlap" registered
10/3/2021 -- 18:33:48 - <Warning> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "internal_error" registered
10/3/2021 -- 18:33:48 - <Warning> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "negotiate_malformed_dialects" registered
10/3/2021 -- 18:33:49 - <Warning> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "internal_error" registered
10/3/2021 -- 18:33:49 - <Warning> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "malformed_ntlmssp_request" registered
10/3/2021 -- 18:33:50 - <Warning> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "malformed_data" registered
10/3/2021 -- 18:33:50 - <Info> - 1 rule files processed. 13206 rules successfully loaded, 0 rules failed
10/3/2021 -- 18:33:50 - <Info> - Threshold config parsed: 0 rule(s) found
10/3/2021 -- 18:33:50 - <Info> - 13207 signatures processed. 27 are IP-only rules, 3299 are inspecting packet payload, 9627 inspect application layer, 104 are decoder event only
10/3/2021 -- 18:35:56 - <Info> - Using flow cluster mode for PF_RING (iface eth5)
10/3/2021 -- 18:35:56 - <Info> - Going to use 1 thread(s)
10/3/2021 -- 18:35:56 - <Info> - Using flow cluster mode for PF_RING (iface eth4)
10/3/2021 -- 18:35:56 - <Info> - Going to use 1 thread(s)
10/3/2021 -- 18:35:56 - <Error> - [ERRCODE: SC_ERR_PF_RING_SET_CLUSTER_FAILED(37)] - pfring_set_cluster returned -1 for cluster-id: 99
10/3/2021 -- 18:35:56 - <Info> - RunModeIdsPfringWorkers initialised
10/3/2021 -- 18:35:56 - <Info> - Running in live mode, activating unix socket
10/3/2021 -- 18:35:56 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
10/3/2021 -- 18:35:56 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#01-eth4" failed to initialize: flags 0145
10/3/2021 -- 18:35:56 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...

===============
suricata --pfring-int=eth5 --pfring-int=eth4 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml --runmode=workers -D

Suricata version: 6.0.2

My info:
[root@sh1-arch-1 examples]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)

[root@sh1-arch-1 examples]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 14:18:77:6d:ff:ee brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 14:18:77:6d:ff:ef brd ff:ff:ff:ff:ff:ff
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 14:18:77:6d:ff:f0 brd ff:ff:ff:ff:ff:ff
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 14:18:77:6d:ff:f1 brd ff:ff:ff:ff:ff:ff
8: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether fa:f7:eb:9c:81:5b brd ff:ff:ff:ff:ff:ff
9: bond4: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 9c:74:1a:77:50:13 brd ff:ff:ff:ff:ff:ff
inet 10.3.1.252/24 brd 10.3.1.255 scope global bond4
valid_lft forever preferred_lft forever
12: eth4: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond4 state UP group default qlen 1000
link/ether 9c:74:1a:77:50:13 brd ff:ff:ff:ff:ff:ff
13: eth5: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond4 state UP group default qlen 1000
link/ether 9c:74:1a:77:50:13 brd ff:ff:ff:ff:ff:ff

[root@sh1-arch-1 examples]# dmesg | grep Ethernet
[ 3.353406] tg3 0000:01:00.0 eth0: attached PHY is 5720C (10/100/1000Base-T Ethernet) (WireSpeed[1], EEE[1])
[ 3.381535] tg3 0000:01:00.1 eth1: attached PHY is 5720C (10/100/1000Base-T Ethernet) (WireSpeed[1], EEE[1])
[ 3.402510] tg3 0000:02:00.0 eth2: attached PHY is 5720C (10/100/1000Base-T Ethernet) (WireSpeed[1], EEE[1])
[ 3.422403] tg3 0000:02:00.1 eth3: attached PHY is 5720C (10/100/1000Base-T Ethernet) (WireSpeed[1], EEE[1])
[ 17.019039] Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

[root@sh1-arch-1 examples]# lsmod |grep bonding
bonding 152979 0

[root@sh1-arch-1 examples]# modinfo bonding
filename: /lib/modules/3.10.0-1127.el7.x86_64/kernel/drivers/net/bonding/bonding.ko.xz
author: Thomas Davis, tadavis@lbl.gov and many others
description: Ethernet Channel Bonding Driver, v3.7.1
version: 3.7.1

[root@sh1-arch-1 examples]# pf_ringcfg --list-interfaces
Name: bond0 Driver: bonding
Name: eth0 Driver: tg3
Name: eth1 Driver: tg3
Name: eth2 Driver: tg3
Name: eth3 Driver: tg3
Name: eth4 Driver: ixgbe [Running ZC]
Name: eth5 Driver: ixgbe [Running ZC]
Name: bond4 Driver: bonding

[root@sh1-arch-1 examples]# modinfo pf_ring
filename: /lib/modules/3.10.0-1127.el7.x86_64/kernel/net/pf_ring/pf_ring.ko
alias: net-pf-27
version: 7.9.0
description: Packet capture acceleration and analysis
author: ntop.org
license: GPL
retpoline: Y
rhelversion: 7.8
srcversion: 519C96188C7A6461934C1A1

Please help me. What's wrong with me?

I think the issue may be related to having 2 interfaces on the commandline (eth4 and eth5), but only a single cluster id is specified. This id should be unique per interface. So instead of using the commandline, I think you’ll need something like this:

pfring:
  - interface: eth4
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: eth5
    threads: auto
    cluster-id: 98
    cluster-type: cluster_flow

and then on the commandline just specify --pfring without any arguments.
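An added check for the configuration shape above (example code written for this thread, not Suricata's own): it reads a `pfring:` list laid out like the reply's snippet and reports any cluster-id that two concrete interfaces share, which is the condition the original command line produced. The two embedded samples are constructed: one mirrors the original command line (cluster-id 99 for both eth4 and eth5), the other is the layout proposed in the reply. The parser only understands this flat list-of-mappings layout; a real suricata.yaml would be loaded with a YAML library.

```python
"""Report per-interface cluster-id collisions in a Suricata pfring: section.

Added example, not part of this thread or of the Suricata project. The
parser handles only the flat '- interface: ...' list shown in the reply;
it is not a general YAML parser.
"""
import re

# Constructed sample 1: equivalent of the original command line, where a
# single cluster-id (99) was given for two interfaces.
BAD_PFRING_YAML = """\
pfring:
  - interface: eth4
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: eth5
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
"""

# Constructed sample 2: the layout proposed in the reply (unique ids).
GOOD_PFRING_YAML = """\
pfring:
  - interface: eth4
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: eth5
    threads: auto
    cluster-id: 98
    cluster-type: cluster_flow
"""

# '  - key: value' starts a new list item; '    key: value' continues it.
ITEM_RE = re.compile(r"^\s*-\s+(\w[\w-]*):\s*(\S+)\s*$")
KV_RE = re.compile(r"^\s+(\w[\w-]*):\s*(\S+)\s*$")


def parse_pfring_section(text):
    """Return the list of interface mappings found under the 'pfring:' key."""
    entries = []
    in_section = False
    for line in text.splitlines():
        if line.strip() == "pfring:":
            in_section = True
            continue
        if not in_section:
            continue
        if line and not line[0].isspace():
            break  # next top-level key ends the pfring section
        m = ITEM_RE.match(line)
        if m:
            entries.append({m.group(1): m.group(2)})
            continue
        m = KV_RE.match(line)
        if m and entries:
            entries[-1][m.group(1)] = m.group(2)
    return entries


def find_cluster_id_collisions(entries):
    """Map each cluster-id used by more than one interface to those interfaces.

    The 'default' entry in suricata.yaml is a template for unlisted
    interfaces rather than a capture interface, so it is skipped.
    """
    by_id = {}
    for entry in entries:
        iface = entry.get("interface")
        if iface is None or iface == "default":
            continue
        by_id.setdefault(entry.get("cluster-id"), []).append(iface)
    return {cid: ifaces for cid, ifaces in by_id.items() if len(ifaces) > 1}


if __name__ == "__main__":
    for label, text in (("bad", BAD_PFRING_YAML), ("good", GOOD_PFRING_YAML)):
        collisions = find_cluster_id_collisions(parse_pfring_section(text))
        print(f"{label}: collisions={collisions or 'none'}")
```

Run it as a script, or point `parse_pfring_section` at the `pfring:` block of your own suricata.yaml: an empty result means every listed interface has its own cluster-id, which is what PF_RING's cluster mode expects before the worker threads can open the rings.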

I tried it this way, but it did not work.

11/3/2021 -- 15:51:28 - <Info> - 2 rule files processed. 13214 rules successfully loaded, 0 rules failed
11/3/2021 -- 15:51:28 - <Info> - Threshold config parsed: 0 rule(s) found
11/3/2021 -- 15:51:28 - <Info> - 13215 signatures processed. 27 are IP-only rules, 3301 are inspecting packet payload, 9633 inspect application layer, 104 are decoder event only
11/3/2021 -- 15:53:32 - <Info> - Unable to find pfring config for interface -c, using default value or 1.0 configuration system.
11/3/2021 -- 15:53:32 - <Info> - Going to use 1 thread(s)
11/3/2021 -- 15:53:32 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] - Failed to open -c: pfring_open error. Check if -c exists and pf_ring module is loaded.
11/3/2021 -- 15:53:32 - <Info> - RunModeIdsPfringWorkers initialised
11/3/2021 -- 15:53:32 - <Info> - Running in live mode, activating unix socket
11/3/2021 -- 15:53:32 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
11/3/2021 -- 15:53:32 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#01--c" failed to initialize: flags 0145
11/3/2021 -- 15:53:32 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...

[root@sh1-arch-1 rules]# lsmod | grep pf_ring
pf_ring 722405 3 ixgbe

Looks like there is an error on the commandline. Can you share your commandline?

My mistake. I use
suricata --pfring -c /etc/suricata/suricata.yaml --runmode=workers -D

But my rules are not working.

Before:
{"timestamp":"2021-03-11T15:41:41.582818+0800","flow_id":720746136519545,"in_iface":"bond4","event_type":"alert","src_ip":"10.3.1.252","src_port":24192,"dest_ip":"47.94.128.44","dest_port":9099,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2019284,"rev":3,"signature":"ET ATTACK_RESPONSE Output of id command from HTTP server","category":"Potentially Bad Traffic","severity":2,"metadata":{"created_at":["2014_09_26"],"updated_at":["2014_09_26"]}},"flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":332,"bytes_toclient":209,"start":"2021-03-11T15:40:32.836473+0800"}}

Now my eve.json has many, many events like this:

{"timestamp":"2021-03-11T16:14:43.355614+0800","flow_id":900065450486635,"in_iface":"eth4","event_type":"alert","src_ip":"10.3.1.252","src_port":10050,"dest_ip":"10.1.73.26","dest_port":44436,"proto":"TCP","metadata":{"flowints":{"tcp.retransmission.count":2}},"alert":{"action":"allowed","gid":1,"signature_id":2210016,"rev":2,"signature":"SURICATA STREAM CLOSEWAIT FIN out of window","category":"Generic Protocol Command Decode","severity":3},"flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":326,"bytes_toclient":242,"start":"2021-03-11T16:14:43.355179+0800"}}
{"timestamp":"2021-03-11T16:14:44.894026+0800","flow_id":90696043516984,"in_iface":"eth4","event_type":"alert","src_ip":"10.3.1.252","src_port":10050,"dest_ip":"10.1.73.26","dest_port":44894,"proto":"TCP","metadata":{"flowints":{"tcp.retransmission.count":2}},"alert":{"action":"allowed","gid":1,"signature_id":2210016,"rev":2,"signature":"SURICATA STREAM CLOSEWAIT FIN out of window","category":"Generic Protocol Command Decode","severity":3},"flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":312,"bytes_toclient":250,"start":"2021-03-11T16:14:44.382008+0800"}}
{"timestamp":"2021-03-11T16:15:24.085892+0800","flow_id":2016537906793956,"in_iface":"eth5","event_type":"alert","src_ip":"10.3.1.252","src_port":10050,"dest_ip":"10.1.73.26","dest_port":38676,"proto":"TCP","metadata":{"flowints":{"tcp.retransmission.count":2}},"alert":{"action":"allowed","gid":1,"signature_id":2210016,"rev":2,"signature":"SURICATA STREAM CLOSEWAIT FIN outof window","category":"Generic Protocol Command Decode","severity":3},"flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":317,"bytes_toclient":242,"start":"2021-03-11T16:15:24.085476+0800"}}
{"timestamp":"2021-03-11T16:15:45.119036+0800","flow_id":826857736914890,"in_iface":"eth5","event_type":"alert","src_ip":"10.3.1.252","src_port":10050,"dest_ip":"10.1.73.26","dest_port":35764,"proto":"TCP","metadata":{"flowints":{"tcp.retransmission.count":2}},"alert":{"action":"allowed","gid":1,"signature_id":2210016,"rev":2,"signature":"SURICATA STREAM CLOSEWAIT FIN out of window","category":"Generic Protocol Command Decode","severity":3},"flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":312,"bytes_toclient":250,"start":"2021-03-11T16:15:44.608202+0800"}}
{"timestamp":"2021-03-11T16:15:55.871601+0800","flow_id":2036827334331086,"in_iface":"eth5","event_type":"alert","src_ip":"10.3.1.252","src_port":10050,"dest_ip":"10.1.73.26","dest_port":5130,"proto":"TCP","metadata":{"flowints":{"tcp.retransmission.count":2}},"alert":{"action":"allowed","gid":1,"signature_id":2210016,"rev":2,"signature":"SURICATA STREAM CLOSEWAIT FIN out of window","category":"Generic Protocol Command Decode","severity":3},"flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":377,"bytes_toclient":242,"start":"2021-03-11T16:15:55.871118+0800"}}

bond4 uses bonding mode for eth4 and eth5

suricata.log:

11/3/2021 -- 16:04:48 - <Info> - 13215 signatures processed. 27 are IP-only rules, 3301 are inspecting packet payload, 9633 inspect application layer, 104 are decoder event only
11/3/2021 -- 16:06:51 - <Notice> - This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
11/3/2021 -- 16:06:51 - <Info> - CPUs/cores online: 24
11/3/2021 -- 16:06:51 - <Info> - HTTP memcap: 5368709120
11/3/2021 -- 16:06:51 - <Info> - Protocol detection and parser disabled for smtp protocol.
11/3/2021 -- 16:06:51 - <Info> - Protocol detection and parser disabled for imap protocol.
11/3/2021 -- 16:06:52 - <Info> - Found an MTU of 1500 for 'eth4'
11/3/2021 -- 16:06:52 - <Info> - Found an MTU of 1500 for 'eth4'
11/3/2021 -- 16:06:52 - <Info> - Found an MTU of 1500 for 'eth5'
11/3/2021 -- 16:06:52 - <Info> - Found an MTU of 1500 for 'eth5'
11/3/2021 -- 16:06:52 - <Warning> - [ERRCODE: SC_WARN_FLOW_EMERGENCY(160)] - emergency timeout value 10 for 'new' must be below regular value 5
11/3/2021 -- 16:06:52 - <Warning> - [ERRCODE: SC_WARN_FLOW_EMERGENCY(160)] - emergency timeout value 50 for 'bypassed' must be below regular value 30
11/3/2021 -- 16:06:52 - <Info> - fast output device (regular) initialized: fast.log
11/3/2021 -- 16:06:52 - <Info> - eve-log output device (regular) initialized: eve.json
11/3/2021 -- 16:06:52 - <Info> - eve-log output device (regular) initialized: eve-nsm.json
11/3/2021 -- 16:06:52 - <Notice> - JsonSMBLog logger not enabled: protocol smb is disabled
11/3/2021 -- 16:06:52 - <Notice> - JsonIKEv2Log logger not enabled: protocol ikev2 is disabled
11/3/2021 -- 16:06:52 - <Notice> - JsonSNMPLog logger not enabled: protocol snmp is disabled
11/3/2021 -- 16:06:52 - <Notice> - JsonDHCPLog logger not enabled: protocol dhcp is disabled
11/3/2021 -- 16:06:52 - <Info> - stats output device (regular) initialized: stats.log
11/3/2021 -- 16:06:52 - <Info> - Running in live mode, activating unix socket
11/3/2021 -- 16:06:52 - <Warning> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "malformed_data" registered
11/3/2021 -- 16:06:52 - <Info> - Unable to find pfring config for interface -c, using default value or 1.0 configuration system.
11/3/2021 -- 16:06:52 - <Info> - Going to use 1 thread(s)
11/3/2021 -- 16:06:52 - <Warning> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "file_overlap" registered
11/3/2021 -- 16:06:52 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] - Failed to open -c: pfring_open error. Check if -c exists and pf_ring module is loaded.
11/3/2021 -- 16:06:52 - <Info> - RunModeIdsPfringWorkers initialised
11/3/2021 -- 16:06:52 - <Info> - Running in live mode, activating unix socket
11/3/2021 -- 16:06:52 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
11/3/2021 -- 16:06:52 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#01--c" failed to initialize: flags 0145
11/3/2021 -- 16:06:52 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...
11/3/2021 -- 16:06:53 - <Warning> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "internal_error" registered
11/3/2021 -- 16:06:53 - <Warning> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "negotiate_malformed_dialects" registered
11/3/2021 -- 16:06:54 - <Warning> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "internal_error" registered
11/3/2021 -- 16:06:54 - <Warning> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "malformed_ntlmssp_request" registered
11/3/2021 -- 16:06:54 - <Warning> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "malformed_data" registered
11/3/2021 -- 16:06:55 - <Info> - 2 rule files processed. 13214 rules successfully loaded, 0 rules failed
11/3/2021 -- 16:06:55 - <Info> - Threshold config parsed: 0 rule(s) found
11/3/2021 -- 16:06:55 - <Info> - 13215 signatures processed. 27 are IP-only rules, 3301 are inspecting packet payload, 9633 inspect application layer, 104 are decoder event only
11/3/2021 -- 16:09:01 - <Info> - Using flow cluster mode for PF_RING (iface eth4)
11/3/2021 -- 16:09:01 - <Info> - Going to use 24 thread(s)
11/3/2021 -- 16:09:03 - <Info> - Using flow cluster mode for PF_RING (iface eth5)
11/3/2021 -- 16:09:03 - <Info> - Going to use 24 thread(s)
11/3/2021 -- 16:09:05 - <Info> - RunModeIdsPfringWorkers initialised
11/3/2021 -- 16:09:05 - <Info> - Running in live mode, activating unix socket
11/3/2021 -- 16:09:05 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
11/3/2021 -- 16:09:05 - <Notice> - all 48 packet processing threads, 4 management threads initialized, engine started.
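An added triage helper for the eve.json output shown in this post (example code written for this thread, not Suricata's own): it separates Suricata's built-in stream-engine decoder alerts (signatures beginning "SURICATA STREAM", such as SID 2210016 above) from rule hits that describe traffic content, and counts the stream alerts per capture interface. A high share of stream-engine alerts is a capture-health signal rather than an intrusion signal; one plausible cause on this setup, stated as an assumption, is that the two legs of a flow carried by bond4 arrive on eth4 and eth5 separately and are reassembled incompletely. The embedded lines are constructed, shortened versions of the events quoted above; the 0.5 threshold is an arbitrary choice for the example.

```python
"""Triage eve.json alerts: stream-engine anomalies versus content rule hits.

Added example, not part of this thread or of Suricata. Sample lines are
constructed from the events quoted in the thread (fields trimmed).
"""
import json
from collections import Counter

# Constructed sample: four stream-engine alerts split across eth4/eth5,
# one ET rule hit from the earlier bond4 capture, one non-alert record.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-03-11T16:14:43.355614+0800","in_iface":"eth4","event_type":"alert","src_ip":"10.3.1.252","src_port":10050,"dest_ip":"10.1.73.26","dest_port":44436,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2210016,"rev":2,"signature":"SURICATA STREAM CLOSEWAIT FIN out of window","category":"Generic Protocol Command Decode","severity":3}}',
    '{"timestamp":"2021-03-11T16:14:44.894026+0800","in_iface":"eth4","event_type":"alert","src_ip":"10.3.1.252","src_port":10050,"dest_ip":"10.1.73.26","dest_port":44894,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2210016,"rev":2,"signature":"SURICATA STREAM CLOSEWAIT FIN out of window","category":"Generic Protocol Command Decode","severity":3}}',
    '{"timestamp":"2021-03-11T16:15:24.085892+0800","in_iface":"eth5","event_type":"alert","src_ip":"10.3.1.252","src_port":10050,"dest_ip":"10.1.73.26","dest_port":38676,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2210016,"rev":2,"signature":"SURICATA STREAM CLOSEWAIT FIN out of window","category":"Generic Protocol Command Decode","severity":3}}',
    '{"timestamp":"2021-03-11T16:15:45.119036+0800","in_iface":"eth5","event_type":"alert","src_ip":"10.3.1.252","src_port":10050,"dest_ip":"10.1.73.26","dest_port":35764,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2210016,"rev":2,"signature":"SURICATA STREAM CLOSEWAIT FIN out of window","category":"Generic Protocol Command Decode","severity":3}}',
    '{"timestamp":"2021-03-11T15:41:41.582818+0800","in_iface":"bond4","event_type":"alert","src_ip":"10.3.1.252","src_port":24192,"dest_ip":"47.94.128.44","dest_port":9099,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2019284,"rev":3,"signature":"ET ATTACK_RESPONSE Output of id command from HTTP server","category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2021-03-11T16:16:00.000000+0800","in_iface":"eth4","event_type":"flow","proto":"TCP"}',
    "not json at all",  # corrupt line: must be skipped, not crash the run
]


def parse_eve_alerts(lines):
    """Yield alert records only; skip blank, corrupt and non-alert lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert" and "alert" in event:
            yield event


def is_stream_engine_alert(event):
    """True for Suricata's own TCP stream-engine decoder alerts."""
    return event["alert"]["signature"].startswith("SURICATA STREAM")


def summarize_alerts(lines):
    """Count alerts per (capture interface, signature_id)."""
    counts = Counter()
    for event in parse_eve_alerts(lines):
        counts[(event.get("in_iface"), event["alert"]["signature_id"])] += 1
    return dict(counts)


def stream_engine_share(lines):
    """Fraction of all alerts that are stream-engine anomalies (0.0 if none)."""
    total = stream = 0
    for event in parse_eve_alerts(lines):
        total += 1
        if is_stream_engine_alert(event):
            stream += 1
    return stream / total if total else 0.0


def capture_health_report(lines, threshold=0.5):
    """Summarize stream-engine alerts per interface and flag a suspect capture.

    'threshold' is an arbitrary example value (assumption), not a Suricata
    setting; tune it against a known-good baseline of your own sensor.
    """
    share = stream_engine_share(lines)
    by_iface = Counter(
        event.get("in_iface")
        for event in parse_eve_alerts(lines)
        if is_stream_engine_alert(event)
    )
    return {
        "stream_engine_share": share,
        "stream_alerts_by_iface": dict(by_iface),
        "suspect_capture": share >= threshold,
    }


if __name__ == "__main__":
    print(summarize_alerts(SAMPLE_EVE_LINES))
    print(capture_health_report(SAMPLE_EVE_LINES))
```

Feed it the real file with `capture_health_report(open("eve.json"))`: if most alerts come from the stream engine and they split evenly across eth4 and eth5, the problem to chase is how packets reach the sensor, not the rule set.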