I am running an implementation of Suricata with DPDK support, and Suricata is not generating alerts. I am testing by using Spirent to send streams of ICMP Echo Requests. My analysis of the code shows that it is indeed recognizing the packets coming in, as they are being processed in the decode methods, reaching the decode-ipv4.c file. But Suricata is not writing to the fast.log and not generating alerts with regards to my rules. Anyone have any advice?
This is the rule I was using:
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
Hi @rbalaji3, as you may know Suricata has no DPDK support built-in. Did you write an implementation yourself and are you looking for development support? Or do you have an implementation from another place that doesn’t work correctly?
Either way, it would be helpful for us to be able to see that code to be able to help figure out what is happening.
Thanks for the help, I understand you can't help there. If possible, would you be able to help me debug? I am trying to use gdb following this link (https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Debugging), but whenever I try and load the executable, I keep getting: "/root/Suricata-Work/suricata-3.1/./src/suricata": not in executable format: File format not recognized. Is there any workaround for this to debug? Using the file command, we see that ./src/suricata is a Bourne-Again shell script, ASCII text executable. Thanks again
you can change

```c
p->flags |= ptv->checksumMode;
```

to

```c
switch (ptv->checksum_mode) {
    case CHECKSUM_VALIDATION_RXONLY:
        if (h->extended_hdr.rx_direction == 0) {
            p->flags |= PKT_IGNORE_CHECKSUM;
        }
        break;
    case CHECKSUM_VALIDATION_DISABLE:
        p->flags |= PKT_IGNORE_CHECKSUM;
        break;
    default:
        break;
}
```

, then you can get alerts by suricata-dpdk.
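The fix above boils down to one point: a capture source must translate its configured checksum mode into the per-packet "ignore checksum" flag, because a packet whose checksum fails validation is not inspected against rules, so an ICMP echo request with a bad (or not-yet-offloaded) checksum produces no alert. The following is an added, stand-alone illustration of that decision, not code from Suricata or from the poster's DPDK patch. It computes the RFC 1071 checksum over a constructed ICMP echo request, applies a mode-to-flag mapping with the same three cases as the snippet above (the mode names, the `PKT_IGNORE_CHECKSUM` bit value and the `rx_direction == 0` condition are modelled on the post and are assumptions here), and reports whether a rule equivalent to `alert icmp any any -> $HOME_NET any` would get to fire.

```python
import struct

# Mode names follow the post; their values here are arbitrary (assumption).
CHECKSUM_VALIDATION_ENABLE = "enable"
CHECKSUM_VALIDATION_DISABLE = "disable"
CHECKSUM_VALIDATION_RXONLY = "rxonly"

# Hypothetical flag bit standing in for Suricata's PKT_IGNORE_CHECKSUM.
PKT_IGNORE_CHECKSUM = 0x1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, ident: int = 1, seq: int = 1,
                    valid_checksum: bool = True) -> bytes:
    """Constructed ICMP Echo Request (type 8, code 0). With valid_checksum=False
    the checksum field is left at zero, as an offload-less NIC path would."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload) if valid_checksum else 0
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def icmp_checksum_ok(pkt: bytes) -> bool:
    """A correctly checksummed datagram sums to zero when the field is included."""
    return inet_checksum(pkt) == 0


def packet_flags(mode: str, rx_direction: int) -> int:
    """Same three cases as the switch in the post: DISABLE always ignores,
    RXONLY ignores when rx_direction == 0, any other mode validates."""
    flags = 0
    if mode == CHECKSUM_VALIDATION_DISABLE:
        flags |= PKT_IGNORE_CHECKSUM
    elif mode == CHECKSUM_VALIDATION_RXONLY and rx_direction == 0:
        flags |= PKT_IGNORE_CHECKSUM
    return flags


def would_alert(pkt: bytes, mode: str, rx_direction: int = 1) -> bool:
    """Models 'alert icmp any any -> $HOME_NET any' for an echo request:
    the rule can only match if the packet is not discarded for a bad checksum."""
    flags = packet_flags(mode, rx_direction)
    if not (flags & PKT_IGNORE_CHECKSUM) and not icmp_checksum_ok(pkt):
        return False                        # dropped before detection
    return pkt[0] == 8                      # ICMP Echo Request


if __name__ == "__main__":
    good = build_icmp_echo(b"abcdefgh")
    bad = build_icmp_echo(b"abcdefgh", valid_checksum=False)
    for name, pkt in (("valid", good), ("zero-checksum", bad)):
        for mode in (CHECKSUM_VALIDATION_ENABLE, CHECKSUM_VALIDATION_RXONLY,
                     CHECKSUM_VALIDATION_DISABLE):
            print(f"{name:14s} mode={mode:8s} alert={would_alert(pkt, mode, 0)}")
```

Run it and compare the zero-checksum rows: with validation enabled the packet never reaches the rule, which is exactly the silent "no fast.log entry" symptom described in the question, while DISABLE (or RXONLY on the ignored direction) lets the same packet through to detection.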