Suricata with af_packet crash after start with different user

I apologize if this topic has been incorrectly categorized.
I am implementing suricata by setting the interface with AF_Packet and mmap as in the configuration below:


  - interface: ens2f1
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    use-mmap: yes
    mmap-locked: yes
    tpacket-v3: yes
    ring-size: 100000

And the string to start suricata is:

/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata/ -i ens2f1 --user suricata --group suricata

Launching suricata as the root user I have no problem and suricata starts without issues. Trying to launch suricata with the suricata user and suricata group instead, it can't start, and gives the following error (I exclude the initial part of the log):

[86856] 10/11/2020 – 09:42:31 - (tm-threads.c:1965) (TmThreadWaitOnThreadInit) – all 32 packet processing threads, 4 management threads initialized, engine started.
[86889] 10/11/2020 – 09:42:31 - (source-af-packet.c:1926) (AFPSetupRing) – [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Unable to mmap, error Resource temporarily unavailable
[86889] 10/11/2020 – 09:42:31 - (source-af-packet.c:1489) (ReceiveAFPLoop) – [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn’t init AF_PACKET socket, fatal error
[86856] 10/11/2020 – 09:42:31 - (tm-threads.c:1884) (TmThreadCheckThreadState) – [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-ens2f1 failed

I tested suricata both in version 5.0.1 (from the epel repositories) and compiled from the latest 6.0.1 (devel); the problem persists either way.

It makes me think that the problem is not suricata itself but the permissions of the suricata user, but I would like to understand what the missing permissions are.

Hi Matteo!

Welcome to the forums and suricata community!

If I recall correctly, I ran into this before and I think the issue was configuring suricata with mmap-locked: yes as a non-root user. Try setting that to mmap-locked: no and see if that resolves your issue.
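An added example, not from either post above, that reproduces the "Resource temporarily unavailable" (EAGAIN) in isolation. My reading of AFPSetupRing in source-af-packet.c is that mmap-locked: yes adds MAP_LOCKED to the ring mmap; mmap(2) documents EAGAIN when a MAP_LOCKED mapping would push the process past RLIMIT_MEMLOCK, a check the kernel skips only for a process holding CAP_IPC_LOCK. The program below lowers its own soft memlock limit to a service-account-sized 64 KiB (constructed value), then maps 4 MiB with and without MAP_LOCKED so you can see which one fails; it reads CapEff from /proc/self/status to tell you whether the running identity would be exempt. Nothing here touches AF_PACKET, so it runs unprivileged.

```c
/* Added example (not Suricata code): show mmap(MAP_LOCKED) returning EAGAIN
 * once RLIMIT_MEMLOCK is exceeded by a process without CAP_IPC_LOCK, the
 * same errno Suricata reports as "Unable to mmap, error Resource temporarily
 * unavailable" when mmap-locked: yes meets a small memlock limit.
 * Build: cc -Wall -o memlock_demo memlock_demo.c && ./memlock_demo */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Is CAP_IPC_LOCK (capability bit 14) in the effective set? Parsed from
 * /proc/self/status; returns 0 when /proc is not readable. Being uid 0 is
 * not the test: the kernel checks this capability, not the uid. */
int have_cap_ipc_lock(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    char line[256];
    unsigned long long capeff = 0;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "CapEff: %llx", &capeff) == 1)
            break;
    }
    fclose(f);
    return (int)((capeff >> 14) & 1ULL);
}

/* Lower the soft RLIMIT_MEMLOCK to `bytes` (capped at the hard limit),
 * mimicking the small default a dedicated service user usually has.
 * Returns 0 or errno. */
int lower_memlock_limit(rlim_t bytes)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0)
        return errno;
    if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < bytes)
        bytes = rl.rlim_max;
    rl.rlim_cur = bytes;
    return setrlimit(RLIMIT_MEMLOCK, &rl) == 0 ? 0 : errno;
}

/* Map `len` anonymous bytes, optionally with MAP_LOCKED (what mmap-locked:
 * yes adds to the ring mapping). Returns 0 on success or mmap()'s errno. */
int try_mapping(size_t len, int locked)
{
    int flags = MAP_PRIVATE | MAP_ANONYMOUS | (locked ? MAP_LOCKED : 0);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, flags, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, len);
    return 0;
}

int main(void)
{
    const size_t ring = 4u << 20; /* 4 MiB stand-in for a packet ring */
    int rc = lower_memlock_limit(64 * 1024); /* constructed 64 KiB limit */
    if (rc)
        fprintf(stderr, "setrlimit(RLIMIT_MEMLOCK): %s\n", strerror(rc));

    printf("CAP_IPC_LOCK in effective set: %s\n",
           have_cap_ipc_lock() ? "yes (memlock limit bypassed)" : "no");

    rc = try_mapping(ring, 0);
    printf("mmap %zu bytes without MAP_LOCKED: %s\n", ring,
           rc ? strerror(rc) : "ok");

    rc = try_mapping(ring, 1);
    printf("mmap %zu bytes with MAP_LOCKED:    %s\n", ring,
           rc ? strerror(rc) : "ok");
    return 0;
}
```

Run it as the same account you pass to --user: if the locked mapping prints "Resource temporarily unavailable", that account is hitting RLIMIT_MEMLOCK. Setting mmap-locked: no avoids the lock entirely; if you want the ring pinned, the other route is raising the memlock limit (ulimit -l, or LimitMEMLOCK= in the systemd unit) for the suricata user to cover the ring, which at ring-size 100000 is many megabytes rather than the 64 KiB or 8 MiB many distributions hand an unprivileged user.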