Hi!
I apologize if this topic has been incorrectly categorized.
I am implementing Suricata by setting the interface with AF_PACKET and mmap as in the configuration below:

af-packet:
  - interface: ens2f1
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    use-mmap: yes
    mmap-locked: yes
    tpacket-v3: yes
    ring-size: 100000
And the command line used to start Suricata is:

    /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata/suricata.pid -i ens2f1 --user suricata --group suricata
Launching Suricata as the root user I have no problem and Suricata starts without problems. Trying to launch Suricata with the suricata user and suricata group instead, it can't start, with the following error (I exclude the initial part of the log):

    [86856] 10/11/2020 -- 09:42:31 - (tm-threads.c:1965) (TmThreadWaitOnThreadInit) -- all 32 packet processing threads, 4 management threads initialized, engine started.
    [86889] 10/11/2020 -- 09:42:31 - (source-af-packet.c:1926) (AFPSetupRing) -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Unable to mmap, error Resource temporarily unavailable
    [86889] 10/11/2020 -- 09:42:31 - (source-af-packet.c:1489) (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
    [86856] 10/11/2020 -- 09:42:31 - (tm-threads.c:1884) (TmThreadCheckThreadState) -- [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-ens2f1 failed
I tested Suricata both in version 5.0.1 (from the EPEL repositories) and compiled from the latest 6.0.1 (devel); the problem persists anyway.
It makes me think that the problem is not Suricata itself but the permissions for the suricata user, but I would like to understand what the missing permissions are.
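A check worth running before chasing capabilities or socket permissions: "Resource temporarily unavailable" is the text of EAGAIN, and mmap(2) documents EAGAIN as the error returned when a MAP_LOCKED mapping would push the process over its RLIMIT_MEMLOCK locked-memory limit. Root (CAP_IPC_LOCK) is exempt from that limit, which matches the symptom of root working and a plain user failing. The program below is an added example, not code from the post or from the Suricata project; it assumes that Suricata's `mmap-locked: yes` adds MAP_LOCKED to the ring mmap (an assumption about the Suricata source, which the post does not show). It reads the current locked-memory limit from inside the process, attempts a locked anonymous mapping of a ring-sized region, and also reproduces the unprivileged failure in one process by lowering its own soft limit, so the limit can be ruled in or out as the cause.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Try to create an anonymous mapping of `bytes` with MAP_LOCKED, the flag
 * Suricata is assumed to add to the AF_PACKET ring mmap when mmap-locked is
 * enabled (assumption; the post does not show the Suricata source).
 * Returns 0 on success, otherwise the errno that mmap() reported. */
int probe_locked_mmap(size_t bytes)
{
    void *ring = mmap(NULL, bytes, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS | MAP_LOCKED, -1, 0);
    if (ring == MAP_FAILED)
        return errno;
    munmap(ring, bytes);
    return 0;
}

/* Reproduce the unprivileged case inside one process: temporarily lower our
 * own RLIMIT_MEMLOCK soft limit to `limit_bytes` (lowering is always allowed),
 * attempt a locked mapping of `bytes`, then restore the original limit.
 * Returns the errno from the attempt (0 on success). A process that holds
 * CAP_IPC_LOCK (e.g. root) is not bound by the limit and gets 0 here; a
 * hard limit of 0 makes MAP_LOCKED fail with EPERM instead of EAGAIN. */
int probe_under_limit(size_t limit_bytes, size_t bytes)
{
    struct rlimit orig, lowered;
    if (getrlimit(RLIMIT_MEMLOCK, &orig) != 0)
        return errno;
    lowered = orig;
    if (lowered.rlim_max < limit_bytes)
        limit_bytes = lowered.rlim_max;   /* the soft limit may not exceed the hard limit */
    lowered.rlim_cur = limit_bytes;
    if (setrlimit(RLIMIT_MEMLOCK, &lowered) != 0)
        return errno;
    int err = probe_locked_mmap(bytes);
    setrlimit(RLIMIT_MEMLOCK, &orig);     /* restoring is allowed: orig.rlim_cur <= hard limit */
    return err;
}

/* Like `ulimit -l`, but measured from inside the process that will call
 * mmap(), and followed by a real MAP_LOCKED attempt of a ring-sized region. */
int main(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) == 0)
        printf("RLIMIT_MEMLOCK soft=%llu hard=%llu bytes (euid %u)\n",
               (unsigned long long)rl.rlim_cur, (unsigned long long)rl.rlim_max,
               (unsigned)geteuid());

    size_t ring = 16u * 1024 * 1024;  /* constructed size: 16 MiB, well above a 64 KiB default limit */
    int err = probe_locked_mmap(ring);
    printf("MAP_LOCKED mmap of %zu bytes: %s\n", ring, err ? strerror(err) : "ok");
    if (err == EAGAIN)
        printf("-> same condition as the Suricata log; raise the user's locked-memory limit "
               "(limits.conf or LimitMEMLOCK= in the systemd unit) or drop mmap-locked\n");
    return err ? 1 : 0;
}
```

Run it as the same user and in the same service context Suricata starts under (the limit is per process and inherited from whatever launches it, so an interactive shell and a systemd unit can differ): `strerror(EAGAIN)` printing exactly "Resource temporarily unavailable" alongside a small soft limit points at RLIMIT_MEMLOCK rather than at socket or interface permissions, which would surface earlier as EPERM or EACCES on the AF_PACKET socket rather than at the mmap.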