Suricata with ebpf

Hi everyone! I am working on the Suricata + eBPF topic. I followed the 19.4. eBPF and XDP — Suricata 7.0.0-rc1-dev documentation page and set up all the configuration. But when I started Suricata, the eBPF program couldn't load on the network interface and I couldn't see the maps. What am I missing? Any help would be great. Best regards.

Do you see any error messages in suricata.log?

I assume you are running Suricata v7. Would you please share the output of this?

suricata --build-info

Hi Jeremy, here is the Suricata build info:

This is Suricata version 7.0.0-rc1-dev (45eb038e6 2022-11-30)
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version Debian Clang 11.0.1, C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.42, linked against LibHTP v0.5.42

Suricata Configuration:
AF_PACKET support: yes
DPDK support: no
eBPF support: yes
XDP support: yes
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no

Unix socket enabled: yes
Detection enabled: yes

Libmagic support: yes
libjansson support: yes
hiredis support: no
hiredis async with libevent: no
PCRE jit: yes
LUA support: no
libluajit: no
GeoIP2 support: no
Non-bundled htp: no
Hyperscan support: no
Libnet support: yes
liblz4 support: yes
Landlock support: no

Rust support: yes
Rust strict mode: no
Rust compiler path: /root/.cargo/bin/rustc
Rust compiler version: rustc 1.58.1 (db9d1b20b 2022-01-20)
Cargo path: /root/.cargo/bin/cargo
Cargo version: cargo 1.58.0 (f01b232bc 2022-01-19)

Python support: yes
Python path: /usr/bin/python3
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: no, not bundled

Profiling enabled: no
Profiling locks enabled: no

Plugin support (experimental): yes

Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Fuzz targets enabled: no

Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/

--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share

Host: x86_64-pc-linux-gnu
Compiler: clang (exec name) / g++ (real)
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -fPIC -std=c11 -march=native -I${srcdir}/…/rust/gen -I${srcdir}/…/rust/dist
PCAP_CFLAGS -I/usr/include
SECCFLAGS

[4161911] 9/1/2023 -- 08:15:53 - (detect-parse.c:915) (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "any" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.any.detection-enabled
[4161911] 9/1/2023 -- 08:15:53 - (detect-engine-loader.c:192) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert any any -> any any (msg:"bypass video"; flowbits:isset,traffic/label/video; noalert; bypass; sid:1000000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 1
[4161911] 9/1/2023 -- 08:15:53 - (detect-parse.c:915) (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "any" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.any.detection-enabled
[4161911] 9/1/2023 -- 08:15:53 - (detect-engine-loader.c:192) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert any any -> any any (msg:"bypass Skype"; flowbits:isset,traffic/id/skype; noalert; bypass; sid:1000001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 2
[4161911] 9/1/2023 -- 08:15:53 - (detect-engine-loader.c:329) (SigLoadSignatures) -- No rules loaded from suricata.rules.
[4161911] 9/1/2023 -- 08:15:53 - (detect-engine-loader.c:354) (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!

The rules need a protocol after the alert keyword. See 6.1. Rules Format — Suricata 7.0.0-rc1-dev documentation for more information.

The "header" is not valid in the rules you're using:

alert any any -> any any (msg:"bypass video"; flowbits:isset,traffic/label/video; noalert; bypass; sid:1000000; rev:1;)

Add a protocol (here, I added tcp):

alert tcp any any -> any any (msg:"bypass video"; flowbits:isset,traffic/label/video; noalert; bypass; sid:1000000; rev:1;)

Thank you, build info looks good.

Please try to give the rule a protocol (ip, tcp, etc). I don’t believe it gets a chance to load with the invalid rule.

Something like this:
alert tcp any any -> any any (msg:"bypass video"; flowbits:isset,to_server,traffic/label/video; noalert; bypass; sid:1000000; rev:1;)

Thank you Jeremy. Error and warning messages have gone.


Thank you Jeff. Error and warning messages have gone.
