<div dir="ltr"><div><div><br>Having debugged the heck out of suricata when getting it running on a Solaris host, I've seen that there is a window of time between invoking suricata and when it actually starts processing the packet flow. During that time it's looping a lot and building it's internal structures up to hold all of the rules. Once that's completed then the job of being an IDS begins. For me that period of startup time was up to a few minutes, depending on the size of my rule set.<br>
<br></div>It's very much within the limits of plausibility for the system to drop those 30K packets during the pre-processing of the rules and then not drop anything during the normal work phase. It's not taking packets off the stack during the rule build phase. They will just drop. If you're seeing zero drops on an ongoing basis, that's great. I got used to the fact packet drop just happens when you listen at a 10Gb feed.<br>
<br></div>Keep in mind when compiling in profiling and running stats counting, it WILL slow down the engine so packet drops will occur, it's akin to the law of physics about affecting something you are measuring. It was suggested it added a 20% overhead.<br>
<br><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Mar 25, 2014 at 3:53 AM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
That's not right at all. What kernel revision are you running? I know<br>
to get the RSS+AF_PACKET+mmap mode working well you need a fairly recent<br>
kernel.<br>
<br>
- -Coop<br>
<br>
On 3/24/2014 9:07 AM, Travel Factory S.r.l. wrote:<br>
> On Mon, 24 Mar 2014 06:10:02 -0700<br>
> "Cooper F. Nelson" <<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a>> wrote:<br>
><br>
>><br>
>> I tried restarting suricata with "buffer-size: 0" as I suggested and can<br>
>> confirm it doesn't drop packets at startup. I'll see how it performs<br>
>> under load during the day.<br>
><br>
><br>
> no changes after setting this parameter to 0: during startup<br>
> capture.kernel_drops grows over 30000 and then stops at that value.<br>
<br>
<br>
- --<br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ACT Security Team<br>
<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.17 (MingW32)<br>
Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
<br>
iQEcBAEBAgAGBQJTMGL0AAoJEKIFRYQsa8FWR3MIAJvcmF8UgYS7gPoI75djleW3<br>
CIZP2sRDI1B8n1VPzAHvL0yBKfLUvTmRYAdtEBgkmfl+R38hnc1vkvt1zO/lq7Gt<br>
umvG/XCFNpy+NtoYXp84MDHEt47LLcAWEy+4IQXObiQRsIFA9zeuosw7wB5RdnmH<br>
4waT3/nxlm07yk8HNh2d7MnoIkzc67NZpdPFVKVWfLzWH3t1UF9s8xdCtSpik9/P<br>
szQm30VcfaP3Sx5frafFH9uPZSyfIknrnxSlkTJTwU7yVdbU1ai/LvNGTBh1Hm40<br>
/Awvapr/l2K35rHmktyQrnJt8H/41wGCIY0SRxF57tJgjeOwU3argL0rtWWKvyc=<br>
=nK88<br>
-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</blockquote></div><br></div></div></div>