<div dir="ltr">it works<div><br></div><div>thank you very much</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, May 23, 2014 at 11:36 AM, Victor Julien <span dir="ltr"><<a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On 05/22/2014 06:58 PM, Özkan KIRIK wrote:<br>
> Hi,<br>
> stats log is attached.<br>
<br>
</div>I bet your stream.reassembly.memcap is set to 1gb, which is reached:<br>
tcp.reassembly_memuse     | Detect                    | 1073741704<br>
<br>
Then some packets are not being used for reassembly:<br>
tcp.segment_memcap_drop   | Detect                    | 1944780<br>
<br>
Leading to 'gaps' in the data:<br>
tcp.reassembly_gap        | Detect                    | 5695<br>
<br>
This would explain why we'd lose track of TLS sessions.<br>
<br>
Try increasing the memcap.<br>
<br>
Cheers,<br>
Victor<br>
<div class=""><br>
><br>
> On Thu, May 22, 2014 at 6:14 PM, Victor Julien <<a href="mailto:lists@inliniac.net">lists@inliniac.net</a>> wrote:<br>
</div><div class="">
><br>
>     On 05/22/2014 03:13 PM, Özkan KIRIK wrote:<br>
>     > I am running Suricata 2.0 release inline mode on FreeBSD.<br>
>     > There is single rule as below:<br>
>     > drop tls any any -> any any (msg:"SSL: vtunnel.com"; tls.subject:"vtunnel.com";<br>
</div><div class="">>     > sid:3230059; rev:1;)<br>
>     ><br>
>     > At start, everything is fine. I can see drop events on fast.log.<br>
>     > After a while (about 2 minutes) Suricata gives up dropping packets.<br>
>     > No packets match the rule although I tried to connect to vtunnel.com via https, but all traffic is forwarded.<br>
>     ><br>
>     > No threshold configured on yaml file.<br>
>     ><br>
>     > How can I debug this problem?<br>
><br>
>     I think it would make sense to inspect the stats.log. If stream/flow<br>
>     engines run out of resources, tracking of tls may fail while packets<br>
>     still flow.<br>
><br>
>     Can you share a record of your stats.log?<br>
><br>
>     --<br>
>     ---------------------------------------------<br>
>     Victor Julien<br>
>     <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
>     PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
>     ---------------------------------------------<br>
><br>
>     _______________________________________________<br>
>     Suricata IDS Users mailing list:<br>
>     <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
</div>
<div class="im HOEnZb">>     Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support:<br>
>     <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
>     List:<br>
>     <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>     OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
><br>
><br>
<br>
<br>
</div><div class="HOEnZb"><div class="h5">
</div></div></blockquote></div><br></div>
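The diagnosis in the thread is a pattern worth checking automatically: reassembly memuse pinned at the configured memcap, segments being dropped for lack of memory, and gaps appearing in reassembled streams, which is what makes the TLS parser lose sessions. The script below is an added example, not code from the thread or from the Suricata project. It assumes the Suricata 2.0 stats.log layout quoted above (`counter | TM name | value` rows under a dashed header), that the memcap to compare against is the `stream: reassembly: memcap:` value from suricata.yaml (given here as the string `"1gb"`), and, as a simplification, that `*_memuse` counters are global gauges repeated per thread (so the maximum is kept) while other counters are per-thread counts (so they are summed). The sample log is constructed; its three key values are the ones quoted in the reply.

```python
"""Check a Suricata stats.log dump for stream-reassembly memcap exhaustion.

Constructed example (not from the mailing-list thread or the Suricata project).
It assumes the Suricata 2.0 stats.log layout quoted in the thread:
'counter | TM name | value' rows under a dashed header.
"""
import re

# Constructed sample: the three counters quoted in the thread plus filler rows.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 5/22/2014 -- 18:55:12 (uptime: 0d, 00h 02m 33s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcap1                   | 4410223
tcp.sessions              | Detect                    | 18211
tcp.reassembly_memuse     | Detect                    | 1073741704
tcp.segment_memcap_drop   | Detect                    | 1944780
tcp.reassembly_gap        | Detect                    | 5695
flow.memuse               | FlowManagerThread         | 7094304
"""

_UNITS = {"": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def parse_memcap(text):
    """Convert a suricata.yaml memcap string such as '1gb' or '256mb' to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]b)?\s*", text.lower())
    if not m:
        raise ValueError("unrecognised memcap value: %r" % text)
    return int(m.group(1)) * _UNITS[m.group(2) or ""]


def parse_stats_log(text):
    """Return {counter_name: value} from a stats.log dump.

    Assumption: *_memuse counters are gauges that show the same global figure
    from every thread, so the maximum is kept; other counters are per-thread
    counts and are summed across threads.
    """
    stats = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # header, separator, or a non-numeric row
        name, value = parts[0], int(parts[2])
        if name.endswith("memuse"):
            stats[name] = max(stats.get(name, 0), value)
        else:
            stats[name] = stats.get(name, 0) + value
    return stats


def assess_reassembly(stats, memcap_bytes, warn_ratio=0.95):
    """Flag the three symptoms the thread ties together: memuse at the cap,
    segments dropped for lack of memory, and gaps in reassembled streams."""
    memuse = stats.get("tcp.reassembly_memuse", 0)
    drops = stats.get("tcp.segment_memcap_drop", 0)
    gaps = stats.get("tcp.reassembly_gap", 0)
    ratio = memuse / memcap_bytes if memcap_bytes else 0.0
    findings = []
    if ratio >= warn_ratio:
        findings.append("reassembly memuse at %.1f%% of memcap" % (ratio * 100))
    if drops:
        findings.append("%d segments dropped by memcap (data not reassembled)" % drops)
    if gaps:
        findings.append("%d reassembly gaps (app-layer parsing, e.g. TLS, may desync)" % gaps)
    return {
        "memuse_ratio": ratio,
        "segment_memcap_drop": drops,
        "reassembly_gap": gaps,
        "findings": findings,
        "memcap_exhausted": ratio >= warn_ratio and drops > 0,
    }


if __name__ == "__main__":
    # Compare the dump against the memcap the thread guessed at ("1gb").
    report = assess_reassembly(parse_stats_log(SAMPLE_STATS_LOG), parse_memcap("1gb"))
    for finding in report["findings"]:
        print("WARNING:", finding)
```

Run against a real stats.log, feed `parse_memcap()` the memcap string from your own suricata.yaml; the `memcap_exhausted` flag only trips when memuse is near the cap and segments are actually being dropped, so a merely busy sensor does not raise it. A non-zero `tcp.reassembly_gap` on its own can also come from packet loss upstream of the sensor, which is why the script reports it as a separate finding rather than folding it into the memcap verdict.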