<div dir="ltr">Here is some more info:<br><br>- http-log:
<p style="margin:0px;font-size:11px;font-family:Menlo">      enabled: yes</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">      filename: http.log</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">      append: yes</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">      #extended: yes     # enable this for extended logging information</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">      custom: yes       # enabled the custom logging format (defined by customformat)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">      customformat: "%a [**]  %{User-agent}i"</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'</p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br>
</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">detect-engine:</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  - profile: custom</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  - custom-values:</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">      toclient-src-groups: 200</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">      toclient-dst-groups: 200</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">      toclient-sp-groups: 200</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">      toclient-dp-groups: 300</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">      toserver-src-groups: 200</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">      toserver-dst-groups: 400</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">      toserver-sp-groups: 200</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">      toserver-dp-groups: 250</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  - sgh-mpm-context: auto</p>

<p style="margin:0px;font-size:11px;font-family:Menlo">  - inspection-recursion-limit: 3000</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"><br>
</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">flow:</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  memcap: 1gb</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  hash-size: 1048576</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  prealloc: 1048576</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  emergency-recovery: 30</p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br>
</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"># This option controls the use of vlan ids in the flow (and defrag)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"># hashing. Normally this should be enabled, but in some (broken)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"># setups where both sides of a flow are not tagged with the same vlan</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"># tag, we can ignore the vlan id's in the flow hashing.</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">vlan:</p>

<p style="margin:0px;font-size:11px;font-family:Menlo">  use-for-tracking: false</p>

<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br>
</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">flow-timeouts:</p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br>
</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  default:</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    new: 5</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    established: 5</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    closed: 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    emergency-new: 5</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    emergency-established: 5</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    emergency-closed: 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  tcp:</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    new: 5</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    established: 100</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    closed: 10</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    emergency-new: 1</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    emergency-established: 5</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    emergency-closed: 5</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  udp:</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    new: 5</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    established: 5</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    emergency-new: 5</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    emergency-established: 5</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  icmp:</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    new: 5</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    established: 5</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    emergency-new: 5</p>

<p style="margin:0px;font-size:11px;font-family:Menlo">    emergency-established: 5</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"><br>
</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">stream:</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  memcap: 4gb</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  checksum-validation: no      # reject wrong csums</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  inline: no                   # auto will use inline mode in IPS mode, yes or no set it statically</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  max-sessions: 20000000</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  prealloc-sessions: 10000000</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  #midstream: true</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  #async-oneside: true</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">  reassembly:</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    memcap: 12gb</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    depth: 1mb                  # reassemble 1mb into a stream</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    toserver-chunk-size: 2560</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    toclient-chunk-size: 2560</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    randomize-chunk-size: yes</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">    #randomize-chunk-range: 10</p>

<p style="margin:0px;font-size:11px;font-family:Menlo">    #raw: yes</p>
<div><br>
</div>
<div>Here is the portion of the stat file:</div>
<div><br>
</div>
<div>
<p style="margin:0px;font-size:11px;font-family:Menlo">capture.kernel_packets    | RxPFRp2p17                | 6073789</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">capture.kernel_drops      | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">dns.memuse                | RxPFRp2p17                | 848709</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">dns.memcap_state          | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">dns.memcap_global         | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.pkts              | RxPFRp2p17                | 6073790</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.bytes             | RxPFRp2p17                | 2412501092</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.invalid           | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.ipv4              | RxPFRp2p17                | 6074122</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.ipv6              | RxPFRp2p17                | 276</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.ethernet          | RxPFRp2p17                | 6073790</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.raw               | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.sll               | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.tcp               | RxPFRp2p17                | 4933100</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.udp               | RxPFRp2p17                | 595580</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.sctp              | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.icmpv4            | RxPFRp2p17                | 2734</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.icmpv6            | RxPFRp2p17                | 218</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.ppp               | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.pppoe             | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.gre               | RxPFRp2p17                | 354</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.vlan              | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.vlan_qinq         | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.teredo            | RxPFRp2p17                | 61</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.ipv4_in_ipv6      | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.ipv6_in_ipv6      | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.avg_pkt_size      | RxPFRp2p17                | 397</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.max_pkt_size      | RxPFRp2p17                | 1514</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">defrag.ipv4.fragments     | RxPFRp2p17                | 18078</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">defrag.ipv4.reassembled   | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">defrag.ipv4.timeouts      | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">defrag.ipv6.fragments     | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">defrag.ipv6.reassembled   | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">defrag.ipv6.timeouts      | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">defrag.max_frag_hits      | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.sessions              | RxPFRp2p17                | 110314</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.ssn_memcap_drop       | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.pseudo                | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.invalid_checksum      | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.no_flow               | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.reused_ssn            | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.memuse                | RxPFRp2p17                | 5348928</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.syn                   | RxPFRp2p17                | 112183</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.synack                | RxPFRp2p17                | 15048</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.rst                   | RxPFRp2p17                | 34856</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.segment_memcap_drop   | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.stream_depth_reached  | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.reassembly_memuse     | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.reassembly_gap        | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">http.memuse               | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">http.memcap               | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">detect.alert              | RxPFRp2p17                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">capture.kernel_packets    | RxPFRp2p18                | 5863379</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">capture.kernel_drops      | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">dns.memuse                | RxPFRp2p18                | 849275</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">dns.memcap_state          | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">dns.memcap_global         | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.pkts              | RxPFRp2p18                | 5863380</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.bytes             | RxPFRp2p18                | 2460791034</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.invalid           | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.ipv4              | RxPFRp2p18                | 5863428</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.ipv6              | RxPFRp2p18                | 236</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.ethernet          | RxPFRp2p18                | 5863380</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.raw               | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.sll               | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.tcp               | RxPFRp2p18                | 4880656</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.udp               | RxPFRp2p18                | 538940</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.sctp              | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.icmpv4            | RxPFRp2p18                | 2987</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.icmpv6            | RxPFRp2p18                | 201</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.ppp               | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.pppoe             | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.gre               | RxPFRp2p18                | 48</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.vlan              | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.vlan_qinq         | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.teredo            | RxPFRp2p18                | 35</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.ipv4_in_ipv6      | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.ipv6_in_ipv6      | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.avg_pkt_size      | RxPFRp2p18                | 419</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">decoder.max_pkt_size      | RxPFRp2p18                | 1514</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">defrag.ipv4.fragments     | RxPFRp2p18                | 17064</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">defrag.ipv4.reassembled   | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">defrag.ipv4.timeouts      | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">defrag.ipv6.fragments     | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">defrag.ipv6.reassembled   | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">defrag.ipv6.timeouts      | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">defrag.max_frag_hits      | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.sessions              | RxPFRp2p18                | 110186</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.ssn_memcap_drop       | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.pseudo                | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.invalid_checksum      | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.no_flow               | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.reused_ssn            | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.memuse                | RxPFRp2p18                | 5348928</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.syn                   | RxPFRp2p18                | 112081</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.synack                | RxPFRp2p18                | 15365</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.rst                   | RxPFRp2p18                | 34375</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.segment_memcap_drop   | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.stream_depth_reached  | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.reassembly_memuse     | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">tcp.reassembly_gap        | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">http.memuse               | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">http.memcap               | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">detect.alert              | RxPFRp2p18                | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">flow_mgr.closed_pruned    | FlowManagerThread         | 1151189</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">flow_mgr.new_pruned       | FlowManagerThread         | 1106070</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">flow_mgr.est_pruned       | FlowManagerThread         | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">flow.memuse               | FlowManagerThread         | 400679248</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">flow.spare                | FlowManagerThread         | 1058085</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">flow.emerg_mode_entered   | FlowManagerThread         | 0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">flow.emerg_mode_over      | FlowManagerThread         | 0</p>
</div><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jun 5, 2014 at 2:14 PM, Adnan Baykal <span dir="ltr"><<a href="mailto:abaykal@gmail.com" target="_blank">abaykal@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Checksums are disabled.<br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">
On Thu, Jun 5, 2014 at 2:10 PM, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On Thu, Jun 5, 2014 at 8:06 PM, Adnan Baykal <<a href="mailto:abaykal@gmail.com" target="_blank">abaykal@gmail.com</a>> wrote:<br>


> disabled vlan as tracking as well.<br>
><br>
><br>
<br>
</div>What is your setting for checksums in suricata.yaml - enabled or disabled?<br>
<div><div><br>
<br>
><br>
> On Thu, Jun 5, 2014 at 2:04 PM, Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>> wrote:<br>
>><br>
>> On Thu, Jun 5, 2014 at 5:30 PM, Adnan Baykal <<a href="mailto:abaykal@gmail.com" target="_blank">abaykal@gmail.com</a>> wrote:<br>
>> > Here is what I did. I found a top talker - video streaming - and put a<br>
>> > bpf<br>
>> > filter to filter it out (not (host 1.2.3.4)). I am not dropping as many<br>
>> > packets any more (about 3%-4%).<br>
>> ><br>
>> > however, I still see extremely low number of http entries in the http<br>
>> > log<br>
>> > and I don't see anything when I take out the midstream and async entries<br>
>> > from<br>
>> > the yaml file.<br>
>> ><br>
>><br>
>> Do you have VLANs on the mirror port?<br>
>><br>
>><br>
>> ><br>
>> ><br>
>> > On Wed, Jun 4, 2014 at 8:14 PM, Adnan Baykal <<a href="mailto:abaykal@gmail.com" target="_blank">abaykal@gmail.com</a>> wrote:<br>
>> >><br>
>> >> Mbit<br>
>> >><br>
>> >><br>
>> >> On Wed, Jun 4, 2014 at 4:38 PM, Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>><br>
>> >> wrote:<br>
>> >>><br>
>> >>> On Wed, Jun 4, 2014 at 10:33 PM, Adnan Baykal <<a href="mailto:abaykal@gmail.com" target="_blank">abaykal@gmail.com</a>><br>
>> >>> wrote:<br>
>> >>> > I do load about 7K rules.  I need to go back to my sensor but it is<br>
>> >>> > probably<br>
>> >>> > around 800MB/s<br>
>> >>> ><br>
>> >>> ><br>
>> >>><br>
>> >>> Just to confirm - is that 800 Mbit or MByte?<br>
>> >>><br>
>> >>><br>
>> >>> > On Wed, Jun 4, 2014 at 4:17 PM, Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>><br>
>> >>> > wrote:<br>
>> >>> >><br>
>> >>> >> On Wed, Jun 4, 2014 at 10:08 PM, Adnan Baykal <<a href="mailto:abaykal@gmail.com" target="_blank">abaykal@gmail.com</a>><br>
>> >>> >> wrote:<br>
>> >>> >> > I have been having no HTTP logging at all on one of my sensors. I<br>
>> >>> >> > have<br>
>> >>> >> > posted several questions to this blog. Mind you that this sensor<br>
>> >>> >> > does<br>
>> >>> >> > drop<br>
>> >>> >> > a significant amount of data (about 50%) and I do understand that<br>
>> >>> >> > there<br>
>> >>> >> > will<br>
>> >>> >> > be a lot of http traffic missed due to drops but not having any<br>
>> >>> >> > entry in<br>
>> >>> >> > the<br>
>> >>> >> > http.log file was concerning. I thought I would at least see some<br>
>> >>> >> > entries.<br>
>> >>> >> ><br>
>> >>> >> > This morning, I found a setting:<br>
>> >>> >> ><br>
>> >>> >> >   midstream: true             # do not allow midstream session<br>
>> >>> >> > pickups<br>
>> >>> >> >   async_oneside: true         # do not enable async stream<br>
>> >>> >> > handling<br>
>> >>> >> ><br>
>> >>> >> > When the above setting is applied to the stream, I get limited HTTP<br>
>> >>> >> > log.<br>
>> >>> >> > My<br>
>> >>> >> > question is "can this change in behavior be explained by dropped<br>
>> >>> >> > packets"?<br>
>> >>> >> > Does this change further support the theory that this box is<br>
>> >>> >> > significantly<br>
>> >>> >> > undersized and that the bigger box would operate normally with<br>
>> >>> >> > full<br>
>> >>> >> > http<br>
>> >>> >> > traffic?<br>
>> >>> >> ><br>
>> >>> >> > I am in the process of upgrading this sensor to a 32GB 20 Core<br>
>> >>> >> > system<br>
>> >>> >> > (it is<br>
>> >>> >> > currently 16GB 8 Core).<br>
>> >>> >> ><br>
>> >>> >> > Thanks,<br>
>> >>> >> ><br>
>> >>> >> > --Adnan<br>
>> >>> >> ><br>
>> >>> >> ><br>
>> >>> >> > _______________________________________________<br>
>> >>> >> > Suricata IDS Users mailing list:<br>
>> >>> >> > <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
>> >>> >> > Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support:<br>
>> >>> >> > <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
>> >>> >> > List:<br>
>> >>> >> ><br>
>> >>> >> > <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>> >>> >> > OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
>> >>> >><br>
>> >>> >> In general if you have significant % of drops  - you will be<br>
>> >>> >> missing a<br>
>> >>> >> lot of logs.<br>
>> >>> >> How much traffic do you inspect with that set up? (and how many<br>
>> >>> >> rules<br>
>> >>> >> do you load?)<br>
>> >>> >><br>
>> >>> >><br>
>> >>> >> --<br>
>> >>> >> Regards,<br>
>> >>> >> Peter Manev<br>
>> >>> ><br>
>> >>> ><br>
>> >>><br>
>> >>><br>
>> >>><br>
>> >>> --<br>
>> >>> Regards,<br>
>> >>> Peter Manev<br>
>> >><br>
>> >><br>
>> ><br>
>><br>
>><br>
>><br>
>> --<br>
>> Regards,<br>
>> Peter Manev<br>
><br>
><br>
<br>
<br>
<br>
</div></div><span><font color="#888888">--<br>
Regards,<br>
Peter Manev<br>
</font></span></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
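<p>The stats excerpt posted above lists per-thread counters, but the thread never says what to compute from them. The following Python script is an added example, not code from this mailing-list thread or from the Suricata project: it parses the three-column "counter | thread | value" layout as posted and applies three operator checks: the kernel drop ratio, the tcp.synack/tcp.syn ratio (a SYN/ACK count far below the SYN count is a common sign that the sensor sees only one direction of each TCP session, which is the situation the midstream and async-oneside stream options exist for), and whether tcp.reassembly_memuse is zero while tcp.sessions is not. The sample input is constructed from the values posted above; the thresholds (0.5 for the SYN/ACK ratio, 1% for drops) are assumptions, not Suricata defaults.</p>

```python
"""Sanity checks over a Suricata stats.log excerpt.

Added example; not code from the mailing-list thread or from the Suricata
project. It assumes the three-column layout shown in the thread
(counter | thread name | value) and applies checks a sensor operator
would run when http.log stays nearly empty despite low kernel drops.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed input: a subset of the stats.log lines posted in the thread.
STATS_EXCERPT = """\
capture.kernel_packets    | RxPFRp2p17                | 6073789
capture.kernel_drops      | RxPFRp2p17                | 0
tcp.sessions              | RxPFRp2p17                | 110314
tcp.syn                   | RxPFRp2p17                | 112183
tcp.synack                | RxPFRp2p17                | 15048
tcp.rst                   | RxPFRp2p17                | 34856
tcp.reassembly_memuse     | RxPFRp2p17                | 0
http.memuse               | RxPFRp2p17                | 0
capture.kernel_packets    | RxPFRp2p18                | 5863379
capture.kernel_drops      | RxPFRp2p18                | 0
tcp.sessions              | RxPFRp2p18                | 110186
tcp.syn                   | RxPFRp2p18                | 112081
tcp.synack                | RxPFRp2p18                | 15365
tcp.rst                   | RxPFRp2p18                | 34375
tcp.reassembly_memuse     | RxPFRp2p18                | 0
http.memuse               | RxPFRp2p18                | 0
"""

# Assumed thresholds (operator choice, not Suricata defaults).
SYNACK_RATIO_FLOOR = 0.5
DROP_RATIO_CEILING = 0.01


def parse_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Return {thread: {counter: value}} from 'counter | thread | value' lines.

    Header, separator and date lines of a real stats.log do not have three
    pipe-separated fields with an integer value, so they are skipped.
    """
    stats: Dict[str, Dict[str, int]] = defaultdict(dict)
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        counter, thread, value = parts
        stats[thread][counter] = int(value)
    return dict(stats)


def check_thread(counters: Dict[str, int]) -> Dict[str, object]:
    """Compute the ratios an operator looks at when HTTP logging is sparse."""
    pkts = counters.get("capture.kernel_packets", 0)
    drops = counters.get("capture.kernel_drops", 0)
    syn = counters.get("tcp.syn", 0)
    synack = counters.get("tcp.synack", 0)
    sessions = counters.get("tcp.sessions", 0)
    reasm = counters.get("tcp.reassembly_memuse", 0)

    findings: List[str] = []
    drop_ratio = drops / pkts if pkts else 0.0
    # Roughly one SYN/ACK per SYN is expected when both directions of the
    # traffic reach the sensor. A ratio far below that usually means the
    # mirror/tap delivers only one side of each session, so the stream
    # engine never sees a full handshake (the case for midstream and
    # async-oneside).
    synack_ratio = synack / syn if syn else 0.0
    if syn and synack_ratio < SYNACK_RATIO_FLOOR:
        findings.append("asymmetric: tcp.synack is far below tcp.syn")
    # Tracked sessions but no reassembly memory in use: nothing is being
    # reassembled, so app-layer parsers such as HTTP get no data.
    if sessions and reasm == 0:
        findings.append("no reassembly memory in use despite tracked sessions")
    if drop_ratio > DROP_RATIO_CEILING:
        findings.append("kernel drops above 1%")
    return {
        "drop_ratio": drop_ratio,
        "synack_ratio": round(synack_ratio, 3),
        "findings": findings,
    }


def check_all(text: str) -> Dict[str, Dict[str, object]]:
    """Run check_thread() for every capture thread found in the stats text."""
    return {thread: check_thread(c) for thread, c in parse_stats(text).items()}


if __name__ == "__main__":
    for thread, result in check_all(STATS_EXCERPT).items():
        print(thread, result)
```

<p>Run it as a script to print one result line per capture thread, or import it and call check_all() on the contents of a real stats.log. On the values posted above both threads come out with a SYN/ACK ratio near 0.13 and zero reassembly memory, which is the kind of evidence worth correlating with the mirror-port and VLAN questions raised earlier in the thread before resizing the sensor.</p>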