<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
code
{mso-style-priority:99;
font-family:"Courier New";}
pre
{mso-style-priority:99;
mso-style-link:"HTML con formato previo Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLconformatoprevioCar
{mso-style-name:"HTML con formato previo Car";
mso-style-priority:99;
mso-style-link:"HTML con formato previo";
font-family:Consolas;
mso-fareast-language:CA;}
span.EstiloCorreo21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1859738054;
mso-list-template-ids:-2027530920;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="CA" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Another user explained me that there is a limitation at using single connection. I can confirm that each test achieves the same result, no matter
if I there is 1 test running, or 4.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">So, I guess that each connection is limited to… I don’t know what, since I can multiply total throughput by running several tests in parallel,
so it’s not a system limitation (ram, cpu, disk, etc)…<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Anyway I’ve checked that counters, they look good.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:Consolas;color:#1F497D">[root@suricata]# cat /proc/net/netfilter/nfnetlink_queue<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:Consolas;color:#1F497D"> 0 5405 0 2 65531 0 0 47862 1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:Consolas;color:#1F497D"> 1 -4139 0 2 65531 0 0 332937 1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Best regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Xavier Romero<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="ES" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">De:</span></b><span lang="ES" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> oisf-users-bounces@lists.openinfosecfoundation.org [mailto:oisf-users-bounces@lists.openinfosecfoundation.org]
<b>En nombre de </b>Peter Fyon<br>
<b>Enviado el:</b> dijous, 8 d'octubre de 2015 4:44<br>
<b>Para:</b> oisf-users@lists.openinfosecfoundation.org<br>
<b>Asunto:</b> Re: [Oisf-users] Inline NFQ<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p>Have you checked your nfnetlink_queue for dropped packets?<o:p></o:p></p>
<p>From <a href="https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/" target="_blank">
https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/</a> :<o:p></o:p></p>
<p><span style="font-size:14.0pt;font-family:"Arial","sans-serif";color:#333333">nfnetlink_queue entry in /proc</span><o:p></o:p></p>
<p style="margin:0cm;margin-bottom:.0001pt;line-height:16.7pt;outline:0px"><span style="font-size:10.5pt;font-family:"Arial","sans-serif";color:black">nfnetlink_queue has a dedicated entry in /proc: </span><code><span style="font-size:10.5pt;color:black;border:none windowtext 1.0pt;padding:0cm;background:#F7F7F7">/proc/net/netfilter/nfnetlink_queue</span></code><span style="font-size:10.5pt;font-family:"Arial","sans-serif";color:black"><o:p></o:p></span></p>
<div style="mso-element:para-border-div;border:solid #DDDDDD 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;background:#F7F7F7">
<pre style="mso-margin-top-alt:18.0pt;margin-right:0cm;margin-bottom:18.0pt;margin-left:0cm;line-height:18.0pt;background:#F7F7F7;border:none;padding:0cm;outline:0px;border-radius:5px;overflow:auto"><span style="font-size:10.5pt;color:black">cat /proc/net/netfilter/nfnetlink_queue <o:p></o:p></span></pre>
<pre style="mso-margin-top-alt:18.0pt;margin-right:0cm;margin-bottom:18.0pt;margin-left:0cm;line-height:18.0pt;background:#F7F7F7;border:none;padding:0cm"><span style="font-size:10.5pt;color:black"> 40 23948 0 2 65531 0 0 106 1<o:p></o:p></span></pre>
</div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif";color:black">The content is the following:</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:18.0pt;text-indent:-18.0pt;line-height:16.7pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:10.5pt;font-family:"Arial","sans-serif";color:black">queue number<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:18.0pt;text-indent:-18.0pt;line-height:16.7pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:10.5pt;font-family:"Arial","sans-serif";color:black">peer portid: good chance it is process ID of software listening to the queue<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:18.0pt;text-indent:-18.0pt;line-height:16.7pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:10.5pt;font-family:"Arial","sans-serif";color:black">queue total: current number of packets waiting in the queue<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:18.0pt;text-indent:-18.0pt;line-height:16.7pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:10.5pt;font-family:"Arial","sans-serif";color:black">copy mode: 0 and 1 only message only provide meta data. If 2 message provide a part of packet of size copy range.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:18.0pt;text-indent:-18.0pt;line-height:16.7pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:10.5pt;font-family:"Arial","sans-serif";color:black">copy range: length of packet data to put in message<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:18.0pt;text-indent:-18.0pt;line-height:16.7pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:10.5pt;font-family:"Arial","sans-serif";color:black">queue dropped: number of packets dropped because queue was full<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:18.0pt;text-indent:-18.0pt;line-height:16.7pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:10.5pt;font-family:"Arial","sans-serif";color:black">user dropped: number of packets dropped because netlink message could not be sent to userspace. If this counter is not zero, try to increase netlink buffer
size. On the application side, you will see gap in packet id if netlink message are lost.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:18.0pt;text-indent:-18.0pt;line-height:16.7pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:10.5pt;font-family:"Arial","sans-serif";color:black">id sequence: packet id of last packet<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:18.0pt;text-indent:-18.0pt;line-height:16.7pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:10.5pt;font-family:"Arial","sans-serif";color:black">1<o:p></o:p></span></p>
<div>
<p class="MsoNormal">I've never tried to run suricata in IPS mode using netfilter queues, but I did run snort for a while like that. I recall that the maximum queue length (on a ubuntu machine, at least) was 5000 packets. You could up this with a sysctl somehow,
but I don't remember the setting offhand.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Peter<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">On Oct 7, 2015 9:44 AM, "Xavier Romero" <<a href="mailto:XRomero@nexica.com" target="_blank">XRomero@nexica.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB">Hello,</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB">I’m successfully running Suricata (detection mode) for a long time in a dedicated physical machine, processing about 2 Gbps with no problem.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB">Now I need to set up another Suricata box for inline mode as a virtual machine (just for 50Mbps), it’s a small VM (CentOS 7, 2 CPUs & 2 GB RAM) but it should
be enough thought. I set up iptables that way:</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas"> </span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas">iptables -I FORWARD -j NFQUEUE --queue-bypass --queue-balance 0:1</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB">My problem is, when I start Suricata on inline mode, the network throughput drops dramatically… I run internet speed test</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas">[15:24:30][admin@test ~]$ ./speedtest-cli</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas">Retrieving
<a href="http://speedtest.net" target="_blank">speedtest.net</a> configuration...</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas">Retrieving
<a href="http://speedtest.net" target="_blank">speedtest.net</a> server list...</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas">Selecting best server based on latency...</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas">Hosted by masmovil (Madrid) [0.00 km]: 13.574 ms</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas">Testing download speed........................................</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas;color:red">Download: 602.14 Mbit/s</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas">Testing upload speed..................................................</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas;color:red">Upload: 136.50 Mbit/s</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas"> </span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas">[15:25:02][root@suricata ~]$
<span style="color:red">systemctl start suricata</span></span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas;color:red"> </span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas">[15:25:24][admin@test ~]$ ./speedtest-cli</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas">Retrieving
<a href="http://speedtest.net" target="_blank">speedtest.net</a> configuration...</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas">Retrieving
<a href="http://speedtest.net" target="_blank">speedtest.net</a> server list...</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas">Selecting best server based on latency...</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas">Hosted by masmovil (Madrid) [0.00 km]: 10.948 ms</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas">Testing download speed........................................</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas;color:red">Download: 14.18 Mbit/s</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas">Testing upload speed..................................................</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:Consolas;color:red">Upload: 3.08 Mbit/s</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB">I’ve tried with 1 and 2 queues (-q 0 –q 1), and in both autofp and workers mode, no matter… always same results. Suricata threads does not consume much CPU, so
it does not look like I need more cores.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB">Neither dmesg, journctl, /var/log/messages nor suricata logs are complaing about anything.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB">I’ve no idea where to look or what to try. Any suggestion will be wellcome.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB">Best regards,</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB">Xavier Romero</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">
oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support:
<a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">
https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" target="_blank">
http://oisfevents.net</a><o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>