<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>I am running PF_RING as well and I've noticed that you dont want to spin up more detect threads than number of logical CPUs that you have.<div>Unless you have 76 logical CPUs, I would recommend reducing that.</div><div>Also, if you have any packet loss, then number of alerts would go down.</div><div><br></div><div>BTW, I've used Snort before and now I am getting more alerts with Suricata than before. <br><br><div>> From: dsprans@emory.edu<br>> To: petermanev@gmail.com<br>> Date: Fri, 23 Oct 2015 13:14:20 +0000<br>> CC: oisf-users@lists.openinfosecfoundation.org<br>> Subject: Re: [Oisf-users] Suricata generating fewer alerts than Snort<br>> <br>> Hi Peter,<br>> <br>> Here's the output:<br>> <br>> filename: /lib/modules/3.10.0-229.7.2.el7.x86_64/extra/pf_ring.ko<br>> alias: net-pf-27<br>> description: Packet capture acceleration and analysis<br>> author: ntop.org<br>> license: GPL<br>> rhelversion: 7.1<br>> srcversion: 2529895847C1F1B8C2B43D8<br>> depends: <br>> vermagic: 3.10.0-229.7.2.el7.x86_64 SMP mod_unload modversions <br>> parm: min_num_slots:Min number of ring slots (uint)<br>> parm: perfect_rules_hash_size:Perfect rules hash size (uint)<br>> parm: transparent_mode:(deprecated) (uint)<br>> parm: enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog (uint)<br>> parm: enable_tx_capture:Set to 1 to capture outgoing packets (uint)<br>> parm: enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint)<br>> parm: enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)<br>> parm: quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint)<br>> PF_RING Version : 6.0.3 (6.0.3-stable:8994076d9761315040ed29a0d5825cb74c20c078)<br>> Total rings : 0<br>> <br>> Standard (non DNA/ZC) Options<br>> Ring slots : 4096<br>> Slot version : 16<br>> Capture TX : Yes [RX+TX]<br>> IP Defragment : No<br>> Socket Mode : Standard<br>> Total plugins : 0<br>> Cluster Fragment Queue : 0<br>> Cluster Fragment Discard : 0<br>> <br>> The interface we're using:<br>> Name: enp2s0f0<br>> Index: 6<br>> Address: 90:E2:BA:--:--:--<br>> Polling Mode: NAPI/ZC<br>> Type: Ethernet<br>> Family: Intel ixgbe 82599<br>> Max # TX Queues: 1<br>> # Used RX Queues: 1<br>> Num RX Slots: 8192<br>> Num TX Slots: 8192<br>> <br>> On this box we're spinning up 73 detect threads and 3 management threads<br>> <br>> Thanks,<br>> Derek<br>> ________________________________________<br>> From: Peter Manev <petermanev@gmail.com><br>> Sent: Friday, October 23, 2015 3:32 AM<br>> To: Spransy, Derek<br>> Cc: oisf-users@lists.openinfosecfoundation.org<br>> Subject: Re: [Oisf-users] Suricata generating fewer alerts than Snort<br>> <br>> On Thu, Oct 22, 2015 at 8:39 PM, Spransy, Derek <dsprans@emory.edu> wrote:<br>> > Hi Peter,<br>> ><br>> > It is currently set to 60,000<br>> <br>> Hi Derek,<br>> <br>> What is the output of -<br>> modinfo pf_ring && cat /proc/net/pf_ring/info<br>> <br>> How many threads do you use (per interfaces?)?<br>> <br>> <br>> Thank you<br>> <br>> > ________________________________________<br>> > From: Peter Manev <petermanev@gmail.com><br>> > Sent: Thursday, October 22, 2015 2:33 PM<br>> > To: Spransy, Derek<br>> > Cc: Cooper F. Nelson; oisf-users@lists.openinfosecfoundation.org<br>> > Subject: Re: [Oisf-users] Suricata generating fewer alerts than Snort<br>> ><br>> >> On 22 okt. 2015, at 20:28, Spransy, Derek <dsprans@emory.edu> wrote:<br>> >><br>> >> Hi Cooper,<br>> >><br>> >> Thanks for the suggestions. We're using pfring autofp mode (using ZC drivers) rather than AF_Packet, though I could try that configuration. RSS is, I believe, disabled in ZC mode. I haven't seen a lot of documentation out there about using PF_RING ZC drivers, so perhaps I've missed something in that regard.<br>> >><br>> >> Also we are using Suricata optimized rules:<br>> >> ** GET http://rules.emergingthreatspro.com/<code>/suricata-2.0.9/etpro.rules.tar.gz ==> 200 OK (1s)<br>> >><br>> >> I disabled NIC offloading features for that interface as well, but it doesn't appear to have made any significant difference.<br>> >><br>> ><br>> > What is your max pending packets value (in suricata.yaml)?<br>> ><br>> ><br>> >> Thanks,<br>> >> Derek<br>> >> ________________________________________<br>> >> From: Cooper F. Nelson <cnelson@ucsd.edu><br>> >> Sent: Thursday, October 22, 2015 1:52 PM<br>> >> To: Spransy, Derek; oisf-users@lists.openinfosecfoundation.org<br>> >> Subject: Re: [Oisf-users] Suricata generating fewer alerts than Snort<br>> >><br>> >> -----BEGIN PGP SIGNED MESSAGE-----<br>> >> Hash: SHA1<br>> >><br>> >> I experienced the exact opposite effect migrating from snort to<br>> >> suricata, so I think something is wrong with your deployment.<br>> >><br>> >> First off, have you tried the latest version of suricata using 'workers'<br>> >> runmode with zero-copy/AF_PACKET mode? Details described here:<br>> >><br>> >>> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/<br>> >><br>> >> Make sure all NIC offloading features are disabled as per this article<br>> >><br>> >>> http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html<br>> >><br>> >> As a sanity check, are you sure you are using a ruleset tuned for<br>> >> suricata, like this?<br>> >><br>> >>> https://rules.emergingthreats.net/open/suricata/<br>> >><br>> >> - -Coop<br>> >><br>> >><br>> >>> On 10/22/2015 10:43 AM, Spransy, Derek wrote:<br>> >>> I would have expected just the opposite as our Snort box is more<br>> >>> underpowered and has a higher packet drop rate. Can anyone point me in a<br>> >>> direction to troubleshoot? Generally our packet drops seems to be<br>> >>> relatively low, (~2%) on the Suricata system. However, I don't know how<br>> >>> accurate these are as sometimes Suricata reports packet drop percentages<br>> >>> higher than 100%, which in itself seems really rather odd.<br>> >>><br>> >>> Thanks,<br>> >>> Derek<br>> >>><br>> >>> ------------------------------------------------------------------------<br>> >><br>> >><br>> >> - --<br>> >> Cooper Nelson<br>> >> Network Security Analyst<br>> >> UCSD ACT Security Team<br>> >> cnelson@ucsd.edu x41042<br>> >> -----BEGIN PGP SIGNATURE-----<br>> >> Version: GnuPG v2.0.17 (MingW32)<br>> >><br>> >> iQEcBAEBAgAGBQJWKSJwAAoJEKIFRYQsa8FWvfEIAJzq7yqdbqJH7CoBh/e7VE97<br>> >> MOxi8KMvw2BgmBW9+X188+U6znjgWGa2ebk4Fh2XrUAD6Qau7KW5omCJyGIj2Eof<br>> >> Bq5kpg6+thRKx++hMuXESU/k/RDLJRK7nLtUcgOcvizYRG4RS+ZajgMhg0NsK5nZ<br>> >> u2xS02AhHTxhWe22ejdFh7Uu3dfXQApCQbubCJS/AbVNOSln51OpxSq5jpLBDFu5<br>> >> t4Xxx2INFP+TLa1twPzk7WtSvWlnYPGgHLwsyr4nURuusydd47xUP++mRFzdC6Is<br>> >> 5KAb3i+XuY1TqZ9gI3+QoEdUOK319z8dzbNnYGpO8A/NmI0YDe8rTqdLSFeI6l8=<br>> >> =IRyb<br>> >> -----END PGP SIGNATURE-----<br>> >><br>> >> ________________________________<br>> >><br>> >> This e-mail message (including any attachments) is for the sole use of<br>> >> the intended recipient(s) and may contain confidential and privileged<br>> >> information. If the reader of this message is not the intended<br>> >> recipient, you are hereby notified that any dissemination, distribution<br>> >> or copying of this message (including any attachments) is strictly<br>> >> prohibited.<br>> >><br>> >> If you have received this message in error, please contact<br>> >> the sender by reply e-mail message and destroy all copies of the<br>> >> original message (including attachments).<br>> >> _______________________________________________<br>> >> Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org<br>> >> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/<br>> >> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br>> >> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net<br>> <br>> <br>> <br>> --<br>> Regards,<br>> Peter Manev<br>> _______________________________________________<br>> Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org<br>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/<br>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net<br></div></div> </div></body>
</html>