<html><head></head><body>Thanks.<div><br></div><div>We will try if we can SSH into the appliance when it was in this condition.</div><div><br></div><div>I don't know if it makes a difference but we had upgraded Suricata to version 2.0.11 about 2 to 3 days before this incident was reported to us. We had also compiled it with geoIP, JSON, and LUA support when we did the upgrade.<br><br><font face="Arial"><font size="2">Leonard</font><br></font><br><br><br><div><strong>
From:
</strong>
Victor Julien <lists@inliniac.net>
<br>
<strong>
To:
</strong>
<oisf-users@lists.openinfosecfoundation.org>
<br>
<strong>
Sent:
</strong>
1/27/2016 2:59 AM
<br>
<strong>
Subject:
</strong>
Re: [Oisf-users] Suricata and DDoS Attack
<br><br><blockquote class="mori" style="margin:0 0 0 .8ex;border-left:1px solid #CCC;padding-left:1ex;">On 27-01-16 03:00, Leonard Jacobs wrote:<br>> With one of the networks we monitor, the ISP was under a DDoS attack<br>> yesterday. It appears that Suricata kept functioning the whole time the<br>> attack was occurring because we kept seeing events. However, somewhere<br>> along the way the IPS appeared to lock up. The appliance was rebooted<br>> and everything came back to normal.<br>><br>> We run the IPS in AF-Packet mode. The actual network we monitor was not<br>> directly under the DDoS attack but slow Internet response times was<br>> experienced.<br>><br>> Is it possible that Suricata was experiencing some resource exhaustion?<br>> Logs did not show anything wrong.<br><br>Hard to say without more info. If it would happen again before killing <br>Suricata, could you attach to with gdb and create a back trace?<br><br>gdb --attach $(pidof suricata)<br><br>then inside gdb<br><br>(gdb) set logging on<br>(gdb) thread apply all bt<br><br><br>Then press return till you get back to the prompt. Then type quit. This <br>process has created a gdb.txt file containing a copy of the output that <br>describe the state of the different threads. You can then attach this <br>file to the bug report.<br><br>-- <br>---------------------------------------------<br>Victor Julien<br>http://www.inliniac.net/<br>PGP: http://www.inliniac.net/victorjulien.asc<br>---------------------------------------------<br><br>_______________________________________________<br>Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org<br>Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/<br>List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br>Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net</blockquote></div></div></body></html>