<div dir="ltr">Hi,<div><br></div><div>I have capture problems with a Suricata 3.0.1. I'd appreciate some ideas on this.</div><div><br></div><div>I suspect it has to do with my Suricata configuration. The traffic is sent to the sensor via an F5 clone pool</div><div>(<a href="https://support.f5.com/kb/en-us/solutions/public/8000/500/sol8573.html">https://support.f5.com/kb/en-us/solutions/public/8000/500/sol8573.html</a>).</div><div><br></div><div>* The traffic is copied into an IDS VLAN and received on an interface. The MAC address is rewritten.</div><div>A packet looks like this:</div><div><a href="https://drive.google.com/file/d/0BwyhoK4VyctFWWN6LVlTdjdIT00/view">https://drive.google.com/file/d/0BwyhoK4VyctFWWN6LVlTdjdIT00/view</a><br></div><div><br></div><div>* With the clone pools we can get SSL-offloaded traffic from the LBs. Suri doesn't do SSL decryption.<br></div><div><br></div><div>On the sensor my interface config is:</div><div><div>enp17s0f1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000</div><div>        inet 192.168.99.94  netmask 255.255.255.0  broadcast 192.168.99.255</div></div><div><br></div><div>* The interface is not set in promiscuous mode, because it receives the traffic directly via the MAC.</div><div><br></div><div>The rules which indicate an error are mostly stream-engine related:</div><div>SURICATA STREAM 3way handshake with ack in wrong dir [Classification: (null)]<br></div><div>SURICATA STREAM ESTABLISHED packet out of window<br></div><div>SURICATA STREAM ESTABLISHED invalid ack<br></div><div>SURICATA STREAM Packet with invalid ack<br></div><div>SURICATA STREAM FIN invalid ack<br></div><div><br></div><div>* These alerts go wild.</div><div>* I also get valid alerts for TOR IPs and some XSS. 
However, that is a fraction.<br></div><div><br></div><div>* The stats.log:</div><div><div><div>------------------------------------------------------------------------------------</div><div>Date: 7/12/2016 -- 19:22:01 (uptime: 0d, 00h 26m 35s)</div><div>------------------------------------------------------------------------------------</div><div>Counter                                    | TM Name                   | Value</div><div>------------------------------------------------------------------------------------</div><div>capture.kernel_packets                     | Total                     | 49950854</div><div>capture.kernel_drops                       | Total                     | 38149996</div><div>decoder.pkts                               | Total                     | 11664420</div><div>decoder.bytes                              | Total                     | 5930632578</div><div>decoder.ipv4                               | Total                     | 11664416</div><div>decoder.ethernet                           | Total                     | 11664420</div><div>decoder.tcp                                | Total                     | 11664416</div><div>decoder.avg_pkt_size                       | Total                     | 508</div><div>decoder.max_pkt_size                       | Total                     | 1566</div><div>tcp.sessions                               | Total                     | 568197</div><div>tcp.pseudo                                 | Total                     | 29014</div><div>tcp.syn                                    | Total                     | 593612</div><div>tcp.synack                                 | Total                     | 522806</div><div>tcp.rst                                    | Total                     | 9906</div><div>tcp.segment_memcap_drop                    | Total                     | 36066</div><div>tcp.stream_depth_reached                   | Total                     | 24</div><div>tcp.reassembly_gap                         | Total                     | 159155</div><div>detect.alert                               | Total                     | 2041259</div><div>flow_mgr.closed_pruned                     | Total                     | 104504</div><div>flow_mgr.new_pruned                        | Total                     | 773441</div><div>flow.spare                                 | Total                     | 20560</div><div>flow.tcp_reuse                             | Total                     | 2032</div><div>tcp.memuse                                 | Total                     | 52727808</div><div>tcp.reassembly_memuse                      | Total                     | 2147483622</div><div>http.memuse                                | Total                     | 222223958</div><div>flow.memuse                                | Total                     | 96075664</div></div></div><div><br></div><div>* My suspicion is that my config has a problem, because Suri does not utilize memory or CPU a lot. 
The machine is almost idle.<br></div><div>* Peak is 20 MB per second, nothing extraordinary here.</div><div><br></div><div>I use af-packet in Suri:<br></div><div><br></div><div><div>af-packet:<br></div><div>  - interface: enp17s0f1</div><div>    threads: 1</div><div>    cluster-id: 99</div><div>    cluster-type: cluster_flow</div><div>    defrag: yes</div><div>    # 12 GB, machine has 32 GB</div><div>    buffer-size: 12884901888<br></div><div>    disable-promisc: yes<br></div><div>    use-mmap: yes<br></div><div>    checksum-checks: auto</div></div><div><br></div><div><div>defrag:</div><div>  max-frags: 65535</div><div>  prealloc: yes</div><div>  timeout: 120</div></div><div><br></div><div># had no effect</div><div><div>vlan:</div><div>  use-for-tracking: false</div></div><div><br></div><div><div>stream:</div><div>  memcap: 4096mb</div><div>  # had no effect</div><div>  checksum-validation: yes      # reject wrong csums</div><div>  inline: no                    # no inline mode</div><div>  reassembly:</div><div>    memcap: 2048mb</div><div>    depth: 1mb                  # reassemble 1mb into a stream</div><div>    toserver-chunk-size: 2560</div><div>    toclient-chunk-size: 2560</div><div>  # I am unsure about these</div><div>  # midstream: true</div><div>  # async-oneside: true</div><div>  # also no effect:</div><div>  max-synack-queued: 10</div></div><div><br></div><div>* Suri produces PCAPs and logs. The engine is stable. But somehow the cap (and match) processes don't work.</div><div>I'm not sure where to look next.</div><div><br></div><div><br></div><div>Best,</div><div>Marius</div></div>
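<div>The stats.log block above already contains the numbers a practitioner would check first: the kernel drop ratio, how close tcp.reassembly_memuse sits to the configured stream.reassembly.memcap, and whether both halves of the TCP handshake (tcp.syn vs. tcp.synack) reach the sensor. The following script is an added example, not code from the post or from the Suricata project: it parses a stats.log dump in the format shown, converts the posted memcap strings ("2048mb", "4096mb") to bytes the way Suricata reads them, and reports the metrics with findings. The embedded SAMPLE_STATS is a subset of the posted stats block; the 1 % drop tolerance and the 95 % memcap threshold are assumptions.</div>

```python
#!/usr/bin/env python3
"""Flag capture and memcap problems from a Suricata stats.log dump.

Added example, not code from the original post or from the Suricata project.
SAMPLE_STATS is a subset of the stats block quoted in the post; the memcap
strings mirror the posted stream config; the thresholds are assumptions.
"""
import re

SAMPLE_STATS = """\
------------------------------------------------------------------------------------
Date: 7/12/2016 -- 19:22:01 (uptime: 0d, 00h 26m 35s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 49950854
capture.kernel_drops                       | Total                     | 38149996
decoder.pkts                               | Total                     | 11664420
tcp.sessions                               | Total                     | 568197
tcp.syn                                    | Total                     | 593612
tcp.synack                                 | Total                     | 522806
tcp.segment_memcap_drop                    | Total                     | 36066
tcp.reassembly_gap                         | Total                     | 159155
tcp.memuse                                 | Total                     | 52727808
tcp.reassembly_memuse                      | Total                     | 2147483622
"""

# One stats row: "counter | TM name | value". Separator, date and header
# rows do not match the pattern and are skipped.
ROW_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")
# suricata.yaml memcap syntax: integer with optional kb/mb/gb suffix.
MEMCAP_RE = re.compile(r"^(\d+)\s*(kb|mb|gb)?$")
UNITS = {None: 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def parse_stats(text):
    """Return {counter: value} for the 'Total' column of one stats dump."""
    counters = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m and m.group(2) == "Total":
            counters[m.group(1)] = int(m.group(3))
    return counters


def memcap_bytes(value):
    """Convert a memcap string such as '2048mb' to bytes (binary units)."""
    m = MEMCAP_RE.match(value.strip().lower())
    if not m:
        raise ValueError("bad memcap: %r" % value)
    return int(m.group(1)) * UNITS[m.group(2)]


def analyze(counters, reassembly_memcap, stream_memcap, drop_threshold=0.01):
    """Return (metrics, findings) for one stats dump.

    drop_threshold is an assumed tolerance for kernel drops (1 %).
    """
    kp = counters.get("capture.kernel_packets", 0)
    kd = counters.get("capture.kernel_drops", 0)
    metrics = {
        "kernel_drop_ratio": kd / kp if kp else 0.0,
        "reassembly_memcap_use":
            counters.get("tcp.reassembly_memuse", 0) / reassembly_memcap,
        "stream_memcap_use": counters.get("tcp.memuse", 0) / stream_memcap,
        "segment_memcap_drops": counters.get("tcp.segment_memcap_drop", 0),
        "reassembly_gaps": counters.get("tcp.reassembly_gap", 0),
        # SYN/ACKs per SYN: close to 1.0 means the sensor sees both
        # directions of the handshake, close to 0 means only one side.
        "synack_per_syn":
            counters.get("tcp.synack", 0) / (counters.get("tcp.syn") or 1),
    }
    findings = []
    if metrics["kernel_drop_ratio"] > drop_threshold:
        findings.append(
            "capture: %.1f%% of packets were dropped in the kernel before "
            "Suricata read them; missing segments show up as reassembly "
            "gaps (%d) and as window/ack anomalies in the stream engine"
            % (100 * metrics["kernel_drop_ratio"], metrics["reassembly_gaps"]))
    if metrics["reassembly_memcap_use"] > 0.95:
        findings.append(
            "stream.reassembly.memcap is %.4f%% used; segments are being "
            "dropped (tcp.segment_memcap_drop=%d)"
            % (100 * metrics["reassembly_memcap_use"],
               metrics["segment_memcap_drops"]))
    elif metrics["segment_memcap_drops"]:
        findings.append("tcp.segment_memcap_drop=%d although the memcap is "
                        "not full" % metrics["segment_memcap_drops"])
    if metrics["synack_per_syn"] < 0.5:
        findings.append("fewer than half of the SYNs have a SYN/ACK: the "
                        "sensor may only see one direction")
    return metrics, findings


if __name__ == "__main__":
    stats = parse_stats(SAMPLE_STATS)
    metrics, findings = analyze(stats, memcap_bytes("2048mb"),
                                memcap_bytes("4096mb"))
    for name, value in metrics.items():
        print("%-24s %s" % (name, value))
    for f in findings:
        print("FINDING:", f)
```

<div>Run it against a live sensor with <code>parse_stats(open("/var/log/suricata/stats.log").read())</code>; because later dumps overwrite earlier keys in the dictionary, the last block in the file wins. On the posted numbers the script reports that roughly three quarters of the packets never reached Suricata and that tcp.reassembly_memuse is within a few bytes of the 2048mb reassembly memcap.</div>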