<div dir="ltr">Sure.<div><br></div><div>* here is the verbose suricata.log <a href="http://pastebin.com/WSWe0xac">http://pastebin.com/WSWe0xac</a> <br></div><div>* here is the stats.log from a 5 minute run <a href="https://drive.google.com/file/d/0BwyhoK4VyctFRy11elNQTWVvWmM/view">https://drive.google.com/file/d/0BwyhoK4VyctFRy11elNQTWVvWmM/view</a> </div><div><br></div><div><br></div><div>The STREAM alerts do not start immediately. But the frequency is >300 STREAM alerts per second, so that I cannot run the sensor with these rules. </div><div><br></div><div>Best,</div><div>Marius</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 12 July 2016 at 20:58, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Tue, Jul 12, 2016 at 10:42 PM, Marius <<a href="mailto:wishinet@gmail.com">wishinet@gmail.com</a>> wrote:<br>
> For reference here is my NIC init script.<br>
> The linked wiki page mentions that issues like this can be related to the<br>
> NIC queues and a changed packet order.<br>
> Would it be safe to ignore these rules then?<br>
><br>
><br>
> ethtool -K enp17s0f1 tso off<br>
> ethtool -K enp17s0f1 gro off<br>
> ethtool -K enp17s0f1 ufo off<br>
> ethtool -K enp17s0f1 lro off<br>
> ethtool -K enp17s0f1 gso off<br>
> ethtool -K enp17s0f1 rx off<br>
> ethtool -K enp17s0f1 tx off<br>
> ethtool -K enp17s0f1 sg off<br>
> ethtool -K enp17s0f1 rxvlan off<br>
> ethtool -K enp17s0f1 txvlan off<br>
> ethtool -N enp17s0f1 rx-flow-hash udp4 sdfn<br>
> ethtool -N enp17s0f1 rx-flow-hash udp6 sdfn<br>
> ethtool -C enp17s0f1 rx-usecs 1 rx-frames 0<br>
> ethtool -C enp17s0f1 adaptive-rx off<br>
> ethtool -L enp17s0f1 combined 1<br>
><br>
><br>
> ethtool -l enp17s0f1<br>
> Channel parameters for enp17s0f1:<br>
> Pre-set maximums:<br>
> RX:             0<br>
> TX:             0<br>
> Other:          1<br>
> Combined:       63<br>
> Current hardware settings:<br>
> RX:             0<br>
> TX:             0<br>
> Other:          1<br>
> Combined:       1<br>
><br>
> modinfo ixgbe<br>
> filename:<br>
> /lib/modules/4.0.5-gentoo/kernel/drivers/net/ethernet/intel/ixgbe/ixgbe.ko<br>
> version:        4.0.1-k<br>
><br>
> NIC is:<br>
> Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection<br>
><br>
><br>
<br>
</div></div>Can you share the last update in your stats.log<br>
and  suricata.log with verbose output.<br>
(on pastebin or similar if you prefer)<br>
<div><div class="h5"><br>
><br>
> On 12 July 2016 at 20:16, Marius <<a href="mailto:mciepluch@web.de">mciepluch@web.de</a>> wrote:<br>
>><br>
>> I'm on 4.0.5-gentoo.<br>
>><br>
>><br>
>> On 12 July 2016 at 20:01, Victor Julien <<a href="mailto:lists@inliniac.net">lists@inliniac.net</a>> wrote:<br>
>>><br>
>>> On 12-07-16 21:55, Cooper F. Nelson wrote:<br>
>>> > What kernel version are you using?<br>
>>> ><br>
>>> > There is a bug in the 4.2 and higher Linux kernel versions with the RSS<br>
>>> > implementation.  I was seeing those issues and reverting to the 4.1<br>
>>> > release fixed it.<br>
>>><br>
>>> That bug is still there, it's fixed in kernel 4.7rc7 and hopefully the<br>
>>> fix will be backported to stable kernels.<br>
>>><br>
>>> This post may be helpful as well<br>
>>><br>
>>> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Capture" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Capture</a><br>
>>><br>
>>><br>
>>> ><br>
>>> > -Coop<br>
>>> ><br>
>>> > On 7/12/2016 12:46 PM, Marius wrote:<br>
>>> >> The rules, which indicate an error, are mostly stream engine related:<br>
>>> >> SURICATA STREAM 3way handshake with ack in wrong dir [Classification:<br>
>>> >> (null)]<br>
>>> >> SURICATA STREAM ESTABLISHED packet out of window<br>
>>> >> SURICATA STREAM ESTABLISHED invalid ack<br>
>>> >> SURICATA STREAM Packet with invalid ack<br>
>>> >> SURICATA STREAM FIN invalid ack<br>
>>> ><br>
>>> ><br>
>>> ><br>
>>> ><br>
>>> > _______________________________________________<br>
>>> > Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
>>> > Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support:<br>
>>> > <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
>>> > List:<br>
>>> > <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>>> > Suricata User Conference November 9-11 in Washington, DC:<br>
>>> > <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
>>> ><br>
>>><br>
>>><br>
>>> --<br>
>>> ---------------------------------------------<br>
>>> Victor Julien<br>
>>> <a href="http://www.inliniac.net/" rel="noreferrer" target="_blank">http://www.inliniac.net/</a><br>
>>> PGP: <a href="http://www.inliniac.net/victorjulien.asc" rel="noreferrer" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
>>> ---------------------------------------------<br>
>>><br>
>><br>
>><br>
>><br>
><br>
><br>
<br>
<br>
<br>
--<br>
</div></div>Regards,<br>
Peter Manev<br>
</blockquote></div><br></div>
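<p>Added example (not part of the thread, not Suricata project code): before deciding whether to tune the NIC queues, threshold the stream-events rules, or ignore them, it helps to quantify a burst like the &quot;&gt;300 STREAM alerts per second&quot; reported above and to see whether a few flows dominate it (which points at reordering between RSS queues) or it is spread across many. The script below parses Suricata fast.log-format lines, keeps only the <code>SURICATA STREAM</code> events, and reports the per-second rate, the most frequent event messages and the noisiest flows. The sample log lines, their sids and the addresses are constructed for the example; the line layout follows the standard fast.log format.</p>

```python
"""Quantify SURICATA STREAM alert bursts from fast.log lines.

Added example for the thread above; not code from the mailing list or
from the Suricata project. Feed it real fast.log lines (e.g. via
stdin) to check how bad a stream-engine alert storm actually is.
"""
import re
import sys
from collections import Counter

# One fast.log line looks like:
# <ts>.<usec>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample input: timestamps, sids (9000001.. are placeholders,
# not real stream-events sids) and RFC 5737 documentation addresses.
SAMPLE_FAST_LOG = """\
07/12/2016-20:42:01.000100  [**] [1:9000001:1] SURICATA STREAM 3way handshake with ack in wrong dir [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:51234 -> 198.51.100.5:443
07/12/2016-20:42:01.000200  [**] [1:9000002:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: (null)] [Priority: 3] {TCP} 198.51.100.5:443 -> 192.0.2.10:51234
07/12/2016-20:42:01.000300  [**] [1:9000003:1] SURICATA STREAM ESTABLISHED invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 198.51.100.5:443 -> 192.0.2.10:51234
07/12/2016-20:42:01.000400  [**] [1:1000001:1] EXAMPLE non-stream test rule [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.20:40000 -> 198.51.100.7:80
07/12/2016-20:42:02.000100  [**] [1:9000002:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: (null)] [Priority: 3] {TCP} 198.51.100.5:443 -> 192.0.2.10:51234
07/12/2016-20:42:02.000200  [**] [1:9000002:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: (null)] [Priority: 3] {TCP} 198.51.100.5:443 -> 192.0.2.10:51234
07/12/2016-20:42:02.000300  [**] [1:9000003:1] SURICATA STREAM ESTABLISHED invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 198.51.100.5:443 -> 192.0.2.10:51234
07/12/2016-20:42:02.000400  [**] [1:9000003:1] SURICATA STREAM ESTABLISHED invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:51234 -> 198.51.100.5:443
07/12/2016-20:42:02.000500  [**] [1:9000001:1] SURICATA STREAM 3way handshake with ack in wrong dir [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.20:40000 -> 198.51.100.7:80
07/12/2016-20:42:03.000100  [**] [1:9000002:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: (null)] [Priority: 3] {TCP} 198.51.100.5:443 -> 192.0.2.10:51234
07/12/2016-20:42:03.000200  [**] [1:9000004:1] SURICATA STREAM FIN invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:51234 -> 198.51.100.5:443
"""


def parse_fast_log(lines):
    """Yield one dict per well-formed fast.log line; anything else is skipped."""
    for line in lines:
        m = FAST_RE.match(line)
        if m:
            yield m.groupdict()


def stream_alert_summary(lines, threshold_per_sec=300, top_n=5):
    """Summarise SURICATA STREAM alerts: rate per second, top messages, top flows.

    threshold_per_sec is the operator's pain point; the thread above quotes
    about 300 alerts per second as the rate that made the rules unusable.
    """
    per_second = Counter()   # alerts per wall-clock second
    per_msg = Counter()      # which stream events fire
    per_flow = Counter()     # (src, dst) pairs producing them
    for rec in parse_fast_log(lines):
        if not rec["msg"].startswith("SURICATA STREAM"):
            continue  # only stream-engine events are of interest here
        per_second[rec["ts"]] += 1
        per_msg[rec["msg"]] += 1
        per_flow[(rec["src"], rec["dst"])] += 1

    total = sum(per_second.values())
    seconds = len(per_second)
    max_per_sec = max(per_second.values(), default=0)
    return {
        "total": total,
        "seconds_with_alerts": seconds,
        "max_per_sec": max_per_sec,
        "mean_per_sec": total / seconds if seconds else 0.0,
        "top_messages": per_msg.most_common(top_n),
        "top_flows": per_flow.most_common(top_n),
        "exceeds_threshold": max_per_sec > threshold_per_sec,
    }


if __name__ == "__main__":
    # Use real data when piped in, otherwise the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_FAST_LOG.splitlines()
    summary = stream_alert_summary(source)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

<p>Usage: <code>python3 stream_rate.py &lt; /var/log/suricata/fast.log</code>. If the top flows list shows one or two connections producing most of the out-of-window and invalid-ack events, the cause is more likely packets of a single flow being split or reordered across capture threads (the RSS/queue issue discussed above) than a genuinely hostile peer; that is the case to investigate on the NIC side rather than by silencing the rules.</p>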