
<div dir="ltr">Sure.<div><br></div><div>* here is the verbose suricata.log <a href="http://pastebin.com/WSWe0xac">http://pastebin.com/WSWe0xac</a> <br></div><div>* here is the stats.log from a 5 minute run <a href="https://drive.google.com/file/d/0BwyhoK4VyctFRy11elNQTWVvWmM/view">https://drive.google.com/file/d/0BwyhoK4VyctFRy11elNQTWVvWmM/view</a> </div><div><br></div><div><br></div><div>The STREAM alerts do not start immediately. But the frequency is >300 STREAM alerts per second, so that I cannot run the sensor with these rules. </div><div><br></div><div>Best,</div><div>Marius</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 12 July 2016 at 20:58, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Tue, Jul 12, 2016 at 10:42 PM, Marius <<a href="mailto:wishinet@gmail.com">wishinet@gmail.com</a>> wrote:<br>

> For reference here is my NIC init script.<br>

> The linked wiki page mentions that issues like this can be related to the<br>

> NIC queues and a changed packet order.<br>

> Would it be safe to ignore these rules then?<br>

><br>

><br>

> ethtool -K enp17s0f1 tso off<br>

> ethtool -K enp17s0f1 gro off<br>

> ethtool -K enp17s0f1 ufo off<br>

> ethtool -K enp17s0f1 lro off<br>

> ethtool -K enp17s0f1 gso off<br>

> ethtool -K enp17s0f1 rx off<br>

> ethtool -K enp17s0f1 tx off<br>

> ethtool -K enp17s0f1 sg off<br>

> ethtool -K enp17s0f1 rxvlan off<br>

> ethtool -K enp17s0f1 txvlan off<br>

> ethtool -N enp17s0f1 rx-flow-hash udp4 sdfn<br>

> ethtool -N enp17s0f1 rx-flow-hash udp6 sdfn<br>

> ethtool -C enp17s0f1 rx-usecs 1 rx-frames 0<br>

> ethtool -C enp17s0f1 adaptive-rx off<br>

> ethtool -L enp17s0f1 combined 1<br>

><br>

><br>

> ethtool -l enp17s0f1<br>

> Channel parameters for enp17s0f1:<br>

> Pre-set maximums:<br>

> RX:             0<br>

> TX:             0<br>

> Other:          1<br>

> Combined:       63<br>

> Current hardware settings:<br>

> RX:             0<br>

> TX:             0<br>

> Other:          1<br>

> Combined:       1<br>

><br>

> modinfo ixgbe<br>

> filename:<br>

> /lib/modules/4.0.5-gentoo/kernel/drivers/net/ethernet/intel/ixgbe/ixgbe.ko<br>

> version:        4.0.1-k<br>

><br>

> NIC is:<br>

> Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection<br>

><br>

><br>

<br>

</div></div>Can you share the last update in your stats.log<br>

and  suricata.log with verbose output.<br>

(on pastebin or similar if you prefer)<br>

<div><div class="h5"><br>

><br>

> On 12 July 2016 at 20:16, Marius <<a href="mailto:mciepluch@web.de">mciepluch@web.de</a>> wrote:<br>

>><br>

>> I'm on 4.0.5-gentoo.<br>

>><br>

>><br>

>> On 12 July 2016 at 20:01, Victor Julien <<a href="mailto:lists@inliniac.net">lists@inliniac.net</a>> wrote:<br>

>>><br>

>>> On 12-07-16 21:55, Cooper F. Nelson wrote:<br>

>>> > What kernel version are you using?<br>

>>> ><br>

>>> > There is a bug in the 4.2 and higher Linux kernel versions with the RSS<br>

>>> > implementation.  I was seeing those issues and reverting to the 4.1<br>

>>> > release fixed it.<br>

>>><br>

>>> That bug is still there, it's fixed in kernel 4.7rc7 and hopefully the<br>

>>> fix will be backported to stable kernels.<br>

>>><br>

>>> This post may be helpful as well<br>

>>><br>

>>> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Capture" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Capture</a><br>

>>><br>

>>><br>

>>> ><br>

>>> > -Coop<br>

>>> ><br>

>>> > On 7/12/2016 12:46 PM, Marius wrote:<br>

>>> >> The rules, which indicate an error, are mostly stream engine related:<br>

>>> >> SURICATA STREAM 3way handshake with ack in wrong dir [Classification:<br>

>>> >> (null)]<br>

>>> >> SURICATA STREAM ESTABLISHED packet out of window<br>

>>> >> SURICATA STREAM ESTABLISHED invalid ack<br>

>>> >> SURICATA STREAM Packet with invalid ack<br>

>>> >> SURICATA STREAM FIN invalid ack<br>

>>> ><br>

>>> ><br>

>>> ><br>

>>> ><br>

>>> > _______________________________________________<br>

>>> > Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>

>>> > Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support:<br>

>>> > <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>

>>> > List:<br>

>>> > <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

>>> > Suricata User Conference November 9-11 in Washington, DC:<br>

>>> > <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>

>>> ><br>

>>><br>

>>><br>

>>> --<br>

>>> ---------------------------------------------<br>

>>> Victor Julien<br>

>>> <a href="http://www.inliniac.net/" rel="noreferrer" target="_blank">http://www.inliniac.net/</a><br>

>>> PGP: <a href="http://www.inliniac.net/victorjulien.asc" rel="noreferrer" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>

>>> ---------------------------------------------<br>

>>><br>

>>> _______________________________________________<br>

>>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>

>>> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>

>>> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

>>> Suricata User Conference November 9-11 in Washington, DC:<br>

>>> <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>

>><br>

>><br>

>><br>

>> On 12 July 2016 at 20:01, Victor Julien <<a href="mailto:lists@inliniac.net">lists@inliniac.net</a>> wrote:<br>

>>><br>

>>> On 12-07-16 21:55, Cooper F. Nelson wrote:<br>

>>> > What kernel version are you using?<br>

>>> ><br>

>>> > There is a bug in the 4.2 and higher Linux kernel versions with the RSS<br>

>>> > implementation.  I was seeing those issues and reverting to the 4.1<br>

>>> > release fixed it.<br>

>>><br>

>>> That bug is still there, it's fixed in kernel 4.7rc7 and hopefully the<br>

>>> fix will be backported to stable kernels.<br>

>>><br>

>>> This post may be helpful as well<br>

>>><br>

>>> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Capture" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Capture</a><br>

>>><br>

>>><br>

>>> ><br>

>>> > -Coop<br>

>>> ><br>

>>> > On 7/12/2016 12:46 PM, Marius wrote:<br>

>>> >> The rules, which indicate an error, are mostly stream engine related:<br>

>>> >> SURICATA STREAM 3way handshake with ack in wrong dir [Classification:<br>

>>> >> (null)]<br>

>>> >> SURICATA STREAM ESTABLISHED packet out of window<br>

>>> >> SURICATA STREAM ESTABLISHED invalid ack<br>

>>> >> SURICATA STREAM Packet with invalid ack<br>

>>> >> SURICATA STREAM FIN invalid ack<br>

>>> ><br>

>>> ><br>

>>> ><br>

>>> ><br>

>>> > _______________________________________________<br>

>>> > Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>

>>> > Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support:<br>

>>> > <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>

>>> > List:<br>

>>> > <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

>>> > Suricata User Conference November 9-11 in Washington, DC:<br>

>>> > <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>

>>> ><br>

>>><br>

>>><br>

>>> --<br>

>>> ---------------------------------------------<br>

>>> Victor Julien<br>

>>> <a href="http://www.inliniac.net/" rel="noreferrer" target="_blank">http://www.inliniac.net/</a><br>

>>> PGP: <a href="http://www.inliniac.net/victorjulien.asc" rel="noreferrer" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>

>>> ---------------------------------------------<br>

>>><br>

>>> _______________________________________________<br>

>>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>

>>> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>

>>> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

>>> Suricata User Conference November 9-11 in Washington, DC:<br>

>>> <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>

>><br>

>><br>

><br>

><br>

> _______________________________________________<br>

> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>

> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>

> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

> Suricata User Conference November 9-11 in Washington, DC:<br>

> <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>

<br>

<br>

<br>

--<br>

</div></div>Regards,<br>

Peter Manev<br>

</blockquote></div><br></div>