<div dir="ltr"><div dir="auto"><div dir="auto">user@suricata:~$ uname -a </div><div dir="auto">Linux suricata 3.16.0-77-generic #99~14.04.1-Ubuntu SMP Tue Jun 28 19:17:10 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux</div><div dir="auto"><br></div><div dir="auto">Command line:</div><div dir="auto"><div dir="auto">/usr/bin/suricata -c /etc/suricata/suricata.yaml --pid file /var/run/suricata.pid --af-packet -D -vvv</div><div dir="auto"><br></div><div dir="auto">Server specs:</div><div dir="auto">Intel g3258 cpu (2 cores @ 3.2ghz)</div><div dir="auto">8gb ram</div><div dir="auto">Some cheap Realtek gigabit nics for capture, onboard nic for management</div><div dir="auto"><br></div><div>Relevant to capture portions of suricata.yaml:</div><div dir="auto"><div dir="auto">af-packet: </div><div dir="auto"> - interface: p5p1 </div><div dir="auto"> copy-iface: p6p1 </div><div dir="auto"> cluster-id: 98 </div><div dir="auto"> threads: auto </div><div dir="auto"> use-mmap: yes </div><div dir="auto"> rollover: yes </div><div dir="auto"> tpacket-v3: yes </div><div dir="auto"> block-size: 32768 </div><div dir="auto"> copy-mode: ips </div><div dir="auto"> buffer-size: 64535 </div><div dir="auto"> cluster-type: cluster_flow </div><div dir="auto"> defrag: yes </div><div dir="auto"> - interface: p6p1 </div><div dir="auto"> copy-iface: p5p1 </div><div dir="auto"> cluster-id: 97 </div><div dir="auto"> threads: auto </div><div dir="auto"> use-mmap: yes </div><div dir="auto"> rollover: yes </div><div dir="auto"> tpacket-v3: yes </div><div dir="auto"> block-size: 32768 </div><div dir="auto"> copy-mode: ips </div><div dir="auto"> buffer-size: 64535 </div><div dir="auto"> cluster-type: cluster_flow </div><div dir="auto"> defrag: yes </div><div dir="auto"> - interface: default </div><div dir="auto"> threads: auto </div><div dir="auto"> use-mmap: yes </div><div dir="auto"> rollover: yes </div><div dir="auto"> tpacket-v3: yes </div><div dir="auto"> block-size: 32768 </div><div dir="auto"> copy-mode: ips </div><div dir="auto"> buffer-size: 64535 </div><div dir="auto"> cluster-type: cluster_flow </div><div dir="auto"> defrag: yes</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto">App-layer section </div><div dir="auto"><div dir="auto"> http: </div><div dir="auto"> enabled: yes </div><div dir="auto"> memcap: 512mb </div><div dir="auto"> libhtp: </div><div dir="auto"> default-config: </div><div dir="auto"> personality: IDS </div><div dir="auto"> request-body-limit: 1gb </div><div dir="auto"> response-body-limit: 1gb </div><div dir="auto"> request-body-minimal-inspect-<wbr>size: 32kb </div><div dir="auto"> request-body-inspect-window: 4kb </div><div dir="auto"> response-body-minimal-<wbr>inspect-size: 40kb </div><div dir="auto"> response-body-inspect-window: 16kb </div><div dir="auto"> response-body-decompress-<wbr>layer-limit: 2 </div><div dir="auto"> http-body-inline: auto </div><div dir="auto"> double-decode-path: no </div><div dir="auto"> double-decode-query: no</div></div></div></div><div class="gmail_extra" dir="auto"><br></div><div class="gmail_extra" dir="auto"><br></div><div class="gmail_extra" dir="auto"><div class="gmail_extra" dir="auto">host-mode: auto </div><div class="gmail_extra" dir="auto">max-pending-packets: 2048 </div><div class="gmail_extra" dir="auto">runmode: workers</div><div class="gmail_extra" dir="auto"><br></div><div class="gmail_extra" dir="auto"><div class="gmail_extra" dir="auto">defrag: </div><div class="gmail_extra" dir="auto"> memcap: 128mb </div><div class="gmail_extra" dir="auto"> hash-size: 65536 </div><div class="gmail_extra" dir="auto"> trackers: 65535 # number of defragmented flows to follow </div><div class="gmail_extra" dir="auto"> max-frags: 65535 # number of fragments to keep (higher than trackers) </div><div class="gmail_extra" dir="auto"> prealloc: yes </div><div class="gmail_extra" dir="auto"> timeout: 60 </div><div class="gmail_extra" dir="auto">flow: </div><div class="gmail_extra" dir="auto"> memcap: 128mb </div><div class="gmail_extra" dir="auto"> hash-size: 65536 </div><div class="gmail_extra" dir="auto"> prealloc: 10000 </div><div class="gmail_extra" dir="auto"> emergency-recovery: 30</div><div class="gmail_extra" dir="auto"><div class="gmail_extra" dir="auto">stream: </div><div class="gmail_extra" dir="auto"> memcap: 128mb </div><div class="gmail_extra" dir="auto"> checksum-validation: yes # reject wrong csums </div><div class="gmail_extra" dir="auto"> inline: yes # auto will use inline mode in IPS mode, yes or no set it statically </div><div class="gmail_extra" dir="auto"> reassembly: </div><div class="gmail_extra" dir="auto"> memcap: 256mb </div><div class="gmail_extra" dir="auto"> depth: 0 # reassemble 1mb into a stream </div><div class="gmail_extra" dir="auto"> toserver-chunk-size 2560</div><div class="gmail_extra" dir="auto"> toclient-chunk-size: 2560 </div><div class="gmail_extra" dir="auto"> randomize-chunk-size: yes</div><div class="gmail_extra" dir="auto"><br></div><div class="gmail_extra" dir="auto"><br></div><div class="gmail_extra">A lot of those config settings were copied over from my old 3.0 config.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Peter</div></div></div></div><div class="gmail_extra" dir="auto"><br><div class="gmail_quote">On Feb 4, 2017 5:10 PM, "Andreas Herz" <<a href="mailto:andi@geekosphere.org" target="_blank">andi@geekosphere.org</a>> wrote:<br type="attribution"><blockquote class="m_1101715047765488190m_-4892947835558042975quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="m_1101715047765488190m_-4892947835558042975quoted-text">On 04/02/17 at 16:59, Peter Fyon wrote:<br>
> Yes, IPS mode inline using af-packet, Ubuntu 14.04.<br>
<br>
</div>How do you run it exactly? Paste the command line please.<br>
<br>
Also add relevant sections you changed/added to the config.<br>
<br>
Also the hardware specs and network infos.<br>
<br>
What kernel is used?<br>
<div class="m_1101715047765488190m_-4892947835558042975elided-text"><br>
> Peter<br>
><br>
> On Feb 4, 2017 4:57 PM, "Andreas Herz" <<a href="mailto:andi@geekosphere.org" target="_blank">andi@geekosphere.org</a>> wrote:<br>
><br>
> On 04/02/17 at 16:47, Peter Fyon wrote:<br>
> > When I was running 3.0, I was using workers runmode with few issues. I<br>
> > upgraded to 3.2 this week and my ping times went from ~ 30ms to<br>
> ~150-200ms.<br>
><br>
> How do you run suricata and on what system?<br>
> Since you see latency issues I would guess IPS mode but there are some<br>
> :)<br>
><br>
> --<br>
> Andreas Herz<br>
> ______________________________<wbr>_________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundati<wbr>on.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/suppor<wbr>t/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfound<wbr>ation.org/mailman/listinfo/ois<wbr>f-users</a><br>
<br>
--<br>
Andreas Herz<br>
______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundati<wbr>on.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/suppor<wbr>t/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfound<wbr>ation.org/mailman/listinfo/ois<wbr>f-users</a><br>
</div></blockquote></div> </div></div>
</div>