<div dir="ltr"><div dir="auto"><div dir="auto">user@suricata:~$ uname -a                                                                                              </div><div dir="auto">Linux suricata 3.16.0-77-generic #99~14.04.1-Ubuntu SMP Tue Jun 28 19:17:10 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux</div><div dir="auto"><br></div><div dir="auto">Command line:</div><div dir="auto"><div dir="auto">/usr/bin/suricata -c /etc/suricata/suricata.yaml --pid file /var/run/suricata.pid --af-packet -D -vvv</div><div dir="auto"><br></div><div dir="auto">Server specs:</div><div dir="auto">Intel g3258 cpu (2 cores @ 3.2ghz)</div><div dir="auto">8gb ram</div><div dir="auto">Some cheap Realtek gigabit nics for capture, onboard nic for management</div><div dir="auto"><br></div><div>Relevant to capture portions of suricata.yaml:</div><div dir="auto"><div dir="auto">af-packet:                                                                                                              </div><div dir="auto">  - interface: p5p1                                                                                                     </div><div dir="auto">    copy-iface: p6p1                                                                                                    </div><div dir="auto">    cluster-id: 98                                                                                                      </div><div dir="auto">    threads: auto                                                                                                       </div><div dir="auto">    use-mmap: yes                                                                                                       </div><div dir="auto">    rollover: yes                                                                                                       </div><div dir="auto">    tpacket-v3: yes                                                                                                     </div><div dir="auto">    block-size: 32768                                                                                                   </div><div dir="auto">    copy-mode: ips                                                                                                      </div><div dir="auto">    buffer-size: 64535                                                                                                  </div><div dir="auto">    cluster-type: cluster_flow                                                                                          </div><div dir="auto">    defrag: yes                                                                                                         </div><div dir="auto">  - interface: p6p1                                                                                                     </div><div dir="auto">    copy-iface: p5p1                                                                                                    </div><div dir="auto">    cluster-id: 97                                                                                                      </div><div dir="auto">    threads: auto                                                                                                       </div><div dir="auto">    use-mmap: yes                                                                                                       </div><div dir="auto">    rollover: yes                                                                                                       </div><div dir="auto">    tpacket-v3: yes                                                                                                     </div><div dir="auto">    block-size: 32768                                                                                                   </div><div dir="auto">    copy-mode: ips                                                                                                      </div><div dir="auto">    buffer-size: 64535                                                                                                  </div><div dir="auto">    cluster-type: cluster_flow                                                                                          </div><div dir="auto">    defrag: yes                                                                                                         </div><div dir="auto">  - interface: default                                                                                                  </div><div dir="auto">    threads: auto                                                                                                       </div><div dir="auto">    use-mmap: yes                                                                                                       </div><div dir="auto">    rollover: yes                                                                                                       </div><div dir="auto">    tpacket-v3: yes                                                                                                     </div><div dir="auto">    block-size: 32768                                                                                                   </div><div dir="auto">    copy-mode: ips                                                                                                      </div><div dir="auto">    buffer-size: 64535                                                                                                  </div><div dir="auto">    cluster-type: cluster_flow                                                                                          </div><div dir="auto">    defrag: yes</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto">App-layer section </div><div dir="auto"><div dir="auto">   http:                                                                                                               </div><div dir="auto">      enabled: yes                                                                                                      </div><div dir="auto">      memcap: 512mb                                                                                                     </div><div dir="auto">      libhtp:                                                                                                           </div><div dir="auto">         default-config:                                                                                                </div><div dir="auto">           personality: IDS                                                                                             </div><div dir="auto">           request-body-limit: 1gb                                                                                      </div><div dir="auto">           response-body-limit: 1gb                                                                                     </div><div dir="auto">           request-body-minimal-inspect-<wbr>size: 32kb                                                                      </div><div dir="auto">           request-body-inspect-window: 4kb                                                                             </div><div dir="auto">           response-body-minimal-<wbr>inspect-size: 40kb                                                                     </div><div dir="auto">           response-body-inspect-window: 16kb                                                                           </div><div dir="auto">           response-body-decompress-<wbr>layer-limit: 2                                                                      </div><div dir="auto">           http-body-inline: auto                                                                                       </div><div dir="auto">           double-decode-path: no                                                                                       </div><div dir="auto">           double-decode-query: no</div></div></div></div><div class="gmail_extra" dir="auto"><br></div><div class="gmail_extra" dir="auto"><br></div><div class="gmail_extra" dir="auto"><div class="gmail_extra" dir="auto">host-mode: auto                                                                                                         </div><div class="gmail_extra" dir="auto">max-pending-packets: 2048                                                                                               </div><div class="gmail_extra" dir="auto">runmode: workers</div><div class="gmail_extra" dir="auto"><br></div><div class="gmail_extra" dir="auto"><div class="gmail_extra" dir="auto">defrag:                                                                                                                 </div><div class="gmail_extra" dir="auto">  memcap: 128mb                                                                                                         </div><div class="gmail_extra" dir="auto">  hash-size: 65536                                                                                                      </div><div class="gmail_extra" dir="auto">  trackers: 65535 # number of defragmented flows to follow                                                              </div><div class="gmail_extra" dir="auto">  max-frags: 65535 # number of fragments to keep (higher than trackers)                                                 </div><div class="gmail_extra" dir="auto">  prealloc: yes                                                                                                         </div><div class="gmail_extra" dir="auto">  timeout: 60                                                                                                           </div><div class="gmail_extra" dir="auto">flow:                                                                                                                   </div><div class="gmail_extra" dir="auto">  memcap: 128mb                                                                                                         </div><div class="gmail_extra" dir="auto">  hash-size: 65536                                                                                                      </div><div class="gmail_extra" dir="auto">  prealloc: 10000                                                                                                       </div><div class="gmail_extra" dir="auto">  emergency-recovery: 30</div><div class="gmail_extra" dir="auto"><div class="gmail_extra" dir="auto">stream:                                                                                                                 </div><div class="gmail_extra" dir="auto">  memcap: 128mb                                                                                                         </div><div class="gmail_extra" dir="auto">  checksum-validation: yes      # reject wrong csums                                                                    </div><div class="gmail_extra" dir="auto">  inline: yes                  # auto will use inline mode in IPS mode, yes or no set it statically                     </div><div class="gmail_extra" dir="auto">  reassembly:                                                                                                           </div><div class="gmail_extra" dir="auto">    memcap: 256mb                                                                                                       </div><div class="gmail_extra" dir="auto">    depth: 0                  # reassemble 1mb into a stream                                                            </div><div class="gmail_extra" dir="auto">    toserver-chunk-size 2560</div><div class="gmail_extra" dir="auto">    toclient-chunk-size: 2560                             </div><div class="gmail_extra" dir="auto">    randomize-chunk-size: yes</div><div class="gmail_extra" dir="auto"><br></div><div class="gmail_extra" dir="auto"><br></div><div class="gmail_extra">A lot of those config settings were copied over from my old 3.0 config.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Peter</div></div></div></div><div class="gmail_extra" dir="auto"><br><div class="gmail_quote">On Feb 4, 2017 5:10 PM, "Andreas Herz" <<a href="mailto:andi@geekosphere.org" target="_blank">andi@geekosphere.org</a>> wrote:<br type="attribution"><blockquote class="m_1101715047765488190m_-4892947835558042975quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="m_1101715047765488190m_-4892947835558042975quoted-text">On 04/02/17 at 16:59, Peter Fyon wrote:<br>
> Yes, IPS mode inline using af-packet, Ubuntu 14.04.<br>
<br>
</div>How do you run it exactly? Paste the command line please.<br>
<br>
Also add relevant sections you changed/added to the config.<br>
<br>
Also the hardware specs and network infos.<br>
<br>
What kernel is used?<br>
<div class="m_1101715047765488190m_-4892947835558042975elided-text"><br>
> Peter<br>
><br>
> On Feb 4, 2017 4:57 PM, "Andreas Herz" <<a href="mailto:andi@geekosphere.org" target="_blank">andi@geekosphere.org</a>> wrote:<br>
><br>
> On 04/02/17 at 16:47, Peter Fyon wrote:<br>
> > When I was running 3.0, I was using workers runmode with few issues. I<br>
> > upgraded to 3.2 this week and my ping times went from ~ 30ms to<br>
> ~150-200ms.<br>
><br>
> How do you run suricata and on what system?<br>
> Since you see latency issues I would guess IPS mode but there are some<br>
> :)<br>
><br>
> --<br>
> Andreas Herz<br>
> ______________________________<wbr>_________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundati<wbr>on.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/suppor<wbr>t/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfound<wbr>ation.org/mailman/listinfo/ois<wbr>f-users</a><br>
<br>
--<br>
Andreas Herz<br>
______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundati<wbr>on.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/suppor<wbr>t/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfound<wbr>ation.org/mailman/listinfo/ois<wbr>f-users</a><br>
</div></blockquote></div> </div></div>
</div>