<div dir="ltr"><div><div><div><div>Sorry for this late response.<br><br></div>Here it is:<br><br>------------------------------------------------------------------------------------<br>Date: 3/23/2018 -- 08:40:07 (uptime: 0d, 01h 13m 47s)<br>------------------------------------------------------------------------------------<br>Counter | TM Name | Value<br>------------------------------------------------------------------------------------<br>capture.kernel_packets | Total | 437700<br>capture.kernel_drops | Total | 74114<br>decoder.pkts | Total | 363587<br>decoder.bytes | Total | 29816414<br>decoder.ipv4 | Total | 360380<br>decoder.ipv6 | Total | 6<br>decoder.ethernet | Total | 363587<br>decoder.tcp | Total | 349015<br>decoder.udp | Total | 11122<br>decoder.icmpv4 | Total | 22<br>decoder.teredo | Total | 6<br>decoder.avg_pkt_size | Total | 82<br>decoder.max_pkt_size | Total | 1514<br>flow.tcp | Total | 186<br>flow.udp | Total | 2687<br>defrag.ipv4.fragments | Total | 221<br>defrag.ipv4.reassembled | Total | 96<br>tcp.sessions | Total | 176<br>tcp.syn | Total | 182<br>tcp.synack | Total | 168<br>tcp.rst | Total | 413<br>tcp.overlap | Total | 3<br>detect.alert | Total | 6<br>detect.nonmpm_list | Total | 19766<br>detect.fnonmpm_list | Total | 310<br>detect.match_list | Total | 310<br>app_layer.flow.http | Total | 81<br>app_layer.tx.http | Total | 83<br>app_layer.flow.tls | Total | 84<br>app_layer.flow.dns_udp | Total | 2570<br>app_layer.tx.dns_udp | Total | 2902<br>app_layer.flow.failed_udp | Total | 117<br>flow_mgr.closed_pruned | Total | 163<br>flow_mgr.new_pruned | Total | 133<br>flow_mgr.est_pruned | Total | 2416<br>flow.spare | Total | 10000<br>flow_mgr.flows_checked | Total | 1<br>flow_mgr.flows_notimeout | Total | 1<br>flow_mgr.rows_checked | Total | 65536<br>flow_mgr.rows_skipped | Total | 65535<br>flow_mgr.rows_maxlen | Total | 1<br>tcp.memuse | Total | 1720320<br>tcp.reassembly_memuse | Total | 245760<br>flow.memuse | Total | 6795520<br><br></div>And about 
rules:<br><br>23/3/2018 -- 07:26:14 - <Info> - Running in live mode, activating unix socket<br>23/3/2018 -- 07:26:14 - <Info> - Loading reputation file: /etc/suricata/rules/talos.txt<br>23/3/2018 -- 07:26:18 - <Info> - 9 rule files processed. 28727 rules successfully loaded, 0 rules failed<br>23/3/2018 -- 07:26:18 - <Info> - Threshold config parsed: 0 rule(s) found<br>23/3/2018 -- 07:26:18 - <Info> - 28727 signatures processed. 1295 are IP-only rules, 3361 are inspecting packet payload, 25180 inspect application layer, 0 are decoder event only<br>23/3/2018 -- 07:26:20 - <Info> - fast output device (regular) initialized: fast.log<br>23/3/2018 -- 07:26:20 - <Info> - stats output device (regular) initialized: stats.log<br>23/3/2018 -- 07:26:20 - <Info> - Going to use 1 thread(s)<br>23/3/2018 -- 07:26:20 - <Info> - using interface vtnet2<br>23/3/2018 -- 07:26:20 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<br>23/3/2018 -- 07:26:20 - <Info> - Found an MTU of 1512 for 'vtnet2'<br>23/3/2018 -- 07:26:20 - <Info> - Set snaplen to 1536 for 'vtnet2'<br>23/3/2018 -- 07:26:20 - <Info> - Going to use 1 thread(s)<br>23/3/2018 -- 07:26:20 - <Info> - using interface vtnet3<br>23/3/2018 -- 07:26:20 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.<br>23/3/2018 -- 07:26:20 - <Info> - Found an MTU of 1512 for 'vtnet3'<br>23/3/2018 -- 07:26:20 - <Info> - Set snaplen to 1536 for 'vtnet3'<br>23/3/2018 -- 07:26:20 - <Info> - Going to use 1 thread(s)<br>23/3/2018 -- 07:26:20 - <Info> - using interface vtnet4<br>23/3/2018 -- 07:26:20 - <Info> - Running in 'auto' checksum mode. 
Detection of interface state will require 1000 packets.<br>23/3/2018 -- 07:26:20 - <Info> - Found an MTU of 1512 for 'vtnet4'<br>23/3/2018 -- 07:26:20 - <Info> - Set snaplen to 1536 for 'vtnet4'<br>23/3/2018 -- 07:26:20 - <Info> - RunModeIdsPcapWorkers initialised<br>23/3/2018 -- 07:26:20 - <Info> - Running in live mode, activating unix socket<br>23/3/2018 -- 07:26:20 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'<br>23/3/2018 -- 07:26:20 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.<br>23/3/2018 -- 07:31:39 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used<br>23/3/2018 -- 07:32:41 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used<br>23/3/2018 -- 07:32:57 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used<br>23/3/2018 -- 08:40:06 - <Notice> - Signal Received. Stopping engine.<br>23/3/2018 -- 08:40:07 - <Info> - time elapsed 4426.912s<br>23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet2) Packets 351328, bytes 26323869<br>23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet2) Pcap Total:425442 Recv:351328 Drop:74114 (17.4%).<br>23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet3) Packets 6401, bytes 1849846<br>23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet3) Pcap Total:6404 Recv:6404 Drop:0 (0.0%).<br>23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet4) Packets 5858, bytes 1642699<br>23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet4) Pcap Total:5858 Recv:5858 Drop:0 (0.0%).<br>23/3/2018 -- 08:40:07 - <Info> - Alerts: 6<br>23/3/2018 -- 08:40:07 - <Info> - cleaning up signature grouping structure... 
complete<br>23/3/2018 -- 08:40:07 - <Notice> - Stats for 'vtnet2': pkts: 351328, drop: 74114 (21.10%), invalid chksum: 0<br>23/3/2018 -- 08:40:07 - <Notice> - Stats for 'vtnet3': pkts: 6401, drop: 0 (0.00%), invalid chksum: 0<br>23/3/2018 -- 08:40:07 - <Notice> - Stats for 'vtnet4': pkts: 5858, drop: 0 (0.00%), invalid chksum: 0<br><br></div>As you can see, Andreas, it's not a lot of traffic monitoring this VM.<br><br></div>Thanks<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 21, 2018 at 11:06 PM, Andreas Herz <span dir="ltr"><<a href="mailto:andi@geekosphere.org" target="_blank">andi@geekosphere.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 18/03/18 at 07:27, C. L. Martinez wrote:<br>
> Any idea why tcpdump never drops packets and Suricata almost all of them?<br>
<br>
Can you add stats.log?<br>
<br>
What rules are active?<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Andreas Herz<br>
______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/<wbr>training/</a></font></span></blockquote></div><br></div>
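<p>Added example (not part of the thread above and not Suricata's own code): a small parser for the <code>Counter | TM Name | Value</code> table that Suricata writes to stats.log, which pulls the most recent stats block and reports <code>capture.kernel_drops</code> as a fraction of <code>capture.kernel_packets</code>. The last block of the sample input is copied from the stats.log excerpt posted in this thread; the earlier block with <code>W#01-vtnet2</code> rows is constructed to show that per-thread and <code>Total</code> rows are kept apart. The 1% alert threshold is an arbitrary choice for illustration.</p>

```python
"""Parse a Suricata stats.log dump and report kernel capture drops.

Added example for this thread; not Suricata code. stats.log holds one
block per stats interval, each introduced by a 'Date:' header, followed
by a 'Counter | TM Name | Value' table. The script takes the newest block
and computes drops as a share of packets the kernel saw on the interface.
"""
import re
from typing import Dict, List, Tuple

KERNEL_PACKETS = "capture.kernel_packets"
KERNEL_DROPS = "capture.kernel_drops"

# A data row: counter name, thread name (or 'Total'), integer value.
_ROW = re.compile(r"^\s*([\w.]+)\s*\|\s*([^|]+?)\s*\|\s*(\d+)\s*$")
_DATE = re.compile(r"^Date:\s")

# Sample input. First block: constructed, with per-thread rows.
# Second block: verbatim subset of the stats.log posted in the thread.
SAMPLE = """\
------------------------------------------------------------------------------------
Date: 3/23/2018 -- 08:32:07 (uptime: 0d, 01h 05m 47s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
capture.kernel_packets | W#01-vtnet2 | 400000
capture.kernel_drops | W#01-vtnet2 | 60000
capture.kernel_packets | Total | 410000
capture.kernel_drops | Total | 60000
------------------------------------------------------------------------------------
Date: 3/23/2018 -- 08:40:07 (uptime: 0d, 01h 13m 47s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
capture.kernel_packets | Total | 437700
capture.kernel_drops | Total | 74114
decoder.pkts | Total | 363587
decoder.bytes | Total | 29816414
tcp.sessions | Total | 176
detect.alert | Total | 6
flow.memuse | Total | 6795520
"""


def parse_stats_blocks(text: str) -> List[Dict[str, int]]:
    """Split stats.log text into per-interval dicts of {key: value}.

    The key is the bare counter name for 'Total' rows and
    'counter/threadname' for per-thread rows, so they never collide.
    Separator lines, the header row and blank lines are skipped.
    """
    blocks: List[Dict[str, int]] = []
    current: Dict[str, int] = {}
    for line in text.splitlines():
        if _DATE.match(line):
            if current:
                blocks.append(current)
            current = {}
            continue
        m = _ROW.match(line)
        if not m:
            continue
        name, tm, value = m.group(1), m.group(2), int(m.group(3))
        key = name if tm == "Total" else f"{name}/{tm}"
        current[key] = value
    if current:
        blocks.append(current)
    return blocks


def drop_ratio(counters: Dict[str, int]) -> float:
    """kernel_drops divided by kernel_packets for one block (0.0 if no packets)."""
    seen = counters.get(KERNEL_PACKETS, 0)
    if seen == 0:
        return 0.0
    return counters.get(KERNEL_DROPS, 0) / seen


def check_latest(text: str, threshold: float = 0.01) -> Tuple[float, bool]:
    """Return (drop ratio of the newest block, whether it exceeds threshold)."""
    blocks = parse_stats_blocks(text)
    if not blocks:
        raise ValueError("no stats blocks found in input")
    ratio = drop_ratio(blocks[-1])
    return ratio, ratio > threshold


if __name__ == "__main__":
    ratio, exceeded = check_latest(SAMPLE)
    state = "ALERT" if exceeded else "ok"
    print(f"kernel drop ratio (latest block): {ratio:.2%} [{state}]")
```

<p>One caveat when comparing this number with Suricata's own shutdown summary: the thread's log shows the same 74114 dropped packets reported as 17.4% against the pcap total of 425442 on vtnet2 and as 21.10% against the 351328 packets actually received, so always check which denominator a percentage uses before comparing figures across runs or versions.</p>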