<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><style>body { line-height: 1.5; }blockquote { margin-top: 0px; margin-bottom: 0px; margin-left: 0.5em; }body { font-size: 10.5pt; font-family: 'Microsoft YaHei UI'; color: rgb(0, 0, 0); line-height: 1.5; }</style></head><body>
<div><span></span>Hi Eric</div><div> I used the new code, and the permission issue was resolved, but the load balancing issue remained</div><div><br></div><div><br></div>
<div><div>[root@yg suricata]# suricata --af-packet=ens4f1 --runmode=workers -c /etc/suricata/suricata.yaml -vvv</div><div>[14754] 8/10/2018 -- 11:46:05 - (conf-yaml-loader.c:273) <Info> (ConfYamlParse) -- Configuration node 'extended' redefined.</div><div>[14754] 8/10/2018 -- 11:46:05 - (suricata.c:1076) <Notice> (LogVersion) -- This is Suricata version 4.1.0-dev (rev 325f336f6)</div><div>[14754] 8/10/2018 -- 11:46:05 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 40</div><div>[14754] 8/10/2018 -- 11:46:05 - (app-layer-htp.c:2197) <Config> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'request-body-minimal-inspect-size' set to 31467 and 'request-body-inspect-window' set to 3900 after randomization.</div><div>[14754] 8/10/2018 -- 11:46:05 - (app-layer-htp.c:2215) <Config> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'response-body-minimal-inspect-size' set to 40414 and 'response-body-inspect-window' set to 16683 after randomization.</div><div>[14754] 8/10/2018 -- 11:46:05 - (app-layer-dns-udp.c:362) <Config> (DNSUDPConfigure) -- DNS request flood protection level: 500</div><div>[14754] 8/10/2018 -- 11:46:05 - (app-layer-dns-udp.c:374) <Config> (DNSUDPConfigure) -- DNS per flow memcap (state-memcap): 524288</div><div>[14754] 8/10/2018 -- 11:46:05 - (app-layer-dns-udp.c:386) <Config> (DNSUDPConfigure) -- DNS global memcap: 16777216</div><div>[14754] 8/10/2018 -- 11:46:05 - (app-layer-modbus.c:1514) <Config> (RegisterModbusParsers) -- Protocol detection and parser disabled for modbus protocol.</div><div>[14754] 8/10/2018 -- 11:46:05 - (app-layer-enip.c:416) <Config> (RegisterENIPUDPParsers) -- Protocol detection and parser disabled for enip protocol.</div><div>[14754] 8/10/2018 -- 11:46:05 - (app-layer-dnp3.c:1598) <Config> (RegisterDNP3Parsers) -- Protocol detection and parser disabled for DNP3.</div><div>[14754] 8/10/2018 -- 11:46:06 - (host.c:254) <Config> (HostInitConfig) -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64</div><div>[14754] 8/10/2018 -- 11:46:06 - (host.c:277) <Config> (HostInitConfig) -- preallocated 1000 hosts of size 136</div><div>[14754] 8/10/2018 -- 11:46:06 - (host.c:279) <Config> (HostInitConfig) -- host memory usage: 398144 bytes, maximum: 33554432</div><div>[14754] 8/10/2018 -- 11:46:06 - (util-coredump-config.c:122) <Config> (CoredumpLoadConfig) -- Core dump size is unlimited.</div><div>[14754] 8/10/2018 -- 11:46:06 - (defrag-hash.c:249) <Config> (DefragInitConfig) -- allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56</div><div>[14754] 8/10/2018 -- 11:46:06 - (defrag-hash.c:274) <Config> (DefragInitConfig) -- preallocated 65535 defrag trackers of size 168</div><div>[14754] 8/10/2018 -- 11:46:06 - (defrag-hash.c:281) <Config> (DefragInitConfig) -- defrag memory usage: 14679896 bytes, maximum: 33554432</div><div>[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:396) <Config> (StreamTcpInitConfig) -- stream "prealloc-sessions": 2048 (per thread)</div><div>[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:415) <Config> (StreamTcpInitConfig) -- stream "memcap": 67108864</div><div>[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:421) <Config> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled</div><div>[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:427) <Config> (StreamTcpInitConfig) -- stream "async-oneside": disabled</div><div>[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:444) <Config> (StreamTcpInitConfig) -- stream "checksum-validation": enabled</div><div>[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:472) <Config> (StreamTcpInitConfig) -- stream."inline": disabled</div><div>[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:485) <Config> (StreamTcpInitConfig) -- stream "bypass": disabled</div><div>[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:507) <Config> (StreamTcpInitConfig) -- stream "max-synack-queued": 5</div><div>[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:529) <Config> (StreamTcpInitConfig) -- stream.reassembly "memcap": 268435456</div><div>[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:547) <Config> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576</div><div>[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:623) <Config> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2558</div><div>[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:625) <Config> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2650</div><div>[14754] 8/10/2018 -- 11:46:06 - (stream-tcp.c:637) <Config> (StreamTcpInitConfig) -- stream.reassembly.raw: enabled</div><div>[14754] 8/10/2018 -- 11:46:06 - (stream-tcp-reassemble.c:381) <Config> (StreamTcpReassemblyConfig) -- stream.reassembly "segment-prealloc": 2048</div><div>[14754] 8/10/2018 -- 11:46:06 - (util-logopenfile.c:501) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log</div><div>[14754] 8/10/2018 -- 11:46:06 - (util-logopenfile.c:501) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve-%y-%m-%d.json</div><div>[14754] 8/10/2018 -- 11:46:06 - (runmodes.c:606) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'alert'</div><div>[14754] 8/10/2018 -- 11:46:06 - (runmodes.c:606) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'dns'</div><div>[14754] 8/10/2018 -- 11:46:06 - (util-logopenfile.c:501) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log</div><div>[14754] 8/10/2018 -- 11:46:06 - (suricata.c:2371) <Config> (SetupDelayedDetect) -- Delayed detect disabled</div><div>[14754] 8/10/2018 -- 11:46:06 - (util-conf.c:115) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket</div><div>[14754] 8/10/2018 -- 11:46:06 - (detect-engine.c:1509) <Config> (DetectEngineCtxInitReal) -- pattern matchers: MPM: ac, SPM: bm</div><div>[14754] 8/10/2018 -- 11:46:06 - (detect-engine.c:1905) <Config> (DetectEngineCtxLoadConf) -- grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080</div><div>[14754] 8/10/2018 -- 11:46:06 - (detect-engine.c:1929) <Config> (DetectEngineCtxLoadConf) -- grouping: udp-whitelist (default) 53, 135, 5060</div><div>[14754] 8/10/2018 -- 11:46:06 - (detect-engine.c:1957) <Config> (DetectEngineCtxLoadConf) -- prefilter engines: MPM</div><div>[14754] 8/10/2018 -- 11:46:06 - (reputation.c:609) <Config> (SRepInit) -- IP reputation disabled</div><div>[14754] 8/10/2018 -- 11:46:06 - (detect-engine-loader.c:247) <Config> (ProcessSigFiles) -- Loading rule file: /var/lib/suricata/rules/suricata.rules</div><div>[14754] 8/10/2018 -- 11:46:07 - (detect-parse.c:1938) <Info> (SigInit) -- Rule with ID 2026440 is bidirectional, but source and destination are the same, treating the rule as unidirectional</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-loader.c:247) <Config> (ProcessSigFiles) -- Loading rule file: /var/lib/suricata/rules/pass.rules</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-loader.c:247) <Config> (ProcessSigFiles) -- Loading rule file: /var/lib/suricata/rules/local.rules</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-loader.c:351) <Info> (SigLoadSignatures) -- 3 rule files processed. 19637 rules successfully loaded, 0 rules failed</div><div>[14754] 8/10/2018 -- 11:46:08 - (util-threshold-config.c:1129) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:340) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for tcp-packet</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:340) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for tcp-stream</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:340) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for udp-packet</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:340) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for other-ip</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_uri</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_request_line</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_client_body</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_response_line</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_header</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_header</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_header_names</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_header_names</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_accept</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_accept_enc</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_accept_lang</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_referer</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_connection</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_content_len</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_content_len</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_content_type</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_content_type</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_protocol</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_protocol</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_start</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_start</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_raw_header</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_raw_header</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_method</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_cookie</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_cookie</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_raw_uri</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_user_agent</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_host</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_raw_host</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_stat_msg</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_stat_code</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for dns_query</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for tls_sni</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for tls_cert_issuer</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for tls_cert_subject</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for tls_cert_serial</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for tls_cert_fingerprint</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for ja3_hash</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for ja3_string</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for dce_stub_data</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for dce_stub_data</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for ssh_protocol</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for ssh_protocol</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for ssh_software</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for ssh_software</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file_data</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-mpm.c:285) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file_data</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-build.c:1398) <Info> (SigAddressPrepareStage1) -- 20544 signatures processed. 2981 are IP-only rules, 6158 are inspecting packet payload, 13593 inspect application layer, 0 are decoder event only</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-build.c:1401) <Config> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: preprocessing rules... complete</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-flowbits.c:475) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Locky' is checked but not set. Checked in 2026434 and 0 other sigs</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-build.c:1240) <Perf> (RulesGroupByPorts) -- TCP toserver: 41 port groups, 34 unique SGH's, 7 copies</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-build.c:1240) <Perf> (RulesGroupByPorts) -- TCP toclient: 21 port groups, 21 unique SGH's, 0 copies</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-build.c:1240) <Perf> (RulesGroupByPorts) -- UDP toserver: 41 port groups, 33 unique SGH's, 8 copies</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-build.c:1240) <Perf> (RulesGroupByPorts) -- UDP toclient: 21 port groups, 16 unique SGH's, 5 copies</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-build.c:986) <Perf> (RulesGroupByProto) -- OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies</div><div>[14754] 8/10/2018 -- 11:46:08 - (detect-engine-build.c:1023) <Perf> (RulesGroupByProto) -- OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-build.c:1770) <Perf> (SigAddressPrepareStage4) -- Unique rule groups: 107</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:995) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver TCP packet": 25</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:995) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient TCP packet": 20</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:995) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver TCP stream": 24</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:995) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient TCP stream": 21</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:995) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver UDP packet": 33</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:995) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient UDP packet": 15</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:995) <Perf> (MpmStoreReportStats) -- Builtin MPM "other IP packet": 2</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_uri": 12</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_request_line": 1</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_client_body": 5</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_response_line": 1</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_header": 6</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_header": 3</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_header_names": 1</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_accept": 1</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_referer": 1</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_content_len": 1</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_content_type": 1</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_content_type": 1</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_start": 1</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_raw_header": 1</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_raw_header": 1</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_method": 3</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_cookie": 1</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_cookie": 2</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_raw_uri": 1</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_user_agent": 4</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_host": 2</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_stat_code": 1</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver dns_query": 4</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver tls_sni": 2</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls_cert_issuer": 2</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls_cert_subject": 1</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls_cert_serial": 1</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver ssh_protocol": 1</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver file_data": 1</div><div>[14754] 8/10/2018 -- 11:47:08 - (detect-engine-mpm.c:1002) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient file_data": 5</div><div>[14754] 8/10/2018 -- 11:47:10 - (runmode-af-packet.c:344) <Info> (ParseAFPConfig) -- Using ebpf based cluster mode for AF_PACKET (iface ens4f1)</div><div>[14754] 8/10/2018 -- 11:47:10 - (runmode-af-packet.c:376) <Config> (ParseAFPConfig) -- af-packet will use '/etc/suricata/ebpf/lb.bpf' as eBPF load balancing file</div><div>[14754] 8/10/2018 -- 11:47:10 - (runmode-af-packet.c:643) <Config> (ParseAFPConfig) -- ens4f1: enabling zero copy mode by using data release call</div><div>[14754] 8/10/2018 -- 11:47:10 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 16 thread(s)</div><div>[14754] 8/10/2018 -- 11:47:10 - (flow-manager.c:819) <Config> (FlowManagerThreadSpawn) -- using 1 flow manager threads</div><div>[14754] 8/10/2018 -- 11:47:10 - (flow-manager.c:980) <Config> (FlowRecyclerThreadSpawn) -- using 1 flow recycler threads</div><div>[14754] 8/10/2018 -- 11:47:10 - (util-conf.c:115) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket</div><div>[14754] 8/10/2018 -- 11:47:10 - (unix-manager.c:131) <Info> (UnixNew) -- Using unix socket file '/var/run/suricata/suricata-command.socket'</div><div>[14754] 8/10/2018 -- 11:47:10 - (tm-threads.c:2172) <Notice> (TmThreadWaitOnThreadInit) -- all 16 packet processing threads, 4 management threads initialized, engine started.</div><div>[14939] 8/10/2018 -- 11:47:10 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket</div><div>[14939] 8/10/2018 -- 11:47:10 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020</div><div>[14940] 8/10/2018 -- 11:47:10 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket</div><div>[14940] 8/10/2018 -- 11:47:10 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020</div><div>[14941] 8/10/2018 -- 11:47:10 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket</div><div>[14941] 8/10/2018 -- 11:47:10 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020</div><div>[14942] 8/10/2018 -- 11:47:10 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket</div><div>[14942] 8/10/2018 -- 11:47:10 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020</div><div>[14943] 8/10/2018 -- 11:47:11 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket</div><div>[14943] 8/10/2018 -- 11:47:11 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020</div><div>[14944] 8/10/2018 -- 11:47:11 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket</div><div>[14944] 8/10/2018 -- 11:47:11 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020</div><div>[14945] 8/10/2018 -- 11:47:11 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket</div><div>[14945] 8/10/2018 -- 11:47:11 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020</div><div>[14946] 8/10/2018 -- 11:47:11 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket</div><div>[14946] 8/10/2018 -- 11:47:11 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020</div><div>[14947] 8/10/2018 -- 11:47:11 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket</div><div>[14947] 8/10/2018 -- 11:47:11 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020</div><div>[14948] 8/10/2018 -- 11:47:12 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket</div><div>[14948] 8/10/2018 -- 11:47:12 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020</div><div>[14949] 8/10/2018 -- 11:47:12 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket</div><div>[14949] 8/10/2018 -- 11:47:12 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020</div><div>[14950] 8/10/2018 -- 11:47:12 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket</div><div>[14950] 8/10/2018 -- 11:47:12 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020</div><div>[14951] 8/10/2018 -- 11:47:12 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket</div><div>[14951] 8/10/2018 -- 11:47:12 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020</div><div>[14952] 8/10/2018 -- 11:47:12 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket</div><div>[14952] 8/10/2018 -- 11:47:12 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020</div><div>[14953] 8/10/2018 -- 11:47:12 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket</div><div>[14953] 8/10/2018 -- 11:47:12 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020</div><div>[14954] 8/10/2018 -- 11:47:13 - (source-af-packet.c:2007) <Info> (SockFanoutSeteBPF) -- Activated eBPF on socket</div><div>[14954] 8/10/2018 -- 11:47:13 - (source-af-packet.c:1733) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=15001 frame_size=1584 frame_nr=300020</div><div>[14954] 8/10/2018 -- 11:47:13 - (source-af-packet.c:513) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.</div><div>[14955] 8/10/2018 -- 11:47:32 - (flow-manager.c:770) <Info> (FlowManager) -- Flow emergency mode over, back to normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1538970452, ts.tv_usec:542) flow_spare_q status(): 305% flows at the queue</div><div>[14955] 8/10/2018 -- 11:47:39 - (flow-manager.c:770) <Info> (FlowManager) -- Flow emergency mode over, back to normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1538970458, ts.tv_usec:999404) flow_spare_q status(): 55% flows at the queue</div><div>[14955] 8/10/2018 -- 11:47:45 - (flow-manager.c:770) <Info> (FlowManager) -- Flow emergency mode over, back to normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1538970465, ts.tv_usec:1208) flow_spare_q status(): 255% flows at the queue</div><div>[14955] 8/10/2018 -- 11:47:51 - (flow-manager.c:770) <Info> (FlowManager) -- Flow emergency mode over, back to normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1538970470, ts.tv_usec:998735) flow_spare_q status(): 344% flows at the queue</div><div>[14955] 8/10/2018 -- 11:47:58 - (flow-manager.c:770) <Info> (FlowManager) -- Flow emergency mode over, back to normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1538970477, ts.tv_usec:999859) flow_spare_q status(): 75% flows at the queue</div><div>[14955] 8/10/2018 -- 11:48:06 - (flow-manager.c:770) <Info> (FlowManager) -- Flow emergency mode over, back to normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1538970485, ts.tv_usec:997592) flow_spare_q status(): 31% flows at the queue</div><div>^C[14754] 8/10/2018 -- 11:48:09 - (suricata.c:2733) <Notice> (SuricataMainLoop) -- Signal Received. Stopping engine.</div><div>[14955] 8/10/2018 -- 11:48:09 - (flow-manager.c:798) <Perf> (FlowManager) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state</div><div>[14754] 8/10/2018 -- 11:48:10 - (suricata.c:1100) <Info> (SCPrintElapsedTime) -- time elapsed 60.133s</div><div>[14956] 8/10/2018 -- 11:48:11 - (flow-manager.c:949) <Perf> (FlowRecycler) -- 1073195 flows processed</div><div>[14939] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#01-ens4f1) Kernel: Packets 40504054, dropped 34228573</div><div>[14939] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'</div><div>[14940] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#02-ens4f1) Kernel: Packets 36, dropped 0</div><div>[14940] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'</div><div>[14941] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#03-ens4f1) Kernel: Packets 62, dropped 0</div><div>[14941] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'</div><div>[14942] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#04-ens4f1) Kernel: Packets 59, dropped 0</div><div>[14942] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'</div><div>[14943] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#05-ens4f1) Kernel: Packets 105, dropped 0</div><div>[14943] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'</div><div>[14944] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#06-ens4f1) Kernel: Packets 126, dropped 0</div><div>[14944] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'</div><div>[14945] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#07-ens4f1) Kernel: Packets 76, dropped 0</div><div>[14945] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'</div><div>[14946] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#08-ens4f1) Kernel: Packets 86, dropped 0</div><div>[14946] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'</div><div>[14947] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#09-ens4f1) Kernel: Packets 81, dropped 0</div><div>[14947] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'</div><div>[14948] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#10-ens4f1) Kernel: Packets 76, dropped 0</div><div>[14948] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'</div><div>[14949] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#11-ens4f1) Kernel: Packets 80, dropped 0</div><div>[14949] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'</div><div>[14950] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#12-ens4f1) Kernel: Packets 58, dropped 0</div><div>[14950] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'</div><div>[14951] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#13-ens4f1) Kernel: Packets 57, dropped 0</div><div>[14951] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'</div><div>[14952] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#14-ens4f1) Kernel: Packets 77, dropped 0</div><div>[14952] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'</div><div>[14953] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#15-ens4f1) Kernel: Packets 42, dropped 0</div><div>[14953] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'</div><div>[14954] 8/10/2018 -- 11:48:11 - (source-af-packet.c:2655) <Perf> (ReceiveAFPThreadExitStats) -- (W#16-ens4f1) Kernel: Packets 524725, dropped 224653</div><div>[14954] 8/10/2018 -- 11:48:11 - (source-af-packet.c:1249) <Info> (AFPSwitchState) -- Cleaning socket connected to 'ens4f1'</div><div>[14754] 8/10/2018 -- 11:48:11 - (counters.c:815) <Info> (StatsLogSummary) -- Alerts: 128</div><div>[14754] 8/10/2018 -- 11:48:12 - (ippair.c:290) <Perf> (IPPairPrintStats) -- ippair memory usage: 414144 bytes, maximum: 16777216</div><div>[14754] 8/10/2018 -- 11:48:12 - (host.c:294) <Perf> (HostPrintStats) -- host memory usage: 604320 bytes, maximum: 33554432</div><div>[14754] 8/10/2018 -- 11:48:12 - (detect-engine-build.c:1704) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete</div><div>[14754] 8/10/2018 -- 11:48:12 - (util-device.c:328) <Notice> (LiveDeviceListClean) -- Stats for 'ens4f1': pkts: 41029800, drop: 34453226 (83.97%), invalid chksum: 54</div></div><hr style="width: 210px; height: 1px;" color="#b5c4df" size="1" align="left">
<div><span><div style="MARGIN: 10px; FONT-FAMILY: verdana; FONT-SIZE: 10pt"><div>mazhuang@17paipai.cn</div></div></span></div>
<blockquote style="margin-Top: 0px; margin-Bottom: 0px; margin-Left: 0.5em"><div> </div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"><div style="PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-SIZE: 12px;FONT-FAMILY:tahoma;COLOR:#000000; BACKGROUND: #efefef; PADDING-BOTTOM: 8px; PADDING-TOP: 8px"><div><b>From:</b> <a href="mailto:eric@regit.org">Eric Leblond</a></div><div><b>Date:</b> 2018-10-02 21:03</div><div><b>To:</b> <a href="mailto:mazhuang@17paipai.cn">mazhuang@17paipai.cn</a>; <a href="mailto:Konstantin.Klinger@dcso.de">Konstantin Klinger</a>; <a href="mailto:michalpurzynski1@gmail.com">Michał Purzyński</a></div><div><b>CC:</b> <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users</a></div><div><b>Subject:</b> Re: [Oisf-users] suricata 4.1 eBpf load balance</div></div></div><div><div>Hello,</div>
<div> </div>
<div> </div>
<div>I've just pushed https://github.com/regit/suricata/tree/ebpf-update-3 </div>
<div> </div>
<div>Could you give a try ? It should work better.</div>
<div> </div>
<div>BR,</div>
<div>--</div>
<div>Eric Leblond</div>
<div> </div>
<div>On Wed, 2018-09-19 at 15:02 +0800, mazhuang@17paipai.cn wrote:</div>
<div>> Hi Konstantin</div>
<div>> af-packet:</div>
<div>> - interface: ens4f1</div>
<div>> threads: 40</div>
<div>> cluster-id: 99</div>
<div>> cluster-type: cluster_ebpf</div>
<div>> defrag: yes</div>
<div>> ebpf-lb-file: /etc/suricata/ebpf/lb.bpf</div>
<div>> use-mmap: yes</div>
<div>> </div>
<div>> mazhuang@17paipai.cn</div>
<div>> > </div>
<div>> > From: Konstantin Klinger</div>
<div>> > Date: 2018-09-19 12:23</div>
<div>> > To: Michał Purzyński</div>
<div>> > CC: mazhuang@17paipai.cn; Open Information Security Foundation</div>
<div>> > Subject: Re: [Oisf-users] suricata 4.1 eBpf load balance</div>
<div>> > Hi,</div>
<div>> > </div>
<div>> > I would be interested how you have included this bpf filter into</div>
<div>> > your config?</div>
<div>> > </div>
<div>> > Cheers,</div>
<div>> > </div>
<div>> > Konstantin </div>
<div>> > </div>
<div>> > -- </div>
<div>> > Konstantin Klinger</div>
<div>> > Security Content Engineer</div>
<div>> > Threat Detection & Hunting (TDH)</div>
<div>> > </div>
<div>> > +49 160 95476260</div>
<div>> > konstantin.klinger@dcso.de</div>
<div>> > </div>
<div>> > dcso.de</div>
<div>> > blog.dcso.de</div>
<div>> > </div>
<div>> > PGP: 180D C5B3 3C68 5C9A FB58 6F33 400E 5A35 3307 8D46</div>
<div>> > </div>
<div>> > DCSO Deutsche Cyber-Sicherheitsorganisation GmbH • EUREF-Campus</div>
<div>> > 22 • 10829 Berlin, Germany</div>
<div>> > Geschäftsführer: Dr.-Ing. Gunnar Siebert, Sitz der Gesellschaft:</div>
<div>> > Berlin,</div>
<div>> > Amtsgericht Charlottenburg HRB 172382</div>
<div>> > </div>
<div>> > Am 18.09.2018 um 20:22 schrieb Michał Purzyński <</div>
<div>> > michalpurzynski1@gmail.com>:</div>
<div>> > </div>
<div>> > > Can you stop sending screenshoots and just C&P logs instead?</div>
<div>> > > </div>
<div>> > > On Tue, Sep 18, 2018 at 7:53 AM mazhuang@17paipai.cn <</div>
<div>> > > mazhuang@17paipai.cn> wrote:</div>
<div>> > > > Hi Eric</div>
<div>> > > > I'sure have vlan in my traccic.</div>
<div>> > > > </div>
<div>> > > > </div>
<div>> > > > mazhuang@17paipai.cn</div>
<div>> > > > > </div>
<div>> > > > > From: Eric Leblond</div>
<div>> > > > > Date: 2018-09-18 22:06</div>
<div>> > > > > To: mazhuang@17paipai.cn; Peter Manev</div>
<div>> > > > > CC: oisf-users</div>
<div>> > > > > Subject: Re: Re: [Oisf-users] suricata 4.1 eBpf load balance</div>
<div>> > > > > Hello,</div>
<div>> > > > > </div>
<div>> > > > > On Tue, 2018-09-18 at 21:42 +0800, mazhuang@17paipai.cn</div>
<div>> > > > > wrote:</div>
<div>> > > > > > Hi Eric</div>
<div>> > > > > > I used the new lb.c error report as shown below</div>
<div>> > > > > > No permissions? The figure lb.bpf is readable</div>
<div>> > > > > </div>
<div>> > > > > OK, let me do some tests and tries here.</div>
<div>> > > > > </div>
<div>> > > > > Just to be sure, do you have VLAN in your traffic ?</div>
<div>> > > > > </div>
<div>> > > > > BR,</div>
<div>> > > > > --</div>
<div>> > > > > Eric</div>
<div>> > > > > </div>
<div>> > > > > ></div>
<div>> > > > > ></div>
<div>> > > > > ></div>
<div>> > > > > > mazhuang@17paipai.cn</div>
<div>> > > > > > > </div>
<div>> > > > > > > From: Eric Leblond</div>
<div>> > > > > > > Date: 2018-09-18 21:24</div>
<div>> > > > > > > To: mazhuang@17paipai.cn; Peter Manev</div>
<div>> > > > > > > CC: oisf-users</div>
<div>> > > > > > > Subject: Re: [Oisf-users] suricata 4.1 eBpf load balance</div>
<div>> > > > > > > Hello,</div>
<div>> > > > > > > </div>
<div>> > > > > > > On Tue, 2018-09-18 at 21:14 +0800, mazhuang@17paipai.cn</div>
<div>> > > > > wrote:</div>
<div>> > > > > > > > Hi Peter</div>
<div>> > > > > > > > I'm using the suricata source code itself:</div>
<div>> > > > > > > > https://github.com/OISF/suricata/blob/master/ebpf/lb.c</div>
<div>> > > > > > > </div>
<div>> > > > > > > This code do not support VLAN maybe this is your issue.</div>
<div>> > > > > > > </div>
<div>> > > > > > > I've pushed a new version with VLAN support:</div>
<div>> > > > > > > </div>
<div>> > > > > > > https://github.com/regit/suricata/tree/ebpf-update</div>
<div>> > > > > > > </div>
<div>> > > > > > > Can you give it a try ?</div>
<div>> > > > > > > </div>
<div>> > > > > > > You can or use the branch or copy the lb.c to your source</div>
<div>> > > > > tree.</div>
<div>> > > > > > > </div>
<div>> > > > > > > BR,</div>
<div>> > > > > > > --</div>
<div>> > > > > > > Eric Leblond</div>
<div>> > > > > > > </div>
<div>> > > > > > > ></div>
<div>> > > > > > > > mazhuang@17paipai.cn</div>
<div>> > > > > > > > ></div>
<div>> > > > > > > > > From: Peter Manev</div>
<div>> > > > > > > > > Date: 2018-09-18 21:12</div>
<div>> > > > > > > > > To: mazhuang</div>
<div>> > > > > > > > > CC: Open Information Security Foundation</div>
<div>> > > > > > > > > Subject: Re: [Oisf-users] suricata 4.1 eBpf load</div>
<div>> > > > > balance</div>
<div>> > > > > > > > > On Tue, Sep 18, 2018 at 2:48 PM mazhuang@17paipai.cn</div>
<div>> > > > > > > > > <mazhuang@17paipai.cn> wrote:</div>
<div>> > > > > > > > > ></div>
<div>> > > > > > > > > > Hi All</div>
<div>> > > > > > > > > > I followed</div>
<div>> > > > > > > > ></div>
<div>> > > > > > > </div>
<div>> > > > > https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html#setup-ebpf-load-balancing</div>
<div>> > > > > > > > > this tutorial to configure ebpf load balancing, but</div>
<div>> > > > > the result</div>
<div>> > > > > > > was</div>
<div>> > > > > > > > > only one core processing the data</div>
<div>> > > > > > > > > ></div>
<div>> > > > > > > > > ></div>
<div>> > > > > > > > > > Suricata Version:4.1</div>
<div>> > > > > > > > > > OS:Centos 7</div>
<div>> > > > > > > > > > Kernel:Linux yg 4.18.8-1.el7.elrepo.x86_64 #1</div>
<div>> > > > > SMP Sat Sep</div>
<div>> > > > > > > 15</div>
<div>> > > > > > > > > 10:10:09 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux</div>
<div>> > > > > > > > > > CPU:Intel(R) Xeon(R) CPU E5-2640 v4 @ 2.40GHz</div>
<div>> > > > > x2</div>
<div>> > > > > > > > > > Memory:128G</div>
<div>> > > > > > > > ></div>
<div>> > > > > > > > ></div>
<div>> > > > > > > > > Can you share your balancer (lb.bpf) so i can try to</div>
<div>> > > > > reproduce?</div>
<div>> > > > > > > > ></div>
<div>> > > > > > > > ></div>
<div>> > > > > > > > ></div>
<div>> > > > > > > > > --</div>
<div>> > > > > > > > > Regards,</div>
<div>> > > > > > > > > Peter Manev</div>
<div>> > > > > > > > ></div>
<div>> > > > > > > ></div>
<div>> > > > > > > > _______________________________________________</div>
<div>> > > > > > > > Suricata IDS Users mailing list:</div>
<div>> > > > > > > oisf-users@openinfosecfoundation.org</div>
<div>> > > > > > > > Site: http://suricata-ids.org | Support:</div>
<div>> > > > > > > > http://suricata-ids.org/support/</div>
<div>> > > > > > > > List:</div>
<div>> > > > > > > ></div>
<div>> > > > > > > </div>
<div>> > > > > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</div>
<div>> > > > > > > ></div>
<div>> > > > > > > > Conference: https://suricon.net</div>
<div>> > > > > > > > Trainings: https://suricata-ids.org/training/</div>
<div>> > > > > > > --</div>
<div>> > > > > > > Eric Leblond <eric@regit.org></div>
<div>> > > > > > > </div>
<div>> > > > > --</div>
<div>> > > > > Eric Leblond <eric@regit.org></div>
<div>> > > > > </div>
<div>> > > > </div>
<div>> > > > _______________________________________________</div>
<div>> > > > Suricata IDS Users mailing list: </div>
<div>> > > > oisf-users@openinfosecfoundation.org</div>
<div>> > > > Site: http://suricata-ids.org | Support: </div>
<div>> > > > http://suricata-ids.org/support/</div>
<div>> > > > List: </div>
<div>> > > > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</div>
<div>> > > > </div>
<div>> > > > Conference: https://suricon.net</div>
<div>> > > > Trainings: https://suricata-ids.org/training/</div>
<div>> > </div>
<div>> > > _______________________________________________</div>
<div>> > > Suricata IDS Users mailing list: </div>
<div>> > > oisf-users@openinfosecfoundation.org</div>
<div>> > > Site: http://suricata-ids.org | Support: </div>
<div>> > > http://suricata-ids.org/support/</div>
<div>> > > List: </div>
<div>> > > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</div>
<div>> > > </div>
<div>> > > Conference: https://suricon.net</div>
<div>> > > Trainings: https://suricata-ids.org/training/</div>
<div>> </div>
<div>> _______________________________________________</div>
<div>> Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org</div>
<div>> Site: http://suricata-ids.org | Support: </div>
<div>> http://suricata-ids.org/support/</div>
<div>> List: </div>
<div>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</div>
<div>> </div>
<div>> Conference: https://suricon.net</div>
<div>> Trainings: https://suricata-ids.org/training/</div>
<div>-- </div>
<div>Eric Leblond <eric@regit.org></div>
<div> </div>
</div></blockquote>
</body></html>