[Oisf-users] Really desperate: Suricata drops almost all packets
C. L. Martinez
carlopmart at gmail.com
Sun Mar 18 06:27:43 UTC 2018
Hi all,
I have installed Suricata 4.0.4 under FreeBSD 11.1 (fully patched) in a virtual machine to do some tests; the host is RHEL 7.4 with KVM. But Suricata drops most of the packets ... Statistics:
18/3/2018 -- 06:15:36 - <Info> - time elapsed 430.487s
18/3/2018 -- 06:15:37 - <Info> - (W#01-vtnet2) Packets 5223, bytes 1921005
18/3/2018 -- 06:15:37 - <Info> - (W#01-vtnet2) Pcap Total:93274 Recv:7434 Drop:85840 (92.0%).
18/3/2018 -- 06:15:37 - <Info> - (W#01-vtnet3) Packets 1822, bytes 653501
18/3/2018 -- 06:15:37 - <Info> - (W#01-vtnet3) Pcap Total:1890 Recv:1890 Drop:0 (0.0%).
18/3/2018 -- 06:15:37 - <Info> - (W#01-vtnet4) Packets 1775, bytes 342675
18/3/2018 -- 06:15:37 - <Info> - (W#01-vtnet4) Pcap Total:1933 Recv:1933 Drop:0 (0.0%).
18/3/2018 -- 06:15:37 - <Info> - Alerts: 0
18/3/2018 -- 06:15:37 - <Info> - cleaning up signature grouping structure... complete
18/3/2018 -- 06:15:37 - <Notice> - Stats for 'vtnet2': pkts: 5223, drop: 85749 (1641.76%), invalid chksum: 0
18/3/2018 -- 06:15:37 - <Notice> - Stats for 'vtnet3': pkts: 1822, drop: 0 (0.00%), invalid chksum: 0
18/3/2018 -- 06:15:37 - <Notice> - Stats for 'vtnet4': pkts: 1775, drop: 0 (0.00%), invalid chksum: 0
At the same time, in another ssh session on the same VM, running tcpdump on the vtnet2 interface:
tcpdump: listening on vtnet2, link-type EN10MB (Ethernet), capture size 262144 bytes
^C92355 packets captured
92360 packets received by filter
0 packets dropped by kernel
... Agghh ... tcpdump: 0 packets dropped, Suricata: 1641.76% packets dropped ....
Ok, having arrived at this point, some configs.
Command startup:
/usr/local/bin/suricata -k none -D -vvv --pcap=vtnet2 --pcap=vtnet3 --pcap=vtnet4 --pidfile /var/run/suricata.pid -c /etc/suricata/suricata.yaml
Runmode: workers
Defrag config:
defrag:
  memcap: 64mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60
Max pending packets: default (1024)
Flow config:
flow:
  memcap: 256mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
  #managers: 1 # default to one flow manager
  #recyclers: 1
Stream config:
stream:
  memcap: 256mb
  checksum-validation: no # reject wrong csums
  inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 512mb
    depth: 1mb # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10
    #raw: yes
    #segment-prealloc: 2048
    #check-overlap-different-data: true
Except for log options, all other options are at their defaults ...
FreeBSD 11.1 VM config: x86_64, 6GB RAM, 2 vCPUs, 5 interfaces (virtio driver)
Any idea why tcpdump never drops packets and Suricata drops almost all of them?
Thanks
--
Greetings,
C. L. Martinez
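The two drop figures in the post look contradictory (92.0% on the "Pcap Total" line, 1641.76% on the "Stats for" Notice line) because they are computed against different denominators. The script below is an added example, not code from the post or from the Suricata project: it parses both shutdown stats formats, reports drops as a share of what the capture saw (Drop / Total), and checks the inference, drawn only from the arithmetic on the quoted numbers, that the Notice-line percentage is drop divided by the packets Suricata actually processed (85749 / 5223 = 16.4176). The 5% alert threshold is an arbitrary choice for illustration; the sample lines are copied from the post above.

```python
import re

# Shutdown stats lines, copied verbatim from the post above.
SAMPLE_LOG = """\
18/3/2018 -- 06:15:37 - <Info> - (W#01-vtnet2) Packets 5223, bytes 1921005
18/3/2018 -- 06:15:37 - <Info> - (W#01-vtnet2) Pcap Total:93274 Recv:7434 Drop:85840 (92.0%).
18/3/2018 -- 06:15:37 - <Info> - (W#01-vtnet3) Packets 1822, bytes 653501
18/3/2018 -- 06:15:37 - <Info> - (W#01-vtnet3) Pcap Total:1890 Recv:1890 Drop:0 (0.0%).
18/3/2018 -- 06:15:37 - <Info> - (W#01-vtnet4) Packets 1775, bytes 342675
18/3/2018 -- 06:15:37 - <Info> - (W#01-vtnet4) Pcap Total:1933 Recv:1933 Drop:0 (0.0%).
18/3/2018 -- 06:15:37 - <Notice> - Stats for 'vtnet2': pkts: 5223, drop: 85749 (1641.76%), invalid chksum: 0
18/3/2018 -- 06:15:37 - <Notice> - Stats for 'vtnet3': pkts: 1822, drop: 0 (0.00%), invalid chksum: 0
18/3/2018 -- 06:15:37 - <Notice> - Stats for 'vtnet4': pkts: 1775, drop: 0 (0.00%), invalid chksum: 0
"""

# Per-thread pcap counters: what libpcap reports for the interface.
PCAP_RE = re.compile(
    r"\(W#\d+-(?P<iface>[^)]+)\) Pcap Total:(?P<total>\d+) Recv:(?P<recv>\d+) Drop:(?P<drop>\d+)"
)
# Per-interface Notice line printed at shutdown.
NOTICE_RE = re.compile(
    r"Stats for '(?P<iface>[^']+)': pkts: (?P<pkts>\d+), drop: (?P<drop>\d+) \((?P<pct>[\d.]+)%\)"
)


def parse_stats(text):
    """Collect the counters from both line formats, keyed by interface name."""
    stats = {}
    for line in text.splitlines():
        m = PCAP_RE.search(line)
        if m:
            s = stats.setdefault(m["iface"], {})
            s.update(total=int(m["total"]), recv=int(m["recv"]), pcap_drop=int(m["drop"]))
            continue
        m = NOTICE_RE.search(line)
        if m:
            s = stats.setdefault(m["iface"], {})
            s.update(pkts=int(m["pkts"]), notice_drop=int(m["drop"]), notice_pct=float(m["pct"]))
    return stats


def drop_ratio(s):
    """Drops as a fraction of everything the capture saw (Drop / Total on the pcap line)."""
    return s["pcap_drop"] / s["total"] if s["total"] else 0.0


def notice_pct_basis(s):
    """Recompute the Notice percentage as drop / pkts (the processed-packet count).

    This denominator is an assumption inferred from the numbers in the post,
    not taken from Suricata documentation; check_drops() verifies it.
    """
    return round(100.0 * s["notice_drop"] / s["pkts"], 2) if s["pkts"] else 0.0


def check_drops(text, threshold=0.05):
    """Flag interfaces dropping more than `threshold` of observed traffic (hypothetical limit)."""
    report = {}
    for iface, s in sorted(parse_stats(text).items()):
        ratio = drop_ratio(s)
        report[iface] = {
            "drop_ratio": round(ratio, 4),
            "over_threshold": ratio > threshold,
            # True when the Notice line's percent is explained by drop / pkts.
            "notice_pct_is_drop_over_pkts": abs(notice_pct_basis(s) - s["notice_pct"]) < 0.01,
        }
    return report


if __name__ == "__main__":
    for iface, r in check_drops(SAMPLE_LOG).items():
        flag = "DROPPING" if r["over_threshold"] else "ok"
        print(f"{iface}: {r['drop_ratio']:.2%} of captured packets dropped [{flag}]")
```

Run against the quoted output it reports vtnet2 at 92.03% dropped and the other two interfaces clean, and confirms that 1641.76% is simply 85749 drops over 5223 processed packets. Note that the two drop counters for vtnet2 (85840 on the pcap line, 85749 on the Notice line) are not identical; the script keeps them separate rather than guessing why.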