[Oisf-users] Tuning Suricata (2.0beta1) -- no rules and lots of packet loss

Cooper F. Nelson cnelson at ucsd.edu
Thu Aug 22 19:51:10 UTC 2013


Suricata only segfaults on my sensor if I have file extraction enabled.
 But I really, really like that feature, hence I'm leaving it on and
hoping we can find a fix for the issue.

I'm not too concerned about sharing publicly as I'm using a hardened
linux distribution and the segfaults (in my case) seem not to be
directly related to any external input.  I could be wrong about that of
course, so if anyone has any advice re: best practice please let me know.

Re: timeouts; I've discovered that the best way to minimize packet drops
in the kernel is to lower the connection timeouts.  This in turn lowers
the load on the sensor and allows flows to be pruned from memory faster;
which seems to improve stability.  I've had stability issues with
heavily threaded apps under high system load due to various exotic race
conditions in the past.

-Coop

On 8/22/2013 12:04 PM, Tritium Cat wrote:
> Yeah.  Good to know you have the same problem too, one would get the
> impression from your other posts that you had a 100% functioning IDS with
> 99.999% uptime.
> [xxxxx.xxxxxx] AFPacketeth67[20954]: segfault at 40 ip 0xxxxxxxxxxxxx sp
> 00xxxxxxxxxxxxx error 4 in suricata[xxx000+xxxx00]
> :/
> The worst discussion to have on a public mailing list.
> What makes you think timeouts are involved ?
> --TC

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
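Lowering the connection timeouts as described in the post is done in the flow-timeouts section of suricata.yaml. The fragment below is an added example, not the poster's or the Suricata project's own configuration; the tightened values are constructed, and the shipped defaults noted in comments are assumed for a 2.0-era config.

```yaml
# suricata.yaml fragment (added example, values constructed).
# Shorter timeouts let idle flows be pruned from the flow table sooner,
# which lowers memory pressure and sensor load under heavy traffic.
flow:
  memcap: 1gb              # flow table memory budget
  hash-size: 1048576
  prealloc: 1000000
  emergency-recovery: 30   # % of flows pruned before leaving emergency mode

flow-timeouts:
  default:
    new: 15                # assumed shipped default: 30
    established: 120       # assumed shipped default: 300
    closed: 0
    emergency-new: 5
    emergency-established: 60
    emergency-closed: 0
  tcp:
    new: 30                # assumed shipped default: 60
    established: 600       # assumed shipped default: 3600; largest effect
    closed: 20             # assumed shipped default: 120
    emergency-new: 5
    emergency-established: 120
    emergency-closed: 10
  udp:
    new: 15
    established: 120
    emergency-new: 5
    emergency-established: 60
  icmp:
    new: 15
    established: 120
    emergency-new: 5
    emergency-established: 60
```

Compare the flow_mgr pruning counters and the capture drop counters in stats.log before and after the change; if long-lived sessions start being cut mid-stream, raise tcp.established first.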

