[Oisf-users] Tuning Suricata (2.0beta1) -- no rules and lots of packet loss

Cooper F. Nelson cnelson at ucsd.edu
Thu Aug 22 19:51:10 UTC 2013



Suricata only segfaults on my sensor if I have file extraction enabled.
 But I really, really like that feature, hence I'm leaving it on and
hoping we can find a fix for the issue.

I'm not too concerned about sharing publicly as I'm using a hardened
linux distribution and the segfaults (in my case) seem not to be
directly related to any external input.  I could be wrong about that of
course, so if anyone has any advice re: best practice please let me know.

Re: timeouts; I've discovered that the best way to minimize packet drops
in the kernel is to lower the connection timeouts.  This in turn lowers
the load on the sensor and allows flows to be pruned from memory faster;
which seems to improve stability.  I've had stability issues with
heavily threaded apps under high system load due to various exotic race
conditions in the past.

-Coop

On 8/22/2013 12:04 PM, Tritium Cat wrote:
> Yeah.  Good to know you have the same problem too, one would get the
> impression from your other posts that you had a 100% functioning IDS with
> 99.999% uptime.
> 
> [xxxxx.xxxxxx] AFPacketeth67[20954]: segfault at 40 ip 0xxxxxxxxxxxxx sp
> 00xxxxxxxxxxxxx error 4 in suricata[xxx000+xxxx00]
> 
> :/
> 
> The worst discussion to have on a public mailing list.
> 
> What makes you think timeouts are involved ?
> 
> --TC
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042


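The "lower the connection timeouts" tuning Coop describes lives in the flow-timeouts section of suricata.yaml. The fragment below is an added illustration, not config from the thread or from the Suricata project; the numbers are assumed values chosen to show the shape of the change, not measured ones, and the "before" column reflects the shipped defaults as best remembered, so compare against your own suricata.yaml before copying anything.

```yaml
# Added illustration (not from the original post). Suricata keeps one flow
# record per connection until the matching timeout expires; a shorter
# timeout means fewer resident flows, less memory under the memcap, and
# less work per flow-manager pass. Emergency timeouts apply once the flow
# memcap is reached and the engine starts pruning aggressively.

flow:
  memcap: 1gb          # assumed; the ceiling that triggers emergency mode
  hash-size: 65536     # assumed
  prealloc: 10000      # assumed
  emergency-recovery: 30

flow-timeouts:
  # --- assumed "before": roughly the shipped defaults ---
  # default:   new: 30   established: 300   closed: 0
  # tcp:       new: 60   established: 3600  closed: 120
  # udp:       new: 30   established: 300
  # icmp:      new: 30   established: 300
  #
  # --- "after": trimmed values for a busy sensor (assumed, tune to taste) ---
  default:
    new: 15
    established: 120
    closed: 0
    emergency-new: 5
    emergency-established: 30
    emergency-closed: 0
  tcp:
    new: 20                    # half-open handshakes are pruned sooner
    established: 600           # idle established sessions leave memory in 10 min
    closed: 30                 # FIN/RST'd flows are freed quickly
    emergency-new: 5
    emergency-established: 60
    emergency-closed: 5
  udp:
    new: 15
    established: 120
    emergency-new: 5
    emergency-established: 30
  icmp:
    new: 15
    established: 120
    emergency-new: 5
    emergency-established: 30
```

Shorter established timeouts trade a small risk of splitting a long-idle session into two flows for lower memory pressure; watch the flow-manager and memcap counters in stats.log after the change to confirm the sensor is spending less time in emergency mode.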
