[Oisf-users] Tuning Suricata (2.0beta1) -- no rules and lots of packet loss

Peter Manev petermanev at gmail.com
Fri Aug 23 16:00:27 UTC 2013


On Thu, Aug 22, 2013 at 10:51 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Suricata only segfaults on my sensor if I have file extraction enabled.
>  But I really, really like that feature, hence I'm leaving it on and
> hoping we can find a fix for the issue.
>
> I'm not too concerned about sharing publicly as I'm using a hardened
> linux distribution and the segfaults (in my case) seem not to be
> directly related to any external input.  I could be wrong about that of
> course, so if anyone has any advice re: best practice please let me know.
>
> Re: timeouts; I've discovered that the best way to minimize packet drops
> in the kernel is to lower the connection timeouts.  This in turn lowers
> the load on the sensor and allows flows to be pruned from memory faster;
> which seems to improve stability.  I've had stability issues with
> heavily threaded apps under high system load due to various exotic race
> conditions in the past.
>
> - -Coop
>
> On 8/22/2013 12:04 PM, Tritium Cat wrote:
>> Yeah.  Good to know you have the same problem too, one would get the
>> impression from your other posts that you had a 100% functioning IDS with
>> 99.999% uptime.
>>
>> [xxxxx.xxxxxx] AFPacketeth67[20954]: segfault at 40 ip 0xxxxxxxxxxxxx sp
>> 00xxxxxxxxxxxxx error 4 in suricata[xxx000+xxxx00]
>>
>> :/
>>
>> The worst discussion to have on a public mailing list.
>>
>> What makes you think timeouts are involved ?
>>


BTW - are you using the correct htp version?
What is the output of
suricata --build-info
?

thanks


-- 
Regards,
Peter Manev
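The timeout tuning Cooper describes is done in the flow-timeouts section of suricata.yaml. The fragment below is an added illustration, not configuration posted by anyone in this thread: the first block shows stock-style values, the second a lowered set of the kind he is describing. The exact numbers are assumptions chosen to show the direction of the change, not recommended settings; the right values depend on the sensor's traffic mix and memory.

```yaml
# Added example: flow-timeouts excerpt for suricata.yaml (values are illustrative).
# Timeouts are in seconds. "emergency-*" values apply once the flow engine
# enters emergency mode because the flow table is nearly full.

# Stock-style values: long-lived TCP flows stay in memory for up to an hour.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100

# Lowered values (assumed, for illustration): flows are pruned from the flow
# table much sooner, so fewer flows are tracked at once and the per-packet
# flow lookup and the flow manager have less work to do under load.
# flow-timeouts:
#   default:
#     new: 10
#     established: 120
#     closed: 0
#   tcp:
#     new: 20
#     established: 600
#     closed: 30
#   udp:
#     new: 10
#     established: 60
#   icmp:
#     new: 10
#     established: 60
```

Two things to watch when lowering these. First, confirm the change actually helps by comparing the capture.kernel_drops counter in stats.log before and after, rather than relying on the feel of the box. Second, a TCP established timeout that is too short means an idle but still-open session is evicted from the flow table; when it resumes, Suricata sees it as a mid-stream pickup, and with stream.midstream set to false that traffic is no longer inspected, so an overly aggressive value trades packet loss in the kernel for silent blind spots in detection.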


