[Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?

Cooper F. Nelson cnelson at ucsd.edu
Wed Jul 10 17:39:02 EDT 2013


I'll have to ask my management about that.  I probably can share
off-list the single packet captures we have of traffic flagged as
non-DNS; but I use thresholding so it will only be the first packet of
the transaction.  Full packet captures are probably not possible as we
see gigabytes of data over port 53 every hour.

I'm going to roll back to v1.4.3 for now so I can still monitor DNS
traffic, thanks much for your help.

-Coop

On 7/10/2013 2:06 PM, Victor Julien wrote:
> 
> Are you able to share a capture of that non-dns port 53 traffic?
> 
>> Additionally, is there a way to disable the various app-layer
>> protocol handlers, either via suricata.yaml or at compile time?  I
>> would still like to run the ET DNS sigs on our DNS traffic.
> 
> Not yet, but it will be soon, for sure in 2.0final.
> 
> Cheers,
> Victor
> 
>> -Coop
> 
>> On 7/9/2013 11:46 PM, Peter Manev wrote:
>>>>
>>>> Question along those lines, what do the suricata devs feel
>>>> about the various NIC offloading features re: interaction with
>>>> suricata?
> 
>>> These, I think, should be OFF in general. Suricata must be able to
>>> see the traffic as it is.
> 
>>> Again, if I may, irqbalance and udp balancing are very
>>> important.
> 
> 
> 
>> _______________________________________________ Suricata IDS Users
>> mailing list: oisf-users at openinfosecfoundation.org Site:
>> http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/ List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> 
> OISF: http://www.openinfosecfoundation.org/

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042