[Oisf-users] Losing a lot packets when suricata runs without detection modules

C. L. Martinez carlopmart at gmail.com
Wed Dec 10 10:33:46 UTC 2014 

Hi all,

 I am doing some tests running suricata without detection modules to
capture packets under FreeBSD 10.1 host.

 To do these tests I am using 2.1beta2 and 2.0.4, and results are the
same: I loose between 65% and 90% of packets.

 Current suricata.yaml used for both releases:

%YAML 1.1
---

max-pending-packets: 12288

runmode: workers

host-mode: sniffer-only

pid-file: /var/run/idpsuripcap01.pid

default-log-dir: /nsm/idpsuripcap01

outputs:
  - fast:
      enabled: no
  - eve-log:
      enabled: no
  - unified2-alert:
      enabled: no
  - http-log:
      enabled: no
  - tls-log:
      enabled: no
  - dns-log:
      enabled: no
  - pcap-info:
      enabled: no
  - pcap-log:
      enabled: yes
      filename: snort.log
      limit: 2gb
      mode: sguil
      sguil-base-dir: /nsm/idpsuripcap01
      use-stream-depth: no
  - alert-debug:
      enabled: no
  - alert-prelude:
      enabled: no
  - stats:
      enabled: no
  - syslog:
      enabled: no
  - drop:
      enabled: no
  - file-store:
      enabled: no
  - file-log:
      enabled: no

threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 2 ]
    - receive-cpu-set:
        cpu: [ 2 ]
    - decode-cpu-set:
        cpu: [ 2,3 ]
        mode: "balanced"
    - stream-cpu-set:
        cpu: [ 2,3 ]
    - detect-cpu-set:
        cpu: [ 2,3 ]
        mode: "exclusive"
        prio:
          low: [ 3 ]
          medium: [ 2,3 ]
          high: [ 2 ]
          default: "medium"
    - verdict-cpu-set:
        cpu: [ 3 ]
        prio:
          default: "high"
    - reject-cpu-set:
        cpu: [ 3 ]
        prio:
          default: "low"
    - output-cpu-set:
        cpu: [ 2,3 ]
        prio:
           default: "medium"
  detect-thread-ratio: 1.5

logging:
  default-log-level: info
  outputs:
  - console:
      enabled: no
  - file:
      enabled: yes
      filename: /var/log/idpsuripcap01.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "

pcap:
  - interface: vtnet4
    #buffer-size: 4mb
    #checksum-checks: auto
    threads: 2
    #promisc: no
    #snaplen: 1518
  - interface: default
    #checksum-checks: auto

coredump:
  max-dump: 0

Startup command for both suricata releases:

suricata --disable-detection --pidfile /var/run/idpsuripcap01.pid -D
-F /data/config/etc/idpsuripcap01/bpf.conf -k none -i vtnet4 -c
/data/config/etc/idpsuripcap01/suricata.yaml

Interface configuration:

vtnet4: flags=48943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,MONITOR>
metric 0 mtu 1514
        options=800a8<VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
        ether 52:54:00:d3:13:4b
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active

(gso,lro,tso, etc are off).

I am using the following bpf filter also:

(tcp and not (port 67 or port 68 or port 161 or port 162 or port 137
or port 138 or port 139 or port 445))

This is a 1GiB network.

 Any tips??

More information about the Oisf-users mailing list