[Oisf-users] Suricata overload

Christophe Vandeplas christophe at vandeplas.com
Fri Mar 21 11:29:20 UTC 2014


Hi Michal,

(plz include the list in the conversation, so others with more
experience can also reply)

On Fri, Mar 21, 2014 at 9:26 AM, Michal Šutta <michal.sutta at gmail.com> wrote:
> could you please explain to me when these individual types of drops occur in Suricata.
> - capture.kernel_drops

Suricata is not able to handle the amount of traffic coming in. This
might be caused by an underpowered machine, ruleset, misconfiguration,
...
A few are, as far as I know, "normal".

> - tcp.segment_memcap_drop
> - tcp.ssn_memcap_drop

Read the memcap documentation of the configuration file:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml

Grtz

>
>
>
> 2014-03-10 10:52 GMT+01:00 Christophe Vandeplas <christophe at vandeplas.com>:
>
>> On Mon, Mar 10, 2014 at 8:38 AM, Michal Šutta <michal.sutta at gmail.com> wrote:
>> > Hello,
>> >
>> > is there a way to find out how many packets were not processed because of
>> > the overload of Suricata?
>>
>> Make sure stats.log is activated in your yaml configuration.
>>   - stats:
>>       enabled: yes
>>       filename: stats.log
>>       interval: 60 # number of seconds
>>
>> In that stats.log file you will see different keys containing the word
>> 'drop', like:
>> - capture.kernel_drops
>> - tcp.segment_memcap_drop
>> - tcp.ssn_memcap_drop
>>
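As an added example (not part of the thread), a small parser that turns the cumulative stats.log counters discussed above into per-interval drop increments and a kernel drop ratio, so a rise in capture.kernel_drops or the memcap drops stands out. The sample log below is constructed and its layout only approximates Suricata's text stats.log.

```python
import re
from collections import defaultdict

# Constructed sample: two consecutive stats.log intervals (values made up,
# layout approximates the "Counter | TM Name | Value" table Suricata writes).
SAMPLE_STATS_LOG = """\
Date: 3/21/2014 -- 11:28:20 (uptime: 0d, 00h 01m 00s)
Counter                   | TM Name                   | Value
capture.kernel_packets    | RxPcapeth01               | 100000
capture.kernel_drops      | RxPcapeth01               | 0
tcp.segment_memcap_drop   | Detect                    | 0
tcp.ssn_memcap_drop       | Detect                    | 0
Date: 3/21/2014 -- 11:29:20 (uptime: 0d, 00h 02m 00s)
Counter                   | TM Name                   | Value
capture.kernel_packets    | RxPcapeth01               | 250000
capture.kernel_drops      | RxPcapeth01               | 3000
tcp.segment_memcap_drop   | Detect                    | 120
tcp.ssn_memcap_drop       | Detect                    | 0
"""

ROW_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_intervals(text):
    """Split stats.log into intervals; each maps counter -> value summed
    over threads. Counters are running totals since Suricata started."""
    intervals = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            intervals.append(defaultdict(int))
            continue
        m = ROW_RE.match(line)
        if m and intervals:
            counter, _thread, value = m.groups()
            intervals[-1][counter] += int(value)  # sum across capture threads
    return intervals


def drop_deltas(text):
    """Per-interval increments of every counter containing 'drop', plus the
    share of packets the kernel dropped in that interval."""
    intervals = parse_intervals(text)
    results = []
    for prev, cur in zip(intervals, intervals[1:]):
        delta = {k: cur[k] - prev.get(k, 0) for k in cur if "drop" in k}
        pkts = cur["capture.kernel_packets"] - prev.get("capture.kernel_packets", 0)
        kdrops = delta.get("capture.kernel_drops", 0)
        delta["kernel_drop_ratio"] = kdrops / pkts if pkts else 0.0
        results.append(delta)
    return results
```

Feeding the real stats.log through drop_deltas() once per interval gives the numbers to graph or alert on; a persistent non-zero kernel_drop_ratio is the overload signal this thread is about.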
