[Oisf-users] (no subject)

Mark Ashley mark at ibiblio.org
Mon Mar 24 20:46:37 UTC 2014

Having debugged the heck out of suricata when getting it running on a
Solaris host, I've seen that there is a window of time between invoking
suricata and when it actually starts processing the packet flow. During
that time it's looping a lot and building it's internal structures up to
hold all of the rules. Once that's completed then the job of being an IDS
begins. For me that period of startup time was up to a few minutes,
depending on the size of my rule set.

It's very much within the limits of plausibility for the system to drop
those 30K packets during the pre-processing of the rules and then not drop
anything during the normal work phase. It's not taking packets off the
stack during the rule build phase. They will just drop. If you're seeing
zero drops on an ongoing basis, that's great. I got used to the fact packet
drop just happens when you listen at a 10Gb feed.

Keep in mind when compiling in profiling and running stats counting, it
WILL slow down the engine so packet drops will occur, it's akin to the law
of physics about affecting something you are measuring. It was suggested it
added a 20% overhead.

On Tue, Mar 25, 2014 at 3:53 AM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> Hash: SHA1
> That's not right at all.  What kernel revision are you running?  I know
> to get the RSS+AF_PACKET+mmap mode working well you need a fairly recent
> kernel.
> - -Coop
> On 3/24/2014 9:07 AM, Travel Factory S.r.l. wrote:
> > On Mon, 24 Mar 2014 06:10:02 -0700
> >  "Cooper F. Nelson" <cnelson at ucsd.edu> wrote:
> >
> >>
> >> I tried restarting suricata with "buffer-size: 0" as I suggested and can
> >> confirm it doesn't drop packets at startup.  I'll see how it performs
> >> under load during the day.
> >
> >
> > no changes after setting this parameter to 0: during startup
> > capture.kernel_drops grows over 30000 and then stops at that value.
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> CIZP2sRDI1B8n1VPzAHvL0yBKfLUvTmRYAdtEBgkmfl+R38hnc1vkvt1zO/lq7Gt
> umvG/XCFNpy+NtoYXp84MDHEt47LLcAWEy+4IQXObiQRsIFA9zeuosw7wB5RdnmH
> 4waT3/nxlm07yk8HNh2d7MnoIkzc67NZpdPFVKVWfLzWH3t1UF9s8xdCtSpik9/P
> szQm30VcfaP3Sx5frafFH9uPZSyfIknrnxSlkTJTwU7yVdbU1ai/LvNGTBh1Hm40
> /Awvapr/l2K35rHmktyQrnJt8H/41wGCIY0SRxF57tJgjeOwU3argL0rtWWKvyc=
> =nK88
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140325/8bf4c5bb/attachment-0002.html>

More information about the Oisf-users mailing list