[Oisf-users] Suricata inline - rule matching stops

Victor Julien lists at inliniac.net
Thu May 22 15:14:16 UTC 2014


On 05/22/2014 03:13 PM, Özkan KIRIK wrote:
> I am running Suricata 2.0 release inline mode on FreeBSD.
> There is single rule as below:
> drop tls any any -> any any (msg:"SSL: vtunnel.com"; tls.subject:"vtunnel.com"; sid:3230059; rev:1;)
> 
> At start, everything is fine. I can see drop events on fast.log.
> After a while (about 2 minutes) suricata gives up dropping packets. No
> packets match the rule although I tried to connect to vtunnel.com via
> https; all traffic is forwarded.
> 
> No threshold configured on yaml file.
> 
> How can I debug this problem?

I think it would make sense to inspect the stats.log. If stream/flow
engines run out of resources, tracking of tls may fail while packets
still flow.

Can you share a record of your stats.log?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
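As an added example (not part of the thread), a small Python script that reads a stats.log dump the way Victor suggests and reports the flow/stream resource counters that grew between the first and last dump. The counter names (flow.memcap, flow.emerg_mode_entered, tcp.ssn_memcap_drop, tcp.segment_memcap_drop) are assumed from Suricata 2.x and should be checked against your own stats.log; the stats.log excerpt is constructed.

```python
import re

# Counters whose growth shows the flow/stream engines hitting their memcaps.
# Names are assumed (Suricata 2.x style); verify against your own stats.log.
RESOURCE_COUNTERS = ("flow.memcap", "flow.emerg_mode_entered",
                     "tcp.ssn_memcap_drop", "tcp.segment_memcap_drop")

# Constructed stats.log excerpt: two dumps, the second taken once the
# flow engine has started refusing new flows.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 5/22/2014 -- 15:10:00 (uptime: 0d, 00h 00m 10s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
flow.memcap               | RxPcapem01                | 0
tcp.ssn_memcap_drop       | Detect                    | 0
-------------------------------------------------------------------
Date: 5/22/2014 -- 15:12:00 (uptime: 0d, 00h 02m 10s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
flow.memcap               | RxPcapem01                | 4312
tcp.ssn_memcap_drop       | Detect                    | 211
"""

COUNTER_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_stats_log(text):
    """Split stats.log into dumps; each maps counter name -> summed value."""
    dumps, current = [], None
    for line in text.splitlines():
        if line.startswith("Date:"):          # header of a new dump
            current = {}
            dumps.append(current)
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            name, _thread, value = m.groups()
            current[name] = current.get(name, 0) + int(value)  # sum threads
    return dumps

def resource_exhaustion(dumps):
    """Return {counter: growth} for resource counters that rose between
    the first and last dump; a non-empty result explains lost matches."""
    if len(dumps) < 2:
        return {}
    first, last = dumps[0], dumps[-1]
    return {c: last.get(c, 0) - first.get(c, 0) for c in RESOURCE_COUNTERS
            if last.get(c, 0) > first.get(c, 0)}
```

Run it over a real stats.log covering the two minutes before matching stops; any counter it reports is the memcap to raise (or the timeout to lower) in suricata.yaml.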
