[Oisf-users] Suricata inline - rule matching stops

Özkan KIRIK ozkan.kirik at gmail.com
Thu May 22 16:58:16 UTC 2014


Hi,
stats log is attached.


On Thu, May 22, 2014 at 6:14 PM, Victor Julien <lists at inliniac.net> wrote:

> On 05/22/2014 03:13 PM, Özkan KIRIK wrote:
> > I am running Suricata 2.0 release inline mode on FreeBSD.
> > There is single rule as below:
> > drop tls any any -> any any (msg:"SSL: vtunnel.com"; tls.subject:"vtunnel.com";
> > sid:3230059; rev:1;)
> >
> > At start, everything is fine. I can see drop events on fast.log.
> > After a while ( about 2 minutes ) suricata gives up dropping packets. No
> > packets match the rule although I tried to connect to vtunnel.com
> > via https, but all traffic is forwarded.
> >
> > No threshold configured on yaml file.
> >
> > How can I debug this problem?
>
> I think it would make sense to inspect the stats.log. If stream/flow
> engines run out of resources, tracking of tls may fail while packets
> still flow.
>
> Can you share a record of your stats.log?
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: divert_stats.log
Type: application/octet-stream
Size: 797997 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140522/368531ac/attachment-0002.obj>
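One way to act on Victor's suggestion and read a stats.log for the symptom he describes. This script is an added example, not code from the thread or from the Suricata project. It parses the tabular layout Suricata 2.x writes to stats.log (blocks headed by a `Date:` line, then `Counter | TM Name | Value` rows), sums each counter across threads, and reports flow/stream memcap counters that grew between the first and last dump, plus whether `detect.alert` stopped moving while `capture.kernel_packets` kept rising. The stats lines embedded below are constructed, not Özkan's attachment; the counter names follow Suricata 2.x stats output and should be checked against the names in your own file.

```python
"""Scan a Suricata 2.x stats.log for signs that the flow/stream engines ran
out of memcap, which can make TLS tracking fail while packets still flow.
Added example: the stats text below is constructed, not a real capture."""
import re
from collections import defaultdict

# Counters whose growth between two stats dumps points at resource exhaustion
# in the flow/stream engines. Names as used by Suricata 2.x stats.log (assumed;
# verify against your own file).
SUSPECT_COUNTERS = (
    "flow.memcap",
    "flow.emerg_mode_entered",
    "tcp.ssn_memcap_drop",
    "tcp.segment_memcap_drop",
    "tcp.stream_depth_reached",
)

DATE_RE = re.compile(r"^Date: (.+?) \(uptime")
ROW_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

# Constructed sample: two dumps two minutes apart; packets keep flowing, alerts
# stop, and the TCP session/segment memcap drop counters climb.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 5/22/2014 -- 16:56:10 (uptime: 0d, 00h 00m 30s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapem01                | 41200
flow.memcap               | FlowManagerThread         | 0
flow.emerg_mode_entered   | FlowManagerThread         | 0
tcp.ssn_memcap_drop       | Detect                    | 0
tcp.segment_memcap_drop   | Detect                    | 0
detect.alert              | Detect                    | 12
-------------------------------------------------------------------
Date: 5/22/2014 -- 16:58:10 (uptime: 0d, 00h 02m 30s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapem01                | 398000
flow.memcap               | FlowManagerThread         | 0
flow.emerg_mode_entered   | FlowManagerThread         | 1
tcp.ssn_memcap_drop       | Detect                    | 1523
tcp.segment_memcap_drop   | Detect                    | 8801
detect.alert              | Detect                    | 12
"""


def parse_stats_log(text):
    """Return a list of (timestamp, {counter: value}) per stats dump.
    Values are summed across threads (the TM Name column)."""
    dumps = []
    current = None
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            current = (m.group(1), defaultdict(int))
            dumps.append(current)
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            counter, _tm_name, value = m.groups()
            current[1][counter] += int(value)
    return [(ts, dict(counters)) for ts, counters in dumps]


def find_resource_exhaustion(dumps, suspect=SUSPECT_COUNTERS):
    """Compare first and last dump; return suspect counters that increased."""
    if len(dumps) < 2:
        return {}
    first, last = dumps[0][1], dumps[-1][1]
    findings = {}
    for name in suspect:
        delta = last.get(name, 0) - first.get(name, 0)
        if delta > 0:
            findings[name] = delta
    return findings


def alerts_stalled(dumps):
    """True when packets were still captured but detect.alert did not move."""
    if len(dumps) < 2:
        return False
    first, last = dumps[0][1], dumps[-1][1]
    packets_grew = last.get("capture.kernel_packets", 0) > first.get("capture.kernel_packets", 0)
    alerts_flat = last.get("detect.alert", 0) == first.get("detect.alert", 0)
    return packets_grew and alerts_flat


if __name__ == "__main__":
    dumps = parse_stats_log(SAMPLE_STATS_LOG)
    print("dumps parsed:", len(dumps), "first:", dumps[0][0], "last:", dumps[-1][0])
    for name, delta in find_resource_exhaustion(dumps).items():
        print("grew by %d: %s" % (delta, name))
    print("alerts stalled while packets flowed:", alerts_stalled(dumps))
```

Run it against a real file with `parse_stats_log(open("stats.log").read())`. A growing `tcp.ssn_memcap_drop` or `tcp.segment_memcap_drop` while alerts stay flat is the pattern Victor describes: sessions the stream engine could not track are never handed to the TLS parser, so `tls.subject` never matches and inline packets are passed through unmatched.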