[Oisf-users] Suricata inline - rule matching stops

Victor Julien lists at inliniac.net
Fri May 23 08:36:43 UTC 2014


On 05/22/2014 06:58 PM, Özkan KIRIK wrote:
> Hi,
> stats log is attached.

I bet your stream.reassembly.memcap is set to 1gb, which is reached:
tcp.reassembly_memuse     | Detect                    | 1073741704

Then some packets are not being used for reassembly:
tcp.segment_memcap_drop   | Detect                    | 1944780

Leading to 'gaps' in the data:
tcp.reassembly_gap        | Detect                    | 5695

This would explain why we'd lose track of TLS sessions.

Try increasing the memcap.

Cheers,
Victor

> 
> On Thu, May 22, 2014 at 6:14 PM, Victor Julien <lists at inliniac.net> wrote:
> 
>     On 05/22/2014 03:13 PM, Özkan KIRIK wrote:
>     > I am running Suricata 2.0 release inline mode on FreeBSD.
>     > There is single rule as below:
>     > drop tls any any -> any any (msg:"SSL: vtunnel.com"; tls.subject:"vtunnel.com"; sid:3230059; rev:1;)
>     >
>     > At start, everything is fine. I can see drop events on fast.log.
>     > After a while (about 2 minutes) suricata gives up dropping packets. No
>     > packets match the rule although I tried to connect to vtunnel.com
>     > via https, but all traffic is forwarded.
>     >
>     > No threshold is configured in the yaml file.
>     >
>     > How can I debug this problem?
> 
>     I think it would make sense to inspect the stats.log. If stream/flow
>     engines run out of resources, tracking of tls may fail while packets
>     still flow.
> 
>     Can you share a record of your stats.log?
> 
>     --
>     ---------------------------------------------
>     Victor Julien
>     http://www.inliniac.net/
>     PGP: http://www.inliniac.net/victorjulien.asc
>     ---------------------------------------------
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
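The diagnosis above is a three-step read of stats.log: reassembly memuse sitting at the configured memcap, a non-zero segment_memcap_drop showing segments being discarded, and reassembly_gap counting the holes the detection engine then sees in the stream. The script below, added here as an example and not part of the thread or of Suricata itself, automates that read. It assumes a constructed suricata.yaml fragment with the 1gb value Victor suspects, and a constructed stats.log excerpt built from the three counter lines quoted in the reply; the helper names (parse_size, yaml_lookup, parse_stats, diagnose) are the example's own.

```python
import re

# Constructed suricata.yaml fragment (not from the thread) showing the 1gb
# reassembly memcap Victor suspects; the other keys are realistic filler.
SURICATA_YAML = """\
stream:
  memcap: 64mb
  checksum-validation: yes
  reassembly:
    memcap: 1gb
    depth: 1mb
"""

# Constructed stats.log excerpt: the three counters quoted in the reply in
# the Suricata 2.0 "counter | thread | value" layout, with a header line.
STATS_LOG = """\
Counter                   | TM Name                   | Value
--------------------------------------------------------------------
tcp.reassembly_memuse     | Detect                    | 1073741704
tcp.segment_memcap_drop   | Detect                    | 1944780
tcp.reassembly_gap        | Detect                    | 5695
"""

UNITS = {"": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}

# Gauges report a current level and may be echoed per thread, so take the
# largest; everything else is a monotonic counter worth summing across threads.
GAUGES = {"tcp.reassembly_memuse", "tcp.memuse", "flow.memuse"}


def parse_size(text):
    """Turn a Suricata size string such as '1gb' or '64mb' into bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]?b?)\s*", text.lower())
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(m.group(1)) * UNITS[m.group(2)]


def yaml_lookup(text, path):
    """Look up a dotted key path in an indentation-based YAML fragment.

    Deliberately minimal: only 'key: value' / 'key:' mappings, which is all
    the stream section uses. Use PyYAML on a real suricata.yaml.
    """
    stack = []  # (indent, key) pairs leading to the current line
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        if [k for _, k in stack] == path.split(".") and value.strip():
            return value.strip()
    return None


def parse_stats(text):
    """Collapse one stats.log dump into {counter: value}."""
    counters = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # header, separator or date line
        name, value = parts[0], int(parts[2])
        if name in GAUGES:
            counters[name] = max(counters.get(name, 0), value)
        else:
            counters[name] = counters.get(name, 0) + value
    return counters


def diagnose(yaml_text, stats_text, threshold=0.95):
    """Apply the reasoning from the reply: memuse at the memcap together with
    segment_memcap_drop > 0 means segments are being thrown away, and the
    reassembly_gap count is the damage the TLS rule is suffering from."""
    memcap = parse_size(yaml_lookup(yaml_text, "stream.reassembly.memcap"))
    stats = parse_stats(stats_text)
    memuse = stats.get("tcp.reassembly_memuse", 0)
    drops = stats.get("tcp.segment_memcap_drop", 0)
    gaps = stats.get("tcp.reassembly_gap", 0)
    exhausted = memuse >= threshold * memcap and drops > 0
    return {
        "memcap": memcap,
        "memuse": memuse,
        "utilisation": memuse / memcap,
        "segment_memcap_drop": drops,
        "reassembly_gap": gaps,
        "memcap_exhausted": exhausted,
    }


if __name__ == "__main__":
    report = diagnose(SURICATA_YAML, STATS_LOG)
    for key, value in report.items():
        print("%-22s %s" % (key, value))
    if report["memcap_exhausted"]:
        print("stream.reassembly.memcap is exhausted: raise it in suricata.yaml")
```

On the posted numbers the report shows memuse within 120 bytes of the 1 GiB cap and flags the memcap as exhausted. The fix is the one Victor gives: raise stream.reassembly.memcap in suricata.yaml, then watch the same three counters after a restart; segment_memcap_drop and reassembly_gap should stop growing once memuse stays below the cap.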
