[Oisf-users] Suricata inline - rule matching stops

Özkan KIRIK ozkan.kirik at gmail.com
Fri May 23 11:12:18 UTC 2014


it works

thank you very much


On Fri, May 23, 2014 at 11:36 AM, Victor Julien <lists at inliniac.net> wrote:

> On 05/22/2014 06:58 PM, Özkan KIRIK wrote:
> > Hi,
> > stats log is attached.
>
> I bet your stream.reassembly.memcap is set to 1gb, which is reached:
> tcp.reassembly_memuse     | Detect                    | 1073741704
>
> Then some packets are not being used for reassembly:
> tcp.segment_memcap_drop   | Detect                    | 1944780
>
> Leading to 'gaps' in the data:
> tcp.reassembly_gap        | Detect                    | 5695
>
> This would explain why we'd lose track of TLS sessions.
>
> Try increasing the memcap.
>
> Cheers,
> Victor
>
> >
> > On Thu, May 22, 2014 at 6:14 PM, Victor Julien <lists at inliniac.net> wrote:
> >
> >     On 05/22/2014 03:13 PM, Özkan KIRIK wrote:
> >     > I am running Suricata 2.0 release inline mode on FreeBSD.
> >     > There is single rule as below:
> >     > drop tls any any -> any any (msg:"SSL: vtunnel.com";
> >     > tls.subject:"vtunnel.com"; sid:3230059; rev:1;)
> >     >
> >     > At start, everything is fine. I can see drop events on fast.log.
> >     > After a while ( about 2 minutes ) suricata gives up dropping
> >     > packets. No packets match the rule although I tried to connect to
> >     > vtunnel.com via https, but all traffic is forwarded.
> >     >
> >     > No threshold configured on yaml file.
> >     >
> >     > How can I debug this problem?
> >
> >     I think it would make sense to inspect the stats.log. If stream/flow
> >     engines run out of resources, tracking of tls may fail while packets
> >     still flow.
> >
> >     Can you share a record of your stats.log?
> >
> >     --
> >     ---------------------------------------------
> >     Victor Julien
> >     http://www.inliniac.net/
> >     PGP: http://www.inliniac.net/victorjulien.asc
> >     ---------------------------------------------
> >
> >     _______________________________________________
> >     Suricata IDS Users mailing list:
> >     oisf-users at openinfosecfoundation.org
> >     Site: http://suricata-ids.org | Support:
> >     http://suricata-ids.org/support/
> >     List:
> >     https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >     OISF: http://www.openinfosecfoundation.org/
> >
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
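Added example (not part of the thread or of Suricata itself): a small Python check for the condition Victor diagnoses above, which parses stats.log rows in the quoted `name | thread | value` format, converts a suricata.yaml memcap such as `1gb` to bytes, and flags reassembly memuse near the cap together with non-zero `tcp.segment_memcap_drop` and `tcp.reassembly_gap` counters. The sample rows and the 0.9 warning ratio are constructed for the example.

```python
import re

# Constructed sample of stats.log rows, modelled on the counters quoted
# in the thread (counter name | thread name | value).
SAMPLE_STATS = """\
tcp.reassembly_memuse     | Detect                    | 1073741704
tcp.segment_memcap_drop   | Detect                    | 1944780
tcp.reassembly_gap        | Detect                    | 5695
tcp.sessions              | Detect                    | 48221
"""

_UNITS = {"": 1, "b": 1, "kb": 1 << 10, "mb": 1 << 20, "gb": 1 << 30}


def parse_memcap(value):
    """Convert a suricata.yaml memcap string ('1gb', '256mb', '4096') to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]?b)?\s*", value.lower())
    if not m:
        raise ValueError("unrecognised memcap: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2) or ""]


def parse_stats(text):
    """Return {counter: value} from stats.log 'name | thread | value' rows."""
    counters = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[2].isdigit():
            counters[parts[0]] = int(parts[2])
    return counters


def check_reassembly(counters, memcap, warn_ratio=0.9):
    """Report memuse at the memcap plus dropped segments and stream gaps,
    the combination that makes TLS tracking fail while packets still flow."""
    memuse = counters.get("tcp.reassembly_memuse", 0)
    drops = counters.get("tcp.segment_memcap_drop", 0)
    gaps = counters.get("tcp.reassembly_gap", 0)
    ratio = memuse / memcap
    findings = []
    if ratio >= warn_ratio:
        findings.append("reassembly memuse at %.1f%% of memcap" % (ratio * 100))
    if drops:
        findings.append("%d segments dropped on memcap" % drops)
    if gaps:
        findings.append("%d reassembly gaps" % gaps)
    return ratio, findings


if __name__ == "__main__":
    ratio, findings = check_reassembly(parse_stats(SAMPLE_STATS), parse_memcap("1gb"))
    for f in findings:
        print("WARNING:", f)
```

Run it against a live stats.log after raising stream.reassembly.memcap; the drop and gap counters should stop growing once the cap is no longer reached.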