[Oisf-users] Suricata consume more than 50% CPU
David Touzeau
david at articatech.com
Sun Dec 20 15:17:09 UTC 2015
Thanks Peter, here is the requested information:
PF_RING:
modinfo pf_ring && cat /proc/net/pf_ring/info
filename: /lib/modules/3.2.0-4-amd64/kernel/net/pf_ring/pf_ring.ko
alias: net-pf-27
description: Packet capture acceleration and analysis
author: ntop.org
license: GPL
depends:
vermagic: 3.2.0-4-amd64 SMP mod_unload modversions
parm: min_num_slots:Min number of ring slots (uint)
parm: perfect_rules_hash_size:Perfect rules hash size (uint)
parm: transparent_mode:(deprecated) (uint)
parm: enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog (uint)
parm: enable_tx_capture:Set to 1 to capture outgoing packets (uint)
parm: enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint)
parm: enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)
parm: quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint)
PF_RING Version : 6.1.1 (dev:03645d72194bf671201728c1e947f365883935c7)
Total rings : 4
Standard (non DNA/ZC) Options
Ring slots : 65534
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
Here is the start in verbose mode:
20/12/2015 -- 16:15:16 - <Notice> - This is Suricata version 2.0.10 RELEASE
20/12/2015 -- 16:15:16 - <Info> - CPUs/cores online: 4
20/12/2015 -- 16:15:16 - <Info> - 'default' server has
'request-body-minimal-inspect-size' set to 33882 and
'request-body-inspect-window' set to 4053 after randomization.
20/12/2015 -- 16:15:16 - <Info> - 'default' server has
'response-body-minimal-inspect-size' set to 33695 and
'response-body-inspect-window' set to 4218 after randomization.
20/12/2015 -- 16:15:16 - <Info> - DNS request flood protection level: 500
20/12/2015 -- 16:15:16 - <Info> - DNS per flow memcap (state-memcap): 524288
20/12/2015 -- 16:15:16 - <Info> - DNS global memcap: 16777216
20/12/2015 -- 16:15:16 - <Info> - allocated 3670016 bytes of memory for
the defrag hash... 65536 buckets of size 56
20/12/2015 -- 16:15:16 - <Info> - preallocated 65535 defrag trackers of
size 168
20/12/2015 -- 16:15:16 - <Info> - defrag memory usage: 14679896 bytes,
maximum: 33554432
20/12/2015 -- 16:15:16 - <Info> - AutoFP mode using default "Active
Packets" flow load balancer
20/12/2015 -- 16:15:16 - <Info> - preallocated 1024 packets. Total
memory 3573760
20/12/2015 -- 16:15:16 - <Info> - allocated 262144 bytes of memory for
the host hash... 4096 buckets of size 64
20/12/2015 -- 16:15:16 - <Info> - preallocated 1000 hosts of size 112
20/12/2015 -- 16:15:16 - <Info> - host memory usage: 390144 bytes,
maximum: 16777216
20/12/2015 -- 16:15:16 - <Info> - allocated 4194304 bytes of memory for
the flow hash... 65536 buckets of size 64
20/12/2015 -- 16:15:16 - <Info> - preallocated 10000 flows of size 280
20/12/2015 -- 16:15:16 - <Info> - flow memory usage: 7074304 bytes,
maximum: 67108864
20/12/2015 -- 16:15:16 - <Info> - stream "prealloc-sessions": 2048 (per
thread)
20/12/2015 -- 16:15:16 - <Info> - stream "memcap": 33554432
20/12/2015 -- 16:15:16 - <Info> - stream "midstream" session pickups:
disabled
20/12/2015 -- 16:15:16 - <Info> - stream "async-oneside": disabled
20/12/2015 -- 16:15:16 - <Info> - stream "checksum-validation": disabled
20/12/2015 -- 16:15:16 - <Info> - stream."inline": disabled
20/12/2015 -- 16:15:16 - <Info> - stream "max-synack-queued": 5
20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "memcap": 134217728
20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "depth": 1048576
20/12/2015 -- 16:15:16 - <Info> - stream.reassembly
"toserver-chunk-size": 2587
20/12/2015 -- 16:15:16 - <Info> - stream.reassembly
"toclient-chunk-size": 2593
20/12/2015 -- 16:15:16 - <Info> - stream.reassembly.raw: enabled
20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 4, prealloc 256
20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 16, prealloc 512
20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 112, prealloc 512
20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 248, prealloc 512
20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 512, prealloc 512
20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 768, prealloc 1024
20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 1448, prealloc 1024
20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 65535, prealloc 128
20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "chunk-prealloc": 250
20/12/2015 -- 16:15:16 - <Info> - IP reputation disabled
20/12/2015 -- 16:15:16 - <Info> - Registered 106 keyword profiling counters.
20/12/2015 -- 16:15:16 - <Info> - using magic-file /usr/share/file/magic
20/12/2015 -- 16:15:16 - <Info> - Delayed detect disabled
20/12/2015 -- 16:15:17 - <Info> - 11 rule files processed. 6557 rules
successfully loaded, 0 rules failed
20/12/2015 -- 16:15:17 - <Info> - 6557 signatures processed. 30 are
IP-only rules, 3222 are inspecting packet payload, 4746 inspect
application layer, 0 are decoder event only
20/12/2015 -- 16:15:17 - <Info> - building signature grouping structure,
stage 1: preprocessing rules... complete
20/12/2015 -- 16:15:17 - <Info> - building signature grouping structure,
stage 2: building source address list... complete
20/12/2015 -- 16:15:17 - <Info> - building signature grouping structure,
stage 3: building destination address lists... complete
20/12/2015 -- 16:15:18 - <Info> - Registered 6557 rule profiling counters.
20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)]
- can't suppress sid 2013028, gid 1: unknown rule
20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)]
- can't suppress sid 2006380, gid 1: unknown rule
20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)]
- can't suppress sid 2013504, gid 1: unknown rule
20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)]
- can't suppress sid 2012141, gid 1: unknown rule
20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)]
- can't suppress sid 2002878, gid 1: unknown rule
20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)]
- can't suppress sid 2002157, gid 1: unknown rule
20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)]
- can't suppress sid 2012648, gid 1: unknown rule
20/12/2015 -- 16:15:18 - <Info> - Threshold config parsed: 7 rule(s) found
20/12/2015 -- 16:15:18 - <Info> - Core dump size set to unlimited.
20/12/2015 -- 16:15:18 - <Info> - eve-log output device (regular)
initialized: eve.json
20/12/2015 -- 16:15:18 - <Info> - returning output_ctx 0x55f3b70
20/12/2015 -- 16:15:18 - <Info> - enabling 'eve-log' module 'alert'
20/12/2015 -- 16:15:18 - <Info> - Adding interface eth0 from config file
20/12/2015 -- 16:15:18 - <Info> - Adding interface eth1 from config file
20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
"management-cpu-set"
20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
"receive-cpu-set"
20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
"decode-cpu-set"
20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
"stream-cpu-set"
20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
"detect-cpu-set"
20/12/2015 -- 16:15:18 - <Info> - Using default prio 'medium'
20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
"verdict-cpu-set"
20/12/2015 -- 16:15:18 - <Info> - Using default prio 'high'
20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
"reject-cpu-set"
20/12/2015 -- 16:15:18 - <Info> - Using default prio 'low'
20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
"output-cpu-set"
20/12/2015 -- 16:15:18 - <Info> - Using default prio 'medium'
20/12/2015 -- 16:15:18 - <Info> - Using flow cluster mode for PF_RING
(iface eth0)
20/12/2015 -- 16:15:18 - <Info> - Going to use 2 thread(s)
20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 0
20/12/2015 -- 16:15:18 - <Info> - Setting prio 2 for "RxPFReth01" Module
to cpu/core 0, thread id 32120
20/12/2015 -- 16:15:18 - <Info> - (RxPFReth01) Using PF_RING v.6.1.1,
interface eth0, cluster-id 99
20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 1
20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "RxPFReth02" Module
to cpu/core 1, thread id 32154
20/12/2015 -- 16:15:18 - <Info> - (RxPFReth02) Using PF_RING v.6.1.1,
interface eth0, cluster-id 99
20/12/2015 -- 16:15:18 - <Info> - Using flow cluster mode for PF_RING
(iface eth1)
20/12/2015 -- 16:15:18 - <Info> - Going to use 2 thread(s)
20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 2
20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "RxPFReth11" Module
to cpu/core 2, thread id 32186
20/12/2015 -- 16:15:18 - <Info> - (RxPFReth11) Using PF_RING v.6.1.1,
interface eth1, cluster-id 98
20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 3
20/12/2015 -- 16:15:18 - <Info> - Setting prio -2 for "RxPFReth12"
Module to cpu/core 3, thread id 32214
20/12/2015 -- 16:15:18 - <Info> - (RxPFReth12) Using PF_RING v.6.1.1,
interface eth1, cluster-id 98
20/12/2015 -- 16:15:18 - <Info> - RunModeIdsPfringWorkers initialised
20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "FlowManagerThread"
thread , thread id 32247
20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for
"SCPerfWakeupThread" thread , thread id 32248
20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "SCPerfMgmtThread"
thread , thread id 32250
20/12/2015 -- 16:15:18 - <Notice> - all 4 packet processing threads, 3
management threads initialized, engine started.
On 20/12/2015 16:11, Peter Manev wrote:
> On Sun, Dec 20, 2015 at 2:43 PM, David Touzeau <david at articatech.com> wrote:
>>
>> Hi, all
>>
>> As you can see, the main service consumes 52.4% on an Intel Core i7 for
>> less than about 10MBS of bandwidth.
>>
>> root 31283 52.4 9.6 455496 773264 ? SNsl 14:16 6:29 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata/suricata.pid --pfring -D
>>
>> root 31283 65.1 9.6 455496 773264 ? SNsl 14:16 12:06 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata/suricata.pid --pfring -D
>>
>> Are there any tips to reduce this CPU consumption?
>>
>> Configuration:
>> ####################################################################################
>> %YAML 1.1
>> ---
>>
>> runmode: workers
>> host-mode: auto
>> pid-file: /var/run/suricata.pid
>> default-log-dir: /var/log/suricata/
>> unix-command:
>>   enabled: no
>>
>> outputs:
>>
>>   - fast:
>>       enabled: no
>>       filename: fast.log
>>       append: yes
>>
>>   - eve-log:
>>       enabled: yes
>>       type: file
>>       filename: eve.json
>>       types:
>>         - alert
>>         #- drop
>>
>>   - unified2-alert:
>>       enabled: no
>>       filename: unified2.alert
>>       sensor-id: 0
>>       xff:
>>         enabled: no
>>         mode: extra-data
>>         header: X-Forwarded-For
>>
>>   - http-log:
>>       enabled: no
>>       filename: http.log
>>       append: yes
>>
>>   - tls-log:
>>       enabled: no
>>       filename: tls.log # File to store TLS logs.
>>       append: yes
>>       certs-log-dir: certs
>>
>>   - dns-log:
>>       enabled: no
>>       filename: dns.log
>>       append: yes
>>
>>   - pcap-info:
>>       enabled: no
>>
>>   - pcap-log:
>>       enabled: no
>>       filename: log.pcap
>>       limit: 1000mb
>>       max-files: 2000
>>       mode: normal
>>       use-stream-depth: no
>>
>>   - alert-debug:
>>       enabled: no
>>       filename: alert-debug.log
>>       append: yes
>>       filetype: regular
>>
>>   - alert-prelude:
>>       enabled: no
>>       profile: suricata
>>       log-packet-content: no
>>       log-packet-header: yes
>>
>>   - stats:
>>       enabled: yes
>>       filename: stats.log
>>       interval: 10
>>
>>   - syslog:
>>       enabled: no
>>       identity: "suricata"
>>       facility: local5
>>
>>   - drop:
>>       enabled: no
>>       filename: drop.log
>>       append: yes
>>       filetype: regular
>>
>>   - file-store:
>>       enabled: no       # set to yes to enable
>>       log-dir: files    # directory to store the files
>>       force-magic: no   # force logging magic on all stored files
>>       force-md5: no     # force logging of md5 checksums
>>
>>   - file-log:
>>       enabled: no
>>       filename: files-json.log
>>       append: yes
>>       filetype: regular
>>       force-magic: yes
>>       force-md5: yes
>>
>> magic-file: /usr/share/file/magic
>>
>> nfq:
>>
>> nflog:
>>   - group: 2
>>     buffer-size: 18432
>>   - group: default
>>     qthreshold: 1
>>     qtimeout: 100
>>     max-size: 20000
>>
>> af-packet:
>>   - interface: eth1
>>     threads: 1
>>     cluster-id: 99
>>     cluster-type: cluster_flow
>>     defrag: yes
>>     use-mmap: yes
>>
>>   - interface: eth1
>>     threads: 1
>>     cluster-id: 98
>>     cluster-type: cluster_flow
>>     defrag: yes
>>
>>   - interface: default
>>
>> legacy:
>>   uricontent: enabled
>>
>> detect-engine:
>>   - profile: medium
>>   - custom-values:
>>       toclient-src-groups: 2
>>       toclient-dst-groups: 2
>>       toclient-sp-groups: 2
>>       toclient-dp-groups: 3
>>       toserver-src-groups: 2
>>       toserver-dst-groups: 4
>>       toserver-sp-groups: 2
>>       toserver-dp-groups: 25
>>   - sgh-mpm-context: auto
>>   - inspection-recursion-limit: 3000
>>
>> threading:
>>   set-cpu-affinity: yes
>>   cpu-affinity:
>>     - management-cpu-set:
>>         cpu: [ "all" ]
>>
>>     - receive-cpu-set:
>>         cpu: [ 0 ]  # include only these cpus in affinity settings
>>
>>     - decode-cpu-set:
>>         cpu: [ 0, 1 ]
>>         mode: "balanced"
>>
>>     - stream-cpu-set:
>>         cpu: [ "0-1" ]
>>
>>     - detect-cpu-set:
>>         cpu: [ "all" ]
>>         mode: "exclusive"
>>         prio:
>>           low: [ 0 ]
>>           medium: [ "1-2" ]
>>           high: [ 3 ]
>>           default: "medium"
>>
>>     - verdict-cpu-set:
>>         cpu: [ 0 ]
>>         prio:
>>           default: "high"
>>     - reject-cpu-set:
>>         cpu: [ 0 ]
>>         prio:
>>           default: "low"
>>     - output-cpu-set:
>>         cpu: [ "all" ]
>>         prio:
>>           default: "medium"
>>   #
>>   detect-thread-ratio: 1.5
>>
>> # Cuda configuration.
>> cuda:
>>   mpm:
>>     data-buffer-size-min-limit: 0
>>     data-buffer-size-max-limit: 1500
>>     cudabuffer-buffer-size: 500mb
>>     gpu-transfer-size: 50mb
>>     batching-timeout: 2000
>>     device-id: 0
>>     cuda-streams: 2
>>
>> mpm-algo: ac
>>
>> pattern-matcher:
>>   - b2gc:
>>       search-algo: B2gSearchBNDMq
>>       hash-size: low
>>       bf-size: medium
>>   - b2gm:
>>       search-algo: B2gSearchBNDMq
>>       hash-size: low
>>       bf-size: medium
>>   - b2g:
>>       search-algo: B2gSearchBNDMq
>>       hash-size: low
>>       bf-size: medium
>>   - b3g:
>>       search-algo: B3gSearchBNDMq
>>       hash-size: low
>>       bf-size: medium
>>   - wumanber:
>>       hash-size: low
>>       bf-size: medium
>>
>> # Defrag settings:
>>
>> defrag:
>>   memcap: 32mb
>>   hash-size: 65536
>>   trackers: 65535   # number of defragmented flows to follow
>>   max-frags: 65535  # number of fragments to keep (higher than trackers)
>>   prealloc: yes
>>   timeout: 60
>>
>> flow:
>>   memcap: 64mb
>>   hash-size: 65536
>>   prealloc: 10000
>>   emergency-recovery: 30
>>
>> vlan:
>>   use-for-tracking: true
>>
>> flow-timeouts:
>>
>>   default:
>>     new: 30
>>     established: 300
>>     closed: 0
>>     emergency-new: 10
>>     emergency-established: 100
>>     emergency-closed: 0
>>   tcp:
>>     new: 60
>>     established: 3600
>>     closed: 120
>>     emergency-new: 10
>>     emergency-established: 300
>>     emergency-closed: 20
>>   udp:
>>     new: 30
>>     established: 300
>>     emergency-new: 10
>>     emergency-established: 100
>>   icmp:
>>     new: 30
>>     established: 300
>>     emergency-new: 10
>>     emergency-established: 100
>>
>> stream:
>>   memcap: 32mb
>>   checksum-validation: no   # reject wrong csums
>>   inline: auto              # auto will use inline mode in IPS mode, yes or no set it statically
>>   reassembly:
>>     memcap: 128mb
>>     depth: 1mb              # reassemble 1mb into a stream
>>     toserver-chunk-size: 2560
>>     toclient-chunk-size: 2560
>>     randomize-chunk-size: yes
>>
>> host:
>>   hash-size: 4096
>>   prealloc: 1000
>>   memcap: 16777216
>>
>> logging:
>>
>>   default-log-level: notice
>>   #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
>>   default-output-filter:
>>
>>   outputs:
>>   - console:
>>       enabled: yes
>>   - file:
>>       enabled: yes
>>       filename: /var/log/suricata.log
>>   - syslog:
>>       enabled: yes
>>       facility: syslog
>>       format: "[%i] <%d> -- "
>>
>> mpipe:
>>
>>   load-balance: dynamic
>>   iqueue-packets: 2048
>>   inputs:
>>   - interface: xgbe2
>>   - interface: xgbe3
>>   - interface: xgbe4
>>
>>   stack:
>>     size128: 0
>>     size256: 9
>>     size512: 0
>>     size1024: 0
>>     size1664: 7
>>     size4096: 0
>>     size10386: 0
>>     size16384: 0
>>
>> pfring:
>>
>>   - interface: eth0
>>     threads: 2
>>     cluster-id: 99
>>     cluster-type: cluster_flow
>>
>>   - interface: eth1
>>     threads: 2
>>     cluster-id: 98
>>     cluster-type: cluster_flow
>>
>> default-rule-path: /etc/suricata/rules
>> rule-files:
>>   - drop.rules
>>   - dshield.rules
>>   - emerging-activex.rules
>>   - emerging-attack_response.rules
>>   - emerging-malware.rules
>>   - emerging-policy.rules
>>   - emerging-scan.rules
>>   - emerging-shellcode.rules
>>   - emerging-trojan.rules
>>   - emerging-web_client.rules
>>   - emerging-worm.rules
>>   - snort.rules
>>
>> classification-file: /etc/suricata/classification.config
>> reference-config-file: /etc/suricata/reference.config
>>
>> vars:
>>   address-groups:
>>     HOME_NET: "[192.168.1.0/24,10.10.1.0/24]"
>>     EXTERNAL_NET: "!$HOME_NET"
>>     HTTP_SERVERS: "$HOME_NET"
>>     SMTP_SERVERS: "$HOME_NET"
>>     SQL_SERVERS: "$HOME_NET"
>>     DNS_SERVERS: "$HOME_NET"
>>     TELNET_SERVERS: "$HOME_NET"
>>     AIM_SERVERS: "$EXTERNAL_NET"
>>     DNP3_SERVER: "$HOME_NET"
>>     DNP3_CLIENT: "$HOME_NET"
>>     MODBUS_CLIENT: "$HOME_NET"
>>     MODBUS_SERVER: "$HOME_NET"
>>     ENIP_CLIENT: "$HOME_NET"
>>     ENIP_SERVER: "$HOME_NET"
>>
>>   port-groups:
>>     HTTP_PORTS: "80"
>>     SHELLCODE_PORTS: "!80"
>>     ORACLE_PORTS: 1521
>>     SSH_PORTS: 22
>>     DNP3_PORTS: 20000
>>     FILE_DATA_PORTS: "[110,143]"
>>
>> action-order:
>>   - pass
>>   - drop
>>   - reject
>>   - alert
>>
>> host-os-policy:
>>   windows: [0.0.0.0/0]
>>   bsd: []
>>   bsd-right: []
>>   old-linux: []
>>   linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
>>   old-solaris: []
>>   solaris: ["::1"]
>>   hpux10: []
>>   hpux11: []
>>   irix: []
>>   macos: []
>>   vista: []
>>   windows2k3: []
>>
>> asn1-max-frames: 256
>>
>> engine-analysis:
>>   rules-fast-pattern: yes
>>   rules: yes
>>
>> pcre:
>>   match-limit: 3500
>>   match-limit-recursion: 1500
>>
>> threshold-file: /etc/suricata/threshold.config
>>
>> app-layer:
>>   protocols:
>>     tls:
>>       enabled: yes
>>       detection-ports:
>>         dp: 443
>>     dcerpc:
>>       enabled: yes
>>     ftp:
>>       enabled: yes
>>     ssh:
>>       enabled: yes
>>     smtp:
>>       enabled: yes
>>     imap:
>>       enabled: detection-only
>>     msn:
>>       enabled: detection-only
>>     smb:
>>       enabled: yes
>>       detection-ports:
>>         dp: 139
>>     dns:
>>
>>       tcp:
>>         enabled: yes
>>         detection-ports:
>>           dp: 53
>>       udp:
>>         enabled: yes
>>         detection-ports:
>>           dp: 53
>>     http:
>>       enabled: yes
>>
>>       libhtp:
>>
>>         default-config:
>>           personality: IDS
>>           request-body-limit: 3072
>>           response-body-limit: 3072
>>           request-body-minimal-inspect-size: 32kb
>>           request-body-inspect-window: 4kb
>>           response-body-minimal-inspect-size: 32kb
>>           response-body-inspect-window: 4kb
>>           double-decode-path: no
>>           double-decode-query: no
>>
>>         server-config:
>>
>> profiling:
>>   rules:
>>     enabled: yes
>>     filename: rule_perf.log
>>     append: yes
>>     sort: avgticks
>>     limit: 100
>>
>>   keywords:
>>     enabled: yes
>>     filename: keyword_perf.log
>>     append: yes
>>
>>   packets:
>>     enabled: yes
>>     filename: packet_stats.log
>>     append: yes
>>
>>     csv:
>>       enabled: no
>>       filename: packet_stats.csv
>>
>>   locks:
>>     enabled: no
>>     filename: lock_stats.log
>>     append: yes
>>
>> coredump:
>>   max-dump: unlimited
>>
>> napatech:
>>   hba: -1
>>   use-all-streams: yes
>>   streams: [1, 2, 3]
>> ############################################################################################################
>>
>> Stats:
>> Date: 12/20/2015 -- 14:16:48
>> --------------------------------------------------------------------------
>> Num      Rule  Gid  Rev       Ticks     %  Checks  Matches  Max Ticks  Avg Ticks  Avg Match  Avg No Match
>> ---  --------  ---  ---  ----------  ----  ------  -------  ---------  ---------  ---------  ------------
>>   1   2021621    1    6     2472462  0.00       6        0     626418  412077.00       0.00     412077.00
>>   2   2021529    1    3  2690096101  0.55    9463        0    4390290  284275.19       0.00     284275.19
>>   3   2018005    1    6  1262809391  0.26   10390        0   14480148  121540.85       0.00     121540.85
>>   4   2021993    1    2     3446612  0.00      34        0     158850  101370.94       0.00     101370.94
>>   5   2018637    1    2    12935952  0.00     129        0    9942498  100278.70       0.00     100278.70
>>   6     24787    1    3  9454741704  1.93  124029   124014   74818640   76230.09       0.00  630316113.60
>>   7   2021276    1    3       75600  0.00       1        0      75600   75600.00       0.00      75600.00
>>   8     25043    1    2    78320311  0.02    1043        0    7832052   75091.38       0.00      75091.38
>>   9   2018457    1    1   789052728  0.16   10603        0    9742392   74417.87       0.00      74417.87
>>  10   2022078    1    2     5036420  0.00      74        0     125892   68059.73       0.00      68059.73
>>  11     32413    1    2    10957828  0.00     199        0     391374   55064.46       0.00      55064.46
>>  12   2018604    1    5      319594  0.00       6        0     262260   53265.67       0.00      53265.67
>>  13     31371    1    6      188502  0.00       4        0      76356   47125.50       0.00      47125.50
>>  14     16425    1   17     1408770  0.00      30       30      56286   46959.00   46959.00          0.00
>>  15   2014376    1    3      229054  0.00       5        0      63810   45810.80       0.00      45810.80
>>  16     17733    1   12     3675860  0.00      86       52      74808   42742.56   49390.81      32574.65
>>  17   2012970    1    2     2264024  0.00      56        0      89748   40429.00       0.00      40429.00
>>  18     24791    1    3  4794438838  0.98  124030   124016  101016232   38655.48       0.00  342459917.00
>>  19   2012969    1    2     2750828  0.00      73        0     239544   37682.58       0.00      37682.58
>>  20     32412    1    2    14092239  0.00     374        0     151416   37679.78       0.00      37679.78
>>  21     23224    1    6       37494  0.00       1        0      37494   37494.00       0.00      37494.00
>>  22     32387    1    1       70722  0.00       2        0      69318   35361.00       0.00      35361.00
>>  23   2012981    1    3       70560  0.00       2        0      37080   35280.00       0.00      35280.00
>>  24   2017816    1    4     4166644  0.00     120        0     112896   34722.03       0.00      34722.03
>>  25   2020781    1    4     5879307  0.00     175        0     249606   33596.04       0.00      33596.04
>>  26   2018403    1    8      997676  0.00      30        0      46710   33255.87       0.00      33255.87
>>  27     30134    1    1  4061564568  0.83  124035   124026   28903920   32745.31       0.00  451284952.00
>>  28   2018264    1    8      641252  0.00      20        0      54720   32062.60       0.00      32062.60
>>  29     17394    1   12      507772  0.00      16       16      61560   31735.75   31735.75          0.00
>>  30     21288    1    8     2745335  0.00      87       87      71010   31555.57   31555.57          0.00
>>  31   2018121    1    4      943150  0.00      30        0      56142   31438.33       0.00      31438.33
>>  32   2014090    1    6      250596  0.00       8        0      65628   31324.50       0.00      31324.50
>>  33   2007650    1    4    45356295  0.01    1455        0    4291452   31172.71       0.00      31172.71
>>  34     31276    1    2       61704  0.00       2        0      31356   30852.00       0.00      30852.00
>>  35     15468    1   13       29292  0.00       1        0      29292   29292.00       0.00      29292.00
>>  36   2018581    1    2      875904  0.00      30        0     178812   29196.80       0.00      29196.80
>>  37   2020791    1    2     4920368  0.00     175        0     225954   28116.39       0.00      28116.39
>>  38   2016029    1    3      824358  0.00      30        0      36360   27478.60       0.00      27478.60
>>  39   2020029    1    2      327394  0.00      12        0      47376   27282.83       0.00      27282.83
>>  40   2012328    1    5      135298  0.00       5        0      33120   27059.60       0.00      27059.60
>>  41     31274    1    1     1687170  0.00      63        0     155286   26780.48       0.00      26780.48
>>  42   2019083    1    2     3530338  0.00     133        0      97164   26543.89       0.00      26543.89
>>  43     31279    1    1       52524  0.00       2        0      26460   26262.00       0.00      26262.00
>>  44   2014634    1    1     1757602  0.00      68        0      39690   25847.09       0.00      25847.09
>>  45   2018295    1    3      900796  0.00      36        0      52560   25022.11       0.00      25022.11
>>  46   2021245    1    4      747988  0.00      30        0      36090   24932.93       0.00      24932.93
>>  47     24651    1    4       49284  0.00       2        0      24804   24642.00       0.00      24642.00
>>  48   2020763    1    2     3023974  0.00     123        0     167220   24585.15       0.00      24585.15
>>  49   2020800    1    2     3333830  0.00     136        0      87246   24513.46       0.00      24513.46
>>  50   2020614    1    2     3913592  0.00     160        0      83772   24459.95       0.00      24459.95
>>  51   2020609    1    4     3111426  0.00     130        0      89442   23934.05       0.00      23934.05
>>  52   2019141    1    3      568974  0.00      24        0      28422   23707.25       0.00      23707.25
>>  53   2019602    1    1     3171882  0.00     134        0     240822   23670.76       0.00      23670.76
>>  54   2003287    1    6      466520  0.00      20        0     285516   23326.00       0.00      23326.00
>>  55   2016922    1   10     3230312  0.00     139        0      91782   23239.65       0.00      23239.65
>>  56   2020611    1    3     4594070  0.00     198        0      79056   23202.37       0.00      23202.37
>>  57     17380    1   15      991624  0.00      43       43      59292   23061.02   23061.02          0.00
>>  58   2020960    1    2      685418  0.00      30        0      30708   22847.27       0.00      22847.27
>>  59   2018057    1    3     3583156  0.00     159        0      96030   22535.57       0.00      22535.57
>>  60   2008782    1    5     2748390  0.00     122        0      69048   22527.79       0.00      22527.79
>>  61   2020782    1    2     3130320  0.00     139        0      88110   22520.29       0.00      22520.29
>>  62   2020613    1    3     3356494  0.00     150        0      82350   22376.63       0.00      22376.63
>>  63   2020769    1    2     2636396  0.00     118        0      86958   22342.34       0.00      22342.34
>>  64   2020586    1    3     2700166  0.00     122        0      90774   22132.51       0.00      22132.51
>>  65   2020693    1    1     3049757  0.00     138        0     199368   22099.69       0.00      22099.69
>>  66   2020799    1    2     3818200  0.00     173        0     120798   22070.52       0.00      22070.52
>>  67   2006380    1   12     1300862  0.00      59       59      33912   22048.51   22048.51          0.00
>>  68   2020786    1    2     3212030  0.00     146        0     101574   22000.21       0.00      22000.21
>>  69   2017915    1    2     3046598  0.00     140        0     117576   21761.41       0.00      21761.41
>>  70   2018880    1    2     3366284  0.00     155        0      94104   21717.96       0.00      21717.96
>>  71   2020765    1    2     2808816  0.00     130        0     209520   21606.28       0.00      21606.28
>>  72   2020784    1    2     2741601  0.00     127        0      95958   21587.41       0.00      21587.41
>>  73     29189    1    1     1032558  0.00      48        0      33894   21511.62       0.00      21511.62
>>  74   2020612    1    3     2967752  0.00     138        0      89262   21505.45       0.00      21505.45
>>  75   2020773    1    2     3074056  0.00     144        0      83952   21347.61       0.00      21347.61
>>  76   2017263    1    2      127458  0.00       6        0      23652   21243.00       0.00      21243.00
>>  77   2018638    1    2     2883696  0.00     136        0      85752   21203.65       0.00      21203.65
>>  78   2020766    1    2     2509209  0.00     119        0     211302   21085.79       0.00      21085.79
>>  79   2018166    1    3     2357794  0.00     112        0      87714   21051.73       0.00      21051.73
>>  80   2020795    1    2     2384326  0.00     114        0      84744   20915.14       0.00      20915.14
>>  81   2020777    1    2     2078802  0.00     100        0      78840   20788.02       0.00      20788.02
>>  82   2002878    1    8       41562  0.00       2        2      22698   20781.00   20781.00          0.00
>>  83   2020798    1    2     2462538  0.00     119        0      81666   20693.60       0.00      20693.60
>>  84   2021520    1    2      123524  0.00       6        0      27738   20587.33       0.00      20587.33
>>  85   2017191    1    3       20466  0.00       1        0      20466   20466.00       0.00      20466.00
>>  86   2017707    1    1     3006623  0.00     147        0     101628   20453.22       0.00      20453.22
>>  87   2020606    1    4     3149168  0.00     154        0     199062   20449.14       0.00      20449.14
>>  88     32986    1    1       81696  0.00       4        0      30438   20424.00       0.00      20424.00
>>  89   2020793    1    2     2587716  0.00     127        0     221544   20375.72       0.00      20375.72
>>  90   2020783    1    2     2678856  0.00     133        0      95346   20141.77       0.00      20141.77
>>  91   2018153    1    4     1965170  0.00      98        0      81612   20052.76       0.00      20052.76
>>  92   2020780    1    2     2449289  0.00     123        0      94428   19912.92       0.00      19912.92
>>  93   2021065    1    2     2663188  0.00     134        0     205596   19874.54       0.00      19874.54
>>  94   2020764    1    2     2873784  0.00     145        0      80622   19819.20       0.00      19819.20
>>  95   2020694    1    1     2533778  0.00     128        0      89424   19795.14       0.00      19795.14
>>  96     32396    1    2       39582  0.00       2        0      22158   19791.00       0.00      19791.00
>>  97   2020770    1    2     2354850  0.00     119        0      95760   19788.66       0.00      19788.66
>>  98   2016567    1    6       19674  0.00       1        0      19674   19674.00       0.00      19674.00
>>  99   2021381    1    7     1075986  0.00      55        4      62748   19563.38   59044.50      16466.82
>> 100   2020691    1    1     2385889  0.00     123        0      96552   19397.47       0.00      19397.47
>>
>> ############################################################################################################
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>
> Can you please post your suricata.log using pastebin or alike?
> Please add "-v" to your start line.
>
> What is the output of -
> modinfo pf_ring && cat /proc/net/pf_ring/info
> ?
>
> Thank you
>
>
>
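The quoted config writes the rule profiling table with `sort: avgticks`, which ranks rules by the average cost of one check, so a rule checked once sits near the top while the rules that actually burn the detect threads' time (high `Ticks` and `%`, such as rows 6, 18 and 27 above) are buried further down. The script below is an added example, not code from this thread or from Suricata: it parses the rules table as it appears when pasted into mail (the `>>` quoting and the mid-row line wrap left in), re-ranks by total ticks, and flags rules that match on nearly every check. The four sample rows are copied from the table above; the `min_checks` and `ratio` thresholds in `always_match` are the example's own choices.

```python
"""Re-rank a Suricata rule-profiling dump (profiling.rules / rule_perf.log).

Added example, not code from the thread or from Suricata. It keeps only the
numeric tokens of the 12-column "rules" table, so e-mail quoting ('>>') and
rows wrapped onto two lines are parsed the same as the original file.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: four rows copied from the profiling table in the thread,
# with the e-mail quoting and the mid-row line wrap left in place on purpose.
SAMPLE = """\
>> Stats:
>> Date: 12/20/2015 -- 14:16:48
>> --------------------------------------------------------------------------
>> Num Rule Gid Rev Ticks % Checks Matches
>> Max Ticks Avg Ticks Avg Match Avg No Match
>> -------- ------------ -------- -------- ------------ ------ --------
>> -------- ----------- ----------- ----------- --------------
>> 2 2021529 1 3 2690096101 0.55 9463 0
>> 4390290 284275.19 0.00 284275.19
>> 6 24787 1 3 9454741704 1.93 124029 124014
>> 74818640 76230.09 0.00 630316113.60
>> 18 24791 1 3 4794438838 0.98 124030 124016
>> 101016232 38655.48 0.00 342459917.00
>> 27 30134 1 1 4061564568 0.83 124035 124026
>> 28903920 32745.31 0.00 451284952.00
"""

NUMERIC = re.compile(r"^\d+(\.\d+)?$")
# Column order of the "rules" table; one record is exactly 12 numeric tokens.
CONVERTERS = (int, int, int, int, int, float, int, int, int, float, float, float)


@dataclass(frozen=True)
class RuleProfile:
    num: int
    sid: int
    gid: int
    rev: int
    ticks: int
    pct: float
    checks: int
    matches: int
    max_ticks: int
    avg_ticks: float
    avg_match: float
    avg_nomatch: float

    @property
    def match_ratio(self) -> float:
        """Fraction of checks that ended in a match (0.0 when never checked)."""
        return self.matches / self.checks if self.checks else 0.0


def parse_rule_perf(text: str) -> list[RuleProfile]:
    """Parse the rules table; header words, dash rules, the date and '>>' are skipped."""
    tokens = [t for line in text.splitlines() for t in line.split() if NUMERIC.match(t)]
    if not tokens or len(tokens) % len(CONVERTERS):
        raise ValueError(f"truncated table: {len(tokens)} numeric tokens")
    rows = []
    for i in range(0, len(tokens), len(CONVERTERS)):
        chunk = tokens[i:i + len(CONVERTERS)]
        rows.append(RuleProfile(*(conv(tok) for conv, tok in zip(CONVERTERS, chunk))))
    return rows


def hot_rules(rows: list[RuleProfile], top: int = 10) -> list[RuleProfile]:
    """Rules ordered by total ticks, i.e. where the detect threads really spend time."""
    return sorted(rows, key=lambda r: r.ticks, reverse=True)[:top]


def always_match(rows: list[RuleProfile], min_checks: int = 1000,
                 ratio: float = 0.99) -> list[RuleProfile]:
    """Frequently checked rules that match almost every time they are checked.

    Such a signature is either far too broad or is being evaluated against
    traffic it was not written for; either way it deserves a look before
    touching capture or threading settings. Thresholds are this example's own."""
    return [r for r in rows if r.checks >= min_checks and r.match_ratio >= ratio]


def ticks_share(rows: list[RuleProfile], sids: set[int]) -> float:
    """Share of all profiled ticks attributable to the given SIDs."""
    total = sum(r.ticks for r in rows)
    return sum(r.ticks for r in rows if r.sid in sids) / total if total else 0.0


if __name__ == "__main__":
    rows = parse_rule_perf(SAMPLE)
    for r in hot_rules(rows):
        print(f"sid {r.sid:>8} rev {r.rev:<3} ticks {r.ticks:>12} "
              f"checks {r.checks:>7} match {r.match_ratio:6.1%}")
    hot = {r.sid for r in always_match(rows)}
    print(f"always-matching {sorted(hot)} hold {ticks_share(rows, hot):.1%} of profiled ticks")
```

On the four sample rows the three SIDs that match on nearly every check (24787, 24791 and 30134) account for roughly 87% of the profiled ticks; feed it the full `rule_perf.log` from `default-log-dir` to get the real distribution for the sensor in question.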