[Oisf-users] Suricata consume more than 50% CPU
Peter Manev
petermanev at gmail.com
Sun Dec 20 15:37:35 UTC 2015
On Sun, Dec 20, 2015 at 4:17 PM, David Touzeau <david at articatech.com> wrote:
> Thanks Peter, here is the requested information:
>
> PF_RING:
>
> modinfo pf_ring && cat /proc/net/pf_ring/info
> filename: /lib/modules/3.2.0-4-amd64/kernel/net/pf_ring/pf_ring.ko
> alias: net-pf-27
> description: Packet capture acceleration and analysis
> author: ntop.org
> license: GPL
> depends:
> vermagic: 3.2.0-4-amd64 SMP mod_unload modversions
> parm: min_num_slots:Min number of ring slots (uint)
> parm: perfect_rules_hash_size:Perfect rules hash size (uint)
> parm: transparent_mode:(deprecated) (uint)
> parm: enable_debug:Set to 1 to enable PF_RING debug tracing into
> the syslog (uint)
> parm: enable_tx_capture:Set to 1 to capture outgoing packets
> (uint)
> parm: enable_frag_coherence:Set to 1 to handle fragments (flow
> coherence) in clusters (uint)
> parm: enable_ip_defrag:Set to 1 to enable IP defragmentation(only
> rx traffic is defragmentead) (uint)
> parm: quick_mode:Set to 1 to run at full speed but with upto one
> socket per interface (uint)
> PF_RING Version : 6.1.1
> (dev:03645d72194bf671201728c1e947f365883935c7)
> Total rings : 4
>
> Standard (non DNA/ZC) Options
> Ring slots : 65534
> Slot version : 16
> Capture TX : Yes [RX+TX]
> IP Defragment : No
> Socket Mode : Standard
> Total plugins : 0
> Cluster Fragment Queue : 0
> Cluster Fragment Discard : 0
>
>
>
> Here it is the start in verbose:
>
>
> 20/12/2015 -- 16:15:16 - <Notice> - This is Suricata version 2.0.10 RELEASE
> 20/12/2015 -- 16:15:16 - <Info> - CPUs/cores online: 4
> 20/12/2015 -- 16:15:16 - <Info> - 'default' server has
> 'request-body-minimal-inspect-size' set to 33882 and
> 'request-body-inspect-window' set to 4053 after randomization.
> 20/12/2015 -- 16:15:16 - <Info> - 'default' server has
> 'response-body-minimal-inspect-size' set to 33695 and
> 'response-body-inspect-window' set to 4218 after randomization.
> 20/12/2015 -- 16:15:16 - <Info> - DNS request flood protection level: 500
> 20/12/2015 -- 16:15:16 - <Info> - DNS per flow memcap (state-memcap): 524288
> 20/12/2015 -- 16:15:16 - <Info> - DNS global memcap: 16777216
> 20/12/2015 -- 16:15:16 - <Info> - allocated 3670016 bytes of memory for the
> defrag hash... 65536 buckets of size 56
> 20/12/2015 -- 16:15:16 - <Info> - preallocated 65535 defrag trackers of size
> 168
> 20/12/2015 -- 16:15:16 - <Info> - defrag memory usage: 14679896 bytes,
> maximum: 33554432
> 20/12/2015 -- 16:15:16 - <Info> - AutoFP mode using default "Active Packets"
> flow load balancer
> 20/12/2015 -- 16:15:16 - <Info> - preallocated 1024 packets. Total memory
> 3573760
> 20/12/2015 -- 16:15:16 - <Info> - allocated 262144 bytes of memory for the
> host hash... 4096 buckets of size 64
> 20/12/2015 -- 16:15:16 - <Info> - preallocated 1000 hosts of size 112
> 20/12/2015 -- 16:15:16 - <Info> - host memory usage: 390144 bytes, maximum:
> 16777216
> 20/12/2015 -- 16:15:16 - <Info> - allocated 4194304 bytes of memory for the
> flow hash... 65536 buckets of size 64
> 20/12/2015 -- 16:15:16 - <Info> - preallocated 10000 flows of size 280
> 20/12/2015 -- 16:15:16 - <Info> - flow memory usage: 7074304 bytes, maximum:
> 67108864
> 20/12/2015 -- 16:15:16 - <Info> - stream "prealloc-sessions": 2048 (per
> thread)
> 20/12/2015 -- 16:15:16 - <Info> - stream "memcap": 33554432
> 20/12/2015 -- 16:15:16 - <Info> - stream "midstream" session pickups:
> disabled
> 20/12/2015 -- 16:15:16 - <Info> - stream "async-oneside": disabled
> 20/12/2015 -- 16:15:16 - <Info> - stream "checksum-validation": disabled
> 20/12/2015 -- 16:15:16 - <Info> - stream."inline": disabled
> 20/12/2015 -- 16:15:16 - <Info> - stream "max-synack-queued": 5
> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "memcap": 134217728
> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "depth": 1048576
> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "toserver-chunk-size":
> 2587
> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "toclient-chunk-size":
> 2593
> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly.raw: enabled
> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 4, prealloc 256
> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 16, prealloc 512
> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 112, prealloc 512
> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 248, prealloc 512
> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 512, prealloc 512
> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 768, prealloc 1024
> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 1448, prealloc 1024
> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 65535, prealloc 128
> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "chunk-prealloc": 250
> 20/12/2015 -- 16:15:16 - <Info> - IP reputation disabled
> 20/12/2015 -- 16:15:16 - <Info> - Registered 106 keyword profiling counters.
> 20/12/2015 -- 16:15:16 - <Info> - using magic-file /usr/share/file/magic
> 20/12/2015 -- 16:15:16 - <Info> - Delayed detect disabled
> 20/12/2015 -- 16:15:17 - <Info> - 11 rule files processed. 6557 rules
> successfully loaded, 0 rules failed
> 20/12/2015 -- 16:15:17 - <Info> - 6557 signatures processed. 30 are IP-only
> rules, 3222 are inspecting packet payload, 4746 inspect application layer, 0
> are decoder event only
> 20/12/2015 -- 16:15:17 - <Info> - building signature grouping structure,
> stage 1: preprocessing rules... complete
> 20/12/2015 -- 16:15:17 - <Info> - building signature grouping structure,
> stage 2: building source address list... complete
> 20/12/2015 -- 16:15:17 - <Info> - building signature grouping structure,
> stage 3: building destination address lists... complete
> 20/12/2015 -- 16:15:18 - <Info> - Registered 6557 rule profiling counters.
> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] -
> can't suppress sid 2013028, gid 1: unknown rule
> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] -
> can't suppress sid 2006380, gid 1: unknown rule
> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] -
> can't suppress sid 2013504, gid 1: unknown rule
> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] -
> can't suppress sid 2012141, gid 1: unknown rule
> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] -
> can't suppress sid 2002878, gid 1: unknown rule
> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] -
> can't suppress sid 2002157, gid 1: unknown rule
> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] -
> can't suppress sid 2012648, gid 1: unknown rule
> 20/12/2015 -- 16:15:18 - <Info> - Threshold config parsed: 7 rule(s) found
> 20/12/2015 -- 16:15:18 - <Info> - Core dump size set to unlimited.
> 20/12/2015 -- 16:15:18 - <Info> - eve-log output device (regular)
> initialized: eve.json
> 20/12/2015 -- 16:15:18 - <Info> - returning output_ctx 0x55f3b70
> 20/12/2015 -- 16:15:18 - <Info> - enabling 'eve-log' module 'alert'
> 20/12/2015 -- 16:15:18 - <Info> - Adding interface eth0 from config file
> 20/12/2015 -- 16:15:18 - <Info> - Adding interface eth1 from config file
> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
> "management-cpu-set"
> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
> "receive-cpu-set"
> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
> "decode-cpu-set"
> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
> "stream-cpu-set"
> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
> "detect-cpu-set"
> 20/12/2015 -- 16:15:18 - <Info> - Using default prio 'medium'
> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
> "verdict-cpu-set"
> 20/12/2015 -- 16:15:18 - <Info> - Using default prio 'high'
> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
> "reject-cpu-set"
> 20/12/2015 -- 16:15:18 - <Info> - Using default prio 'low'
> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
> "output-cpu-set"
> 20/12/2015 -- 16:15:18 - <Info> - Using default prio 'medium'
> 20/12/2015 -- 16:15:18 - <Info> - Using flow cluster mode for PF_RING (iface
> eth0)
> 20/12/2015 -- 16:15:18 - <Info> - Going to use 2 thread(s)
> 20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 0
> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 2 for "RxPFReth01" Module to
> cpu/core 0, thread id 32120
> 20/12/2015 -- 16:15:18 - <Info> - (RxPFReth01) Using PF_RING v.6.1.1,
> interface eth0, cluster-id 99
> 20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 1
> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "RxPFReth02" Module to
> cpu/core 1, thread id 32154
> 20/12/2015 -- 16:15:18 - <Info> - (RxPFReth02) Using PF_RING v.6.1.1,
> interface eth0, cluster-id 99
> 20/12/2015 -- 16:15:18 - <Info> - Using flow cluster mode for PF_RING (iface
> eth1)
> 20/12/2015 -- 16:15:18 - <Info> - Going to use 2 thread(s)
> 20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 2
> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "RxPFReth11" Module to
> cpu/core 2, thread id 32186
> 20/12/2015 -- 16:15:18 - <Info> - (RxPFReth11) Using PF_RING v.6.1.1,
> interface eth1, cluster-id 98
> 20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 3
> 20/12/2015 -- 16:15:18 - <Info> - Setting prio -2 for "RxPFReth12" Module to
> cpu/core 3, thread id 32214
> 20/12/2015 -- 16:15:18 - <Info> - (RxPFReth12) Using PF_RING v.6.1.1,
> interface eth1, cluster-id 98
> 20/12/2015 -- 16:15:18 - <Info> - RunModeIdsPfringWorkers initialised
> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "FlowManagerThread"
> thread , thread id 32247
> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "SCPerfWakeupThread"
> thread , thread id 32248
> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "SCPerfMgmtThread"
> thread , thread id 32250
> 20/12/2015 -- 16:15:18 - <Notice> - all 4 packet processing threads, 3
> management threads initialized, engine started.
>
>
> On 20/12/2015 16:11, Peter Manev wrote:
>>
>> On Sun, Dec 20, 2015 at 2:43 PM, David Touzeau <david at articatech.com>
>> wrote:
>>>
>>>
>>> Hi, all
>>>
>>> As you can see, the main service consumes 52.4% on an Intel Core i7 for
>>> less than about 10MBS of bandwidth.
>>>
>>> root 31283 52.4 9.6 455496 773264 ? SNsl 14:16 6:29
>>> /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile
>>> /var/run/suricata/suricata.pid --pfring -D
>>>
>>> root 31283 65.1 9.6 455496 773264 ? SNsl 14:16 12:06
>>> /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile
>>> /var/run/suricata/suricata.pid --pfring -D
>>>
>>> Are there any tips to reduce this CPU consumption?
>>>
>>> Configuration:
>>>
>>> ####################################################################################
>>> %YAML 1.1
>>> ---
>>>
>>> runmode: workers
>>> host-mode: auto
>>> pid-file: /var/run/suricata.pid
>>> default-log-dir: /var/log/suricata/
>>> unix-command:
>>>   enabled: no
>>>
>>> outputs:
>>>
>>>
>>>   - fast:
>>>       enabled: no
>>>       filename: fast.log
>>>       append: yes
>>>
>>>   - eve-log:
>>>       enabled: yes
>>>       type: file
>>>       filename: eve.json
>>>       types:
>>>         - alert
>>>         #- drop
>>>
>>>
>>>   - unified2-alert:
>>>       enabled: no
>>>       filename: unified2.alert
>>>       sensor-id: 0
>>>
>>>       xff:
>>>         enabled: no
>>>         mode: extra-data
>>>         header: X-Forwarded-For
>>>
>>>   - http-log:
>>>       enabled: no
>>>       filename: http.log
>>>       append: yes
>>>
>>>
>>>   - tls-log:
>>>       enabled: no
>>>       filename: tls.log # File to store TLS logs.
>>>       append: yes
>>>       certs-log-dir: certs
>>>
>>>
>>>   - dns-log:
>>>       enabled: no
>>>       filename: dns.log
>>>       append: yes
>>>
>>>   - pcap-info:
>>>       enabled: no
>>>
>>>   - pcap-log:
>>>       enabled: no
>>>       filename: log.pcap
>>>       limit: 1000mb
>>>       max-files: 2000
>>>
>>>       mode: normal
>>>       use-stream-depth: no
>>>
>>>   - alert-debug:
>>>       enabled: no
>>>       filename: alert-debug.log
>>>       append: yes
>>>       filetype: regular
>>>
>>>   - alert-prelude:
>>>       enabled: no
>>>       profile: suricata
>>>       log-packet-content: no
>>>       log-packet-header: yes
>>>
>>>   - stats:
>>>       enabled: yes
>>>       filename: stats.log
>>>       interval: 10
>>>
>>>   - syslog:
>>>       enabled: no
>>>       identity: "suricata"
>>>       facility: local5
>>>
>>>
>>>   - drop:
>>>       enabled: no
>>>       filename: drop.log
>>>       append: yes
>>>       filetype: regular
>>>
>>>   - file-store:
>>>       enabled: no # set to yes to enable
>>>       log-dir: files # directory to store the files
>>>       force-magic: no # force logging magic on all stored files
>>>       force-md5: no # force logging of md5 checksums
>>>
>>>   - file-log:
>>>       enabled: no
>>>       filename: files-json.log
>>>       append: yes
>>>       filetype: regular
>>>       force-magic: yes
>>>       force-md5: yes
>>>
>>> magic-file: /usr/share/file/magic
>>>
>>> nfq:
>>>
>>>
>>> nflog:
>>>   - group: 2
>>>     buffer-size: 18432
>>>   - group: default
>>>     qthreshold: 1
>>>     qtimeout: 100
>>>     max-size: 20000
>>>
>>>
>>> af-packet:
>>>   - interface: eth1
>>>     threads: 1
>>>     cluster-id: 99
>>>     cluster-type: cluster_flow
>>>     defrag: yes
>>>     use-mmap: yes
>>>
>>>   - interface: eth1
>>>     threads: 1
>>>     cluster-id: 98
>>>     cluster-type: cluster_flow
>>>     defrag: yes
>>>
>>>   - interface: default
>>>
>>> legacy:
>>>   uricontent: enabled
>>>
>>> detect-engine:
>>>   - profile: medium
>>>   - custom-values:
>>>       toclient-src-groups: 2
>>>       toclient-dst-groups: 2
>>>       toclient-sp-groups: 2
>>>       toclient-dp-groups: 3
>>>       toserver-src-groups: 2
>>>       toserver-dst-groups: 4
>>>       toserver-sp-groups: 2
>>>       toserver-dp-groups: 25
>>>   - sgh-mpm-context: auto
>>>   - inspection-recursion-limit: 3000
>>>
>>> threading:
>>>   set-cpu-affinity: yes
>>>
>>>   cpu-affinity:
>>>     - management-cpu-set:
>>>         cpu: [ "all" ]
>>>
>>>     - receive-cpu-set:
>>>         cpu: [ 0 ] # include only these cpus in affinity settings
>>>
>>>     - decode-cpu-set:
>>>         cpu: [ 0, 1 ]
>>>         mode: "balanced"
>>>
>>>     - stream-cpu-set:
>>>         cpu: [ "0-1" ]
>>>
>>>     - detect-cpu-set:
>>>         cpu: [ "all" ]
>>>         mode: "exclusive"
>>>         prio:
>>>           low: [ 0 ]
>>>           medium: [ "1-2" ]
>>>           high: [ 3 ]
>>>           default: "medium"
>>>
>>>     - verdict-cpu-set:
>>>         cpu: [ 0 ]
>>>         prio:
>>>           default: "high"
>>>     - reject-cpu-set:
>>>         cpu: [ 0 ]
>>>         prio:
>>>           default: "low"
>>>     - output-cpu-set:
>>>         cpu: [ "all" ]
>>>         prio:
>>>           default: "medium"
>>>   #
>>>   detect-thread-ratio: 1.5
>>>
>>> # Cuda configuration.
>>> cuda:
>>>   mpm:
>>>     data-buffer-size-min-limit: 0
>>>     data-buffer-size-max-limit: 1500
>>>     cudabuffer-buffer-size: 500mb
>>>     gpu-transfer-size: 50mb
>>>     batching-timeout: 2000
>>>     device-id: 0
>>>     cuda-streams: 2
>>>
>>> mpm-algo: ac
>>>
>>> pattern-matcher:
>>>   - b2gc:
>>>       search-algo: B2gSearchBNDMq
>>>       hash-size: low
>>>       bf-size: medium
>>>   - b2gm:
>>>       search-algo: B2gSearchBNDMq
>>>       hash-size: low
>>>       bf-size: medium
>>>   - b2g:
>>>       search-algo: B2gSearchBNDMq
>>>       hash-size: low
>>>       bf-size: medium
>>>   - b3g:
>>>       search-algo: B3gSearchBNDMq
>>>       hash-size: low
>>>       bf-size: medium
>>>   - wumanber:
>>>       hash-size: low
>>>       bf-size: medium
>>>
>>> # Defrag settings:
>>>
>>> defrag:
>>>   memcap: 32mb
>>>   hash-size: 65536
>>>   trackers: 65535 # number of defragmented flows to follow
>>>   max-frags: 65535 # number of fragments to keep (higher than trackers)
>>>   prealloc: yes
>>>   timeout: 60
>>>
>>>
>>> flow:
>>>   memcap: 64mb
>>>   hash-size: 65536
>>>   prealloc: 10000
>>>   emergency-recovery: 30
>>>
>>> vlan:
>>>   use-for-tracking: true
>>>
>>>
>>> flow-timeouts:
>>>
>>>   default:
>>>     new: 30
>>>     established: 300
>>>     closed: 0
>>>     emergency-new: 10
>>>     emergency-established: 100
>>>     emergency-closed: 0
>>>   tcp:
>>>     new: 60
>>>     established: 3600
>>>     closed: 120
>>>     emergency-new: 10
>>>     emergency-established: 300
>>>     emergency-closed: 20
>>>   udp:
>>>     new: 30
>>>     established: 300
>>>     emergency-new: 10
>>>     emergency-established: 100
>>>   icmp:
>>>     new: 30
>>>     established: 300
>>>     emergency-new: 10
>>>     emergency-established: 100
>>>
>>> stream:
>>>   memcap: 32mb
>>>   checksum-validation: no # reject wrong csums
>>>   inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
>>>   reassembly:
>>>     memcap: 128mb
>>>     depth: 1mb # reassemble 1mb into a stream
>>>     toserver-chunk-size: 2560
>>>     toclient-chunk-size: 2560
>>>     randomize-chunk-size: yes
>>>
>>> host:
>>>   hash-size: 4096
>>>   prealloc: 1000
>>>   memcap: 16777216
>>>
>>> logging:
>>>
>>>   default-log-level: notice
>>>   #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
>>>   default-output-filter:
>>>
>>>   outputs:
>>>   - console:
>>>       enabled: yes
>>>   - file:
>>>       enabled: yes
>>>       filename: /var/log/suricata.log
>>>   - syslog:
>>>       enabled: yes
>>>       facility: syslog
>>>       format: "[%i] <%d> -- "
>>>
>>>
>>> mpipe:
>>>
>>>   load-balance: dynamic
>>>   iqueue-packets: 2048
>>>   inputs:
>>>   - interface: xgbe2
>>>   - interface: xgbe3
>>>   - interface: xgbe4
>>>
>>>
>>>   stack:
>>>     size128: 0
>>>     size256: 9
>>>     size512: 0
>>>     size1024: 0
>>>     size1664: 7
>>>     size4096: 0
>>>     size10386: 0
>>>     size16384: 0
>>>
>>>
>>> pfring:
>>>
>>>   - interface: eth0
>>>     threads: 2
>>>     cluster-id: 99
>>>     cluster-type: cluster_flow
>>>
>>>   - interface: eth1
>>>     threads: 2
>>>     cluster-id: 98
>>>     cluster-type: cluster_flow
>>>
>>>
>>> default-rule-path: /etc/suricata/rules
>>> rule-files:
>>>   - drop.rules
>>>   - dshield.rules
>>>   - emerging-activex.rules
>>>   - emerging-attack_response.rules
>>>   - emerging-malware.rules
>>>   - emerging-policy.rules
>>>   - emerging-scan.rules
>>>   - emerging-shellcode.rules
>>>   - emerging-trojan.rules
>>>   - emerging-web_client.rules
>>>   - emerging-worm.rules
>>>   - snort.rules
>>>
>>> classification-file: /etc/suricata/classification.config
>>> reference-config-file: /etc/suricata/reference.config
>>>
>>> vars:
>>>   address-groups:
>>>     HOME_NET: "[192.168.1.0/24,10.10.1.0/24]"
>>>     EXTERNAL_NET: "!$HOME_NET"
>>>     HTTP_SERVERS: "$HOME_NET"
>>>     SMTP_SERVERS: "$HOME_NET"
>>>     SQL_SERVERS: "$HOME_NET"
>>>     DNS_SERVERS: "$HOME_NET"
>>>     TELNET_SERVERS: "$HOME_NET"
>>>     AIM_SERVERS: "$EXTERNAL_NET"
>>>     DNP3_SERVER: "$HOME_NET"
>>>     DNP3_CLIENT: "$HOME_NET"
>>>     MODBUS_CLIENT: "$HOME_NET"
>>>     MODBUS_SERVER: "$HOME_NET"
>>>     ENIP_CLIENT: "$HOME_NET"
>>>     ENIP_SERVER: "$HOME_NET"
>>>
>>>   port-groups:
>>>     HTTP_PORTS: "80"
>>>     SHELLCODE_PORTS: "!80"
>>>     ORACLE_PORTS: 1521
>>>     SSH_PORTS: 22
>>>     DNP3_PORTS: 20000
>>>     FILE_DATA_PORTS: "[110,143]"
>>>
>>> action-order:
>>>   - pass
>>>   - drop
>>>   - reject
>>>   - alert
>>>
>>>
>>> host-os-policy:
>>>   windows: [0.0.0.0/0]
>>>   bsd: []
>>>   bsd-right: []
>>>   old-linux: []
>>>   linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
>>>   old-solaris: []
>>>   solaris: ["::1"]
>>>   hpux10: []
>>>   hpux11: []
>>>   irix: []
>>>   macos: []
>>>   vista: []
>>>   windows2k3: []
>>>
>>>
>>> asn1-max-frames: 256
>>>
>>> engine-analysis:
>>>   rules-fast-pattern: yes
>>>   rules: yes
>>>
>>> pcre:
>>>   match-limit: 3500
>>>   match-limit-recursion: 1500
>>>
>>> threshold-file: /etc/suricata/threshold.config
>>>
>>> app-layer:
>>>   protocols:
>>>     tls:
>>>       enabled: yes
>>>       detection-ports:
>>>         dp: 443
>>>     dcerpc:
>>>       enabled: yes
>>>     ftp:
>>>       enabled: yes
>>>     ssh:
>>>       enabled: yes
>>>     smtp:
>>>       enabled: yes
>>>     imap:
>>>       enabled: detection-only
>>>     msn:
>>>       enabled: detection-only
>>>     smb:
>>>       enabled: yes
>>>       detection-ports:
>>>         dp: 139
>>>     dns:
>>>
>>>       tcp:
>>>         enabled: yes
>>>         detection-ports:
>>>           dp: 53
>>>       udp:
>>>         enabled: yes
>>>         detection-ports:
>>>           dp: 53
>>>     http:
>>>       enabled: yes
>>>
>>>       libhtp:
>>>
>>>         default-config:
>>>           personality: IDS
>>>           request-body-limit: 3072
>>>           response-body-limit: 3072
>>>           request-body-minimal-inspect-size: 32kb
>>>           request-body-inspect-window: 4kb
>>>           response-body-minimal-inspect-size: 32kb
>>>           response-body-inspect-window: 4kb
>>>           double-decode-path: no
>>>           double-decode-query: no
>>>
>>>         server-config:
>>>
>>>
>>> profiling:
>>>   rules:
>>>     enabled: yes
>>>     filename: rule_perf.log
>>>     append: yes
>>>     sort: avgticks
>>>     limit: 100
>>>
>>>   keywords:
>>>     enabled: yes
>>>     filename: keyword_perf.log
>>>     append: yes
>>>
>>>   packets:
>>>     enabled: yes
>>>     filename: packet_stats.log
>>>     append: yes
>>>
>>>     csv:
>>>       enabled: no
>>>       filename: packet_stats.csv
>>>
>>>   locks:
>>>     enabled: no
>>>     filename: lock_stats.log
>>>     append: yes
>>> coredump:
>>>   max-dump: unlimited
>>>
>>> napatech:
>>>   hba: -1
>>>   use-all-streams: yes
>>>   streams: [1, 2, 3]
>>>
>>>
>>> ############################################################################################################
>>>
>>> Stats:
>>> Date: 12/20/2015 -- 14:16:48
>>>
>>> --------------------------------------------------------------------------
>>> Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
>>> -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
>>> 1        2021621      1        6        2472462      0.00   6        0        626418      412077.00   0.00        412077.00
>>> 2        2021529      1        3        2690096101   0.55   9463     0        4390290     284275.19   0.00        284275.19
>>> 3        2018005      1        6        1262809391   0.26   10390    0        14480148    121540.85   0.00        121540.85
>>> 4        2021993      1        2        3446612      0.00   34       0        158850      101370.94   0.00        101370.94
>>> 5        2018637      1        2        12935952     0.00   129      0        9942498     100278.70   0.00        100278.70
>>> 6        24787        1        3        9454741704   1.93   124029   124014   74818640    76230.09    0.00        630316113.60
>>> 7        2021276      1        3        75600        0.00   1        0        75600       75600.00    0.00        75600.00
>>> 8        25043        1        2        78320311     0.02   1043     0        7832052     75091.38    0.00        75091.38
>>> 9        2018457      1        1        789052728    0.16   10603    0        9742392     74417.87    0.00        74417.87
>>> 10       2022078      1        2        5036420      0.00   74       0        125892      68059.73    0.00        68059.73
>>> 11       32413        1        2        10957828     0.00   199      0        391374      55064.46    0.00        55064.46
>>> 12       2018604      1        5        319594       0.00   6        0        262260      53265.67    0.00        53265.67
>>> 13       31371        1        6        188502       0.00   4        0        76356       47125.50    0.00        47125.50
>>> 14       16425        1        17       1408770      0.00   30       30       56286       46959.00    46959.00    0.00
>>> 15       2014376      1        3        229054       0.00   5        0        63810       45810.80    0.00        45810.80
>>> 16       17733        1        12       3675860      0.00   86       52       74808       42742.56    49390.81    32574.65
>>> 17       2012970      1        2        2264024      0.00   56       0        89748       40429.00    0.00        40429.00
>>> 18       24791        1        3        4794438838   0.98   124030   124016   101016232   38655.48    0.00        342459917.00
>>> 19       2012969      1        2        2750828      0.00   73       0        239544      37682.58    0.00        37682.58
>>> 20       32412        1        2        14092239     0.00   374      0        151416      37679.78    0.00        37679.78
>>> 21       23224        1        6        37494        0.00   1        0        37494       37494.00    0.00        37494.00
>>> 22       32387        1        1        70722        0.00   2        0        69318       35361.00    0.00        35361.00
>>> 23       2012981      1        3        70560        0.00   2        0        37080       35280.00    0.00        35280.00
>>> 24       2017816      1        4        4166644      0.00   120      0        112896      34722.03    0.00        34722.03
>>> 25       2020781      1        4        5879307      0.00   175      0        249606      33596.04    0.00        33596.04
>>> 26       2018403      1        8        997676       0.00   30       0        46710       33255.87    0.00        33255.87
>>> 27       30134        1        1        4061564568   0.83   124035   124026   28903920    32745.31    0.00        451284952.00
>>> 28       2018264      1        8        641252       0.00   20       0        54720       32062.60    0.00        32062.60
>>> 29       17394        1        12       507772       0.00   16       16       61560       31735.75    31735.75    0.00
>>> 30       21288        1        8        2745335      0.00   87       87       71010       31555.57    31555.57    0.00
>>> 31       2018121      1        4        943150       0.00   30       0        56142       31438.33    0.00        31438.33
>>> 32       2014090      1        6        250596       0.00   8        0        65628       31324.50    0.00        31324.50
>>> 33       2007650      1        4        45356295     0.01   1455     0        4291452     31172.71    0.00        31172.71
>>> 34       31276        1        2        61704        0.00   2        0        31356       30852.00    0.00        30852.00
>>> 35       15468        1        13       29292        0.00   1        0        29292       29292.00    0.00        29292.00
>>> 36       2018581      1        2        875904       0.00   30       0        178812      29196.80    0.00        29196.80
>>> 37       2020791      1        2        4920368      0.00   175      0        225954      28116.39    0.00        28116.39
>>> 38       2016029      1        3        824358       0.00   30       0        36360       27478.60    0.00        27478.60
>>> 39       2020029      1        2        327394       0.00   12       0        47376       27282.83    0.00        27282.83
>>> 40       2012328      1        5        135298       0.00   5        0        33120       27059.60    0.00        27059.60
>>> 41       31274        1        1        1687170      0.00   63       0        155286      26780.48    0.00        26780.48
>>> 42       2019083      1        2        3530338      0.00   133      0        97164       26543.89    0.00        26543.89
>>> 43       31279        1        1        52524        0.00   2        0        26460       26262.00    0.00        26262.00
>>> 44       2014634      1        1        1757602      0.00   68       0        39690       25847.09    0.00        25847.09
>>> 45       2018295      1        3        900796       0.00   36       0        52560       25022.11    0.00        25022.11
>>> 46       2021245      1        4        747988       0.00   30       0        36090       24932.93    0.00        24932.93
>>> 47       24651        1        4        49284        0.00   2        0        24804       24642.00    0.00        24642.00
>>> 48       2020763      1        2        3023974      0.00   123      0        167220      24585.15    0.00        24585.15
>>> 49       2020800      1        2        3333830      0.00   136      0        87246       24513.46    0.00        24513.46
>>> 50       2020614      1        2        3913592      0.00   160      0        83772       24459.95    0.00        24459.95
>>> 51       2020609      1        4        3111426      0.00   130      0        89442       23934.05    0.00        23934.05
>>> 52       2019141      1        3        568974       0.00   24       0        28422       23707.25    0.00        23707.25
>>> 53       2019602      1        1        3171882      0.00   134      0        240822      23670.76    0.00        23670.76
>>> 54       2003287      1        6        466520       0.00   20       0        285516      23326.00    0.00        23326.00
>>> 55       2016922      1        10       3230312      0.00   139      0        91782       23239.65    0.00        23239.65
>>> 56       2020611      1        3        4594070      0.00   198      0        79056       23202.37    0.00        23202.37
>>> 57       17380        1        15       991624       0.00   43       43       59292       23061.02    23061.02    0.00
>>> 58       2020960      1        2        685418       0.00   30       0        30708       22847.27    0.00        22847.27
>>> 59       2018057      1        3        3583156      0.00   159      0        96030       22535.57    0.00        22535.57
>>> 60       2008782      1        5        2748390      0.00   122      0        69048       22527.79    0.00        22527.79
>>> 61       2020782      1        2        3130320      0.00   139      0        88110       22520.29    0.00        22520.29
>>> 62       2020613      1        3        3356494      0.00   150      0        82350       22376.63    0.00        22376.63
>>> 63       2020769      1        2        2636396      0.00   118      0        86958       22342.34    0.00        22342.34
>>> 64       2020586      1        3        2700166      0.00   122      0        90774       22132.51    0.00        22132.51
>>> 65       2020693      1        1        3049757      0.00   138      0        199368      22099.69    0.00        22099.69
>>> 66       2020799      1        2        3818200      0.00   173      0        120798      22070.52    0.00        22070.52
>>> 67       2006380      1        12       1300862      0.00   59       59       33912       22048.51    22048.51    0.00
>>> 68       2020786      1        2        3212030      0.00   146      0        101574      22000.21    0.00        22000.21
>>> 69       2017915      1        2        3046598      0.00   140      0        117576      21761.41    0.00        21761.41
>>> 70       2018880      1        2        3366284      0.00   155      0        94104       21717.96    0.00        21717.96
>>> 71       2020765      1        2        2808816      0.00   130      0        209520      21606.28    0.00        21606.28
>>> 72       2020784      1        2        2741601      0.00   127      0        95958       21587.41    0.00        21587.41
>>> 73       29189        1        1        1032558      0.00   48       0        33894       21511.62    0.00        21511.62
>>> 74       2020612      1        3        2967752      0.00   138      0        89262       21505.45    0.00        21505.45
>>> 75       2020773      1        2        3074056      0.00   144      0        83952       21347.61    0.00        21347.61
>>> 76       2017263      1        2        127458       0.00   6        0        23652       21243.00    0.00        21243.00
>>> 77       2018638      1        2        2883696      0.00   136      0        85752       21203.65    0.00        21203.65
>>> 78       2020766      1        2        2509209      0.00   119      0        211302      21085.79    0.00        21085.79
>>> 79       2018166      1        3        2357794      0.00   112      0        87714       21051.73    0.00        21051.73
>>> 80       2020795      1        2        2384326      0.00   114      0        84744       20915.14    0.00        20915.14
>>> 81       2020777      1        2        2078802      0.00   100      0        78840       20788.02    0.00        20788.02
>>> 82       2002878      1        8        41562        0.00   2        2        22698       20781.00    20781.00    0.00
>>> 83       2020798      1        2        2462538      0.00   119      0        81666       20693.60    0.00        20693.60
>>> 84       2021520      1        2        123524       0.00   6        0        27738       20587.33    0.00        20587.33
>>> 85       2017191      1        3        20466        0.00   1        0        20466       20466.00    0.00        20466.00
>>> 86       2017707      1        1        3006623      0.00   147      0        101628      20453.22    0.00        20453.22
>>> 87       2020606      1        4        3149168      0.00   154      0        199062      20449.14    0.00        20449.14
>>> 88       32986        1        1        81696        0.00   4        0        30438       20424.00    0.00        20424.00
>>> 89       2020793      1        2        2587716      0.00   127      0        221544      20375.72    0.00        20375.72
>>> 90       2020783      1        2        2678856      0.00   133      0        95346       20141.77    0.00        20141.77
>>> 91       2018153      1        4        1965170      0.00   98       0        81612       20052.76    0.00        20052.76
>>> 92       2020780      1        2        2449289      0.00   123      0        94428       19912.92    0.00        19912.92
>>> 93       2021065      1        2        2663188      0.00   134      0        205596      19874.54    0.00        19874.54
>>> 94       2020764      1        2        2873784      0.00   145      0        80622       19819.20    0.00        19819.20
>>> 95       2020694      1        1        2533778      0.00   128      0        89424       19795.14    0.00        19795.14
>>> 96       32396        1        2        39582        0.00   2        0        22158       19791.00    0.00        19791.00
>>> 97       2020770      1        2        2354850      0.00   119      0        95760       19788.66    0.00        19788.66
>>> 98       2016567      1        6        19674        0.00   1        0        19674       19674.00    0.00        19674.00
>>> 99       2021381      1        7        1075986      0.00   55       4        62748       19563.38    59044.50    16466.82
>>> 100      2020691      1        1        2385889      0.00   123      0        96552       19397.47    0.00        19397.47
>>>
>>>
>>> ############################################################################################################
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Suricata User Conference November 4 & 5 in Barcelona:
>>> http://oisfevents.net
>>
>>
>> Can you please post your suricata.log using pastebin or alike?
>> Please add "-v" to your start line.
>>
>> What is the output of -
>> modinfo pf_ring && cat /proc/net/pf_ring/info
>> ?
>>
>> Thank you
>>
>>
>>
>
Try increasing the value of max-pending-packets.
You don't have it in your yaml - so you need to add it in.
Do you have anything else running on that box? (is it just Suri?)
Thanks
--
Regards,
Peter Manev
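The rule profiling dump quoted in the thread is what the `profiling.rules` block of the posted suricata.yaml writes to rule_perf.log. The following added example (not code from the thread or from the Suricata project) parses that format and ranks the signatures by where the detect engine's ticks go; its sample input is constructed from a few rows of the posted dump, and the 0.9 / 3.0 thresholds are assumptions, not Suricata settings.

```python
"""Rank Suricata rule_perf.log output by CPU cost.

Added example, not code from the thread or the Suricata project. It parses
the rows written by the `profiling.rules` block in the posted suricata.yaml.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List

# Constructed sample input: rows copied from the dump posted in the thread,
# in the one-row-per-line layout rule_perf.log uses on disk.
SAMPLE_RULE_PERF = """\
Stats:
Date: 12/20/2015 -- 14:16:48

  Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        2021621      1        6        2472462      0.00   6        0        626418      412077.00   0.00        412077.00
  2        2021529      1        3        2690096101   0.55   9463     0        4390290     284275.19   0.00        284275.19
  3        2018005      1        6        1262809391   0.26   10390    0        14480148    121540.85   0.00        121540.85
  4        24787        1        3        9454741704   1.93   124029   124014   74818640    76230.09    0.00        630316113.60
  5        24791        1        3        4794438838   0.98   124030   124016   101016232   38655.48    0.00        342459917.00
  6        30134        1        1        4061564568   0.83   124035   124026   28903920    32745.31    0.00        451284952.00
  7        2007650      1        4        45356295     0.01   1455     0        4291452     31172.71    0.00        31172.71
"""

@dataclass
class RuleStat:
    sid: int
    ticks: int        # total detect-engine ticks spent in this rule
    checks: int       # how often the rule was evaluated at all
    matches: int
    avg_ticks: float  # ticks per check as reported by Suricata

    @property
    def match_ratio(self) -> float:
        return self.matches / self.checks if self.checks else 0.0

def parse_rule_perf(text: str) -> List[RuleStat]:
    """Return the data rows of a rule_perf.log dump; header and ruler lines are skipped."""
    rows: List[RuleStat] = []
    for line in text.splitlines():
        f = line.split()
        # A data row has exactly 12 whitespace-separated fields and numeric Num/Rule columns.
        if len(f) != 12 or not (f[0].isdigit() and f[1].isdigit()):
            continue
        rows.append(RuleStat(sid=int(f[1]), ticks=int(f[4]), checks=int(f[6]),
                             matches=int(f[7]), avg_ticks=float(f[9])))
    return rows

def top_by_ticks(rows: List[RuleStat], n: int = 3) -> List[RuleStat]:
    """Rules that consumed the most total ticks: the direct answer to 'who eats the CPU'."""
    return sorted(rows, key=lambda r: r.ticks, reverse=True)[:n]

def checked_everywhere(rows: List[RuleStat], share: float = 0.9) -> List[RuleStat]:
    """Rules evaluated on at least `share` of the checks the busiest rule saw; prefiltering
    (fast_pattern, ports, flow direction) is not narrowing them, so every packet pays."""
    if not rows:
        return []
    most = max(r.checks for r in rows)
    return [r for r in rows if r.checks >= share * most]

def expensive_per_check(rows: List[RuleStat], factor: float = 3.0) -> List[RuleStat]:
    """Rules whose average cost per check exceeds `factor` times the median."""
    if not rows:
        return []
    med = median(r.avg_ticks for r in rows)
    return [r for r in rows if r.avg_ticks > factor * med]

def ticks_share(rows: List[RuleStat]) -> Dict[int, float]:
    """Fraction of the listed rules' total ticks attributable to each sid."""
    total = sum(r.ticks for r in rows)
    return {r.sid: r.ticks / total for r in rows} if total else {}

if __name__ == "__main__":
    stats = parse_rule_perf(SAMPLE_RULE_PERF)
    share = ticks_share(stats)
    for r in top_by_ticks(stats):
        print(f"sid {r.sid}: {share[r.sid]:.1%} of ticks, {r.checks} checks, "
              f"match ratio {r.match_ratio:.2f}")
    print("checked on nearly every packet:", [r.sid for r in checked_everywhere(stats)])
    print("costly per check:", [r.sid for r in expensive_per_check(stats)])
```

On the posted data the three snort.rules signatures 24787, 24791 and 30134 are both the biggest tick consumers and the ones checked on every packet, which is where a tuning effort would start.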