[Oisf-users] Suricata consume more than 50% CPU
David Touzeau
david at articatech.com
Sun Dec 20 16:30:48 UTC 2015
Hi
I have increased max-pending-packets to 2048.
The box is a gateway box that loads Squid Proxy software in
transparent mode, Apache, PostgreSQL and MySQL for about 100 users.
When stopping the Suricata service, load decreases from 1.7 to 0.3.
Box is an Intel Core i7 + 8GB memory + 250GB SSD.
Currently Suricata consumes about 9-11% CPU and 650MB of memory.
It is the top process consuming memory and CPU:
root 22397 9.3 6.5 380872 523408 ? Ssl 17:19 0:31
/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile
/var/run/suricata/suricata.pid --pfring -D
Is there something I can tweak to decrease the consumption again
(remove some flow scanners)?
Best regards
Le 20/12/2015 16:37, Peter Manev a écrit :
> On Sun, Dec 20, 2015 at 4:17 PM, David Touzeau <david at articatech.com> wrote:
>> Thanks Peter, here is the requested information:
>>
>> PF_RING:
>>
>> modinfo pf_ring && cat /proc/net/pf_ring/info
>> filename: /lib/modules/3.2.0-4-amd64/kernel/net/pf_ring/pf_ring.ko
>> alias: net-pf-27
>> description: Packet capture acceleration and analysis
>> author: ntop.org
>> license: GPL
>> depends:
>> vermagic: 3.2.0-4-amd64 SMP mod_unload modversions
>> parm: min_num_slots:Min number of ring slots (uint)
>> parm: perfect_rules_hash_size:Perfect rules hash size (uint)
>> parm: transparent_mode:(deprecated) (uint)
>> parm: enable_debug:Set to 1 to enable PF_RING debug tracing into
>> the syslog (uint)
>> parm: enable_tx_capture:Set to 1 to capture outgoing packets
>> (uint)
>> parm: enable_frag_coherence:Set to 1 to handle fragments (flow
>> coherence) in clusters (uint)
>> parm: enable_ip_defrag:Set to 1 to enable IP defragmentation(only
>> rx traffic is defragmentead) (uint)
>> parm: quick_mode:Set to 1 to run at full speed but with upto one
>> socket per interface (uint)
>> PF_RING Version : 6.1.1
>> (dev:03645d72194bf671201728c1e947f365883935c7)
>> Total rings : 4
>>
>> Standard (non DNA/ZC) Options
>> Ring slots : 65534
>> Slot version : 16
>> Capture TX : Yes [RX+TX]
>> IP Defragment : No
>> Socket Mode : Standard
>> Total plugins : 0
>> Cluster Fragment Queue : 0
>> Cluster Fragment Discard : 0
>>
>>
>>
>> Here it is the start in verbose:
>>
>>
>> 20/12/2015 -- 16:15:16 - <Notice> - This is Suricata version 2.0.10 RELEASE
>> 20/12/2015 -- 16:15:16 - <Info> - CPUs/cores online: 4
>> 20/12/2015 -- 16:15:16 - <Info> - 'default' server has
>> 'request-body-minimal-inspect-size' set to 33882 and
>> 'request-body-inspect-window' set to 4053 after randomization.
>> 20/12/2015 -- 16:15:16 - <Info> - 'default' server has
>> 'response-body-minimal-inspect-size' set to 33695 and
>> 'response-body-inspect-window' set to 4218 after randomization.
>> 20/12/2015 -- 16:15:16 - <Info> - DNS request flood protection level: 500
>> 20/12/2015 -- 16:15:16 - <Info> - DNS per flow memcap (state-memcap): 524288
>> 20/12/2015 -- 16:15:16 - <Info> - DNS global memcap: 16777216
>> 20/12/2015 -- 16:15:16 - <Info> - allocated 3670016 bytes of memory for the
>> defrag hash... 65536 buckets of size 56
>> 20/12/2015 -- 16:15:16 - <Info> - preallocated 65535 defrag trackers of size
>> 168
>> 20/12/2015 -- 16:15:16 - <Info> - defrag memory usage: 14679896 bytes,
>> maximum: 33554432
>> 20/12/2015 -- 16:15:16 - <Info> - AutoFP mode using default "Active Packets"
>> flow load balancer
>> 20/12/2015 -- 16:15:16 - <Info> - preallocated 1024 packets. Total memory
>> 3573760
>> 20/12/2015 -- 16:15:16 - <Info> - allocated 262144 bytes of memory for the
>> host hash... 4096 buckets of size 64
>> 20/12/2015 -- 16:15:16 - <Info> - preallocated 1000 hosts of size 112
>> 20/12/2015 -- 16:15:16 - <Info> - host memory usage: 390144 bytes, maximum:
>> 16777216
>> 20/12/2015 -- 16:15:16 - <Info> - allocated 4194304 bytes of memory for the
>> flow hash... 65536 buckets of size 64
>> 20/12/2015 -- 16:15:16 - <Info> - preallocated 10000 flows of size 280
>> 20/12/2015 -- 16:15:16 - <Info> - flow memory usage: 7074304 bytes, maximum:
>> 67108864
>> 20/12/2015 -- 16:15:16 - <Info> - stream "prealloc-sessions": 2048 (per
>> thread)
>> 20/12/2015 -- 16:15:16 - <Info> - stream "memcap": 33554432
>> 20/12/2015 -- 16:15:16 - <Info> - stream "midstream" session pickups:
>> disabled
>> 20/12/2015 -- 16:15:16 - <Info> - stream "async-oneside": disabled
>> 20/12/2015 -- 16:15:16 - <Info> - stream "checksum-validation": disabled
>> 20/12/2015 -- 16:15:16 - <Info> - stream."inline": disabled
>> 20/12/2015 -- 16:15:16 - <Info> - stream "max-synack-queued": 5
>> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "memcap": 134217728
>> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "depth": 1048576
>> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "toserver-chunk-size":
>> 2587
>> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "toclient-chunk-size":
>> 2593
>> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly.raw: enabled
>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 4, prealloc 256
>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 16, prealloc 512
>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 112, prealloc 512
>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 248, prealloc 512
>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 512, prealloc 512
>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 768, prealloc 1024
>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 1448, prealloc 1024
>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 65535, prealloc 128
>> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "chunk-prealloc": 250
>> 20/12/2015 -- 16:15:16 - <Info> - IP reputation disabled
>> 20/12/2015 -- 16:15:16 - <Info> - Registered 106 keyword profiling counters.
>> 20/12/2015 -- 16:15:16 - <Info> - using magic-file /usr/share/file/magic
>> 20/12/2015 -- 16:15:16 - <Info> - Delayed detect disabled
>> 20/12/2015 -- 16:15:17 - <Info> - 11 rule files processed. 6557 rules
>> successfully loaded, 0 rules failed
>> 20/12/2015 -- 16:15:17 - <Info> - 6557 signatures processed. 30 are IP-only
>> rules, 3222 are inspecting packet payload, 4746 inspect application layer, 0
>> are decoder event only
>> 20/12/2015 -- 16:15:17 - <Info> - building signature grouping structure,
>> stage 1: preprocessing rules... complete
>> 20/12/2015 -- 16:15:17 - <Info> - building signature grouping structure,
>> stage 2: building source address list... complete
>> 20/12/2015 -- 16:15:17 - <Info> - building signature grouping structure,
>> stage 3: building destination address lists... complete
>> 20/12/2015 -- 16:15:18 - <Info> - Registered 6557 rule profiling counters.
>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] -
>> can't suppress sid 2013028, gid 1: unknown rule
>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] -
>> can't suppress sid 2006380, gid 1: unknown rule
>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] -
>> can't suppress sid 2013504, gid 1: unknown rule
>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] -
>> can't suppress sid 2012141, gid 1: unknown rule
>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] -
>> can't suppress sid 2002878, gid 1: unknown rule
>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] -
>> can't suppress sid 2002157, gid 1: unknown rule
>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] -
>> can't suppress sid 2012648, gid 1: unknown rule
>> 20/12/2015 -- 16:15:18 - <Info> - Threshold config parsed: 7 rule(s) found
>> 20/12/2015 -- 16:15:18 - <Info> - Core dump size set to unlimited.
>> 20/12/2015 -- 16:15:18 - <Info> - eve-log output device (regular)
>> initialized: eve.json
>> 20/12/2015 -- 16:15:18 - <Info> - returning output_ctx 0x55f3b70
>> 20/12/2015 -- 16:15:18 - <Info> - enabling 'eve-log' module 'alert'
>> 20/12/2015 -- 16:15:18 - <Info> - Adding interface eth0 from config file
>> 20/12/2015 -- 16:15:18 - <Info> - Adding interface eth1 from config file
>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
>> "management-cpu-set"
>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
>> "receive-cpu-set"
>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
>> "decode-cpu-set"
>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
>> "stream-cpu-set"
>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
>> "detect-cpu-set"
>> 20/12/2015 -- 16:15:18 - <Info> - Using default prio 'medium'
>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
>> "verdict-cpu-set"
>> 20/12/2015 -- 16:15:18 - <Info> - Using default prio 'high'
>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
>> "reject-cpu-set"
>> 20/12/2015 -- 16:15:18 - <Info> - Using default prio 'low'
>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for
>> "output-cpu-set"
>> 20/12/2015 -- 16:15:18 - <Info> - Using default prio 'medium'
>> 20/12/2015 -- 16:15:18 - <Info> - Using flow cluster mode for PF_RING (iface
>> eth0)
>> 20/12/2015 -- 16:15:18 - <Info> - Going to use 2 thread(s)
>> 20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 0
>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 2 for "RxPFReth01" Module to
>> cpu/core 0, thread id 32120
>> 20/12/2015 -- 16:15:18 - <Info> - (RxPFReth01) Using PF_RING v.6.1.1,
>> interface eth0, cluster-id 99
>> 20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 1
>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "RxPFReth02" Module to
>> cpu/core 1, thread id 32154
>> 20/12/2015 -- 16:15:18 - <Info> - (RxPFReth02) Using PF_RING v.6.1.1,
>> interface eth0, cluster-id 99
>> 20/12/2015 -- 16:15:18 - <Info> - Using flow cluster mode for PF_RING (iface
>> eth1)
>> 20/12/2015 -- 16:15:18 - <Info> - Going to use 2 thread(s)
>> 20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 2
>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "RxPFReth11" Module to
>> cpu/core 2, thread id 32186
>> 20/12/2015 -- 16:15:18 - <Info> - (RxPFReth11) Using PF_RING v.6.1.1,
>> interface eth1, cluster-id 98
>> 20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 3
>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio -2 for "RxPFReth12" Module to
>> cpu/core 3, thread id 32214
>> 20/12/2015 -- 16:15:18 - <Info> - (RxPFReth12) Using PF_RING v.6.1.1,
>> interface eth1, cluster-id 98
>> 20/12/2015 -- 16:15:18 - <Info> - RunModeIdsPfringWorkers initialised
>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "FlowManagerThread"
>> thread , thread id 32247
>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "SCPerfWakeupThread"
>> thread , thread id 32248
>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "SCPerfMgmtThread"
>> thread , thread id 32250
>> 20/12/2015 -- 16:15:18 - <Notice> - all 4 packet processing threads, 3
>> management threads initialized, engine started.
>>
>>
>> Le 20/12/2015 16:11, Peter Manev a écrit :
>>> On Sun, Dec 20, 2015 at 2:43 PM, David Touzeau <david at articatech.com>
>>> wrote:
>>>>
>>>> Hi, all
>>>>
>>>> As you can see, the main service consumes 52.4% on an Intel Core i7 for
>>>> less than about 10MBS of bandwidth.
>>>>
>>>> root 31283 52.4 9.6 455496 773264 ? SNsl 14:16 6:29
>>>> /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile
>>>> /var/run/suricata/suricata.pid --pfring -D
>>>>
>>>> root 31283 65.1 9.6 455496 773264 ? SNsl 14:16 12:06
>>>> /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile
>>>> /var/run/suricata/suricata.pid --pfring -D
>>>>
>>>> Are there any tips to reduce this CPU consumption?
>>>>
>>>> Configuration:
>>>>
>>>> ####################################################################################
>>>> %YAML 1.1
>>>> ---
>>>>
>>>> runmode: workers
>>>> host-mode: auto
>>>> pid-file: /var/run/suricata.pid
>>>> default-log-dir: /var/log/suricata/
>>>> unix-command:
>>>>   enabled: no
>>>>
>>>> outputs:
>>>>
>>>>   - fast:
>>>>       enabled: no
>>>>       filename: fast.log
>>>>       append: yes
>>>>
>>>>   - eve-log:
>>>>       enabled: yes
>>>>       type: file
>>>>       filename: eve.json
>>>>       types:
>>>>         - alert
>>>>         #- drop
>>>>
>>>>   - unified2-alert:
>>>>       enabled: no
>>>>       filename: unified2.alert
>>>>       sensor-id: 0
>>>>
>>>>       xff:
>>>>         enabled: no
>>>>         mode: extra-data
>>>>         header: X-Forwarded-For
>>>>
>>>>   - http-log:
>>>>       enabled: no
>>>>       filename: http.log
>>>>       append: yes
>>>>
>>>>   - tls-log:
>>>>       enabled: no
>>>>       filename: tls.log # File to store TLS logs.
>>>>       append: yes
>>>>       certs-log-dir: certs
>>>>
>>>>   - dns-log:
>>>>       enabled: no
>>>>       filename: dns.log
>>>>       append: yes
>>>>
>>>>   - pcap-info:
>>>>       enabled: no
>>>>
>>>>   - pcap-log:
>>>>       enabled: no
>>>>       filename: log.pcap
>>>>       limit: 1000mb
>>>>       max-files: 2000
>>>>
>>>>       mode: normal
>>>>       use-stream-depth: no
>>>>
>>>>   - alert-debug:
>>>>       enabled: no
>>>>       filename: alert-debug.log
>>>>       append: yes
>>>>       filetype: regular
>>>>
>>>>   - alert-prelude:
>>>>       enabled: no
>>>>       profile: suricata
>>>>       log-packet-content: no
>>>>       log-packet-header: yes
>>>>
>>>>   - stats:
>>>>       enabled: yes
>>>>       filename: stats.log
>>>>       interval: 10
>>>>
>>>>   - syslog:
>>>>       enabled: no
>>>>       identity: "suricata"
>>>>       facility: local5
>>>>
>>>>   - drop:
>>>>       enabled: no
>>>>       filename: drop.log
>>>>       append: yes
>>>>       filetype: regular
>>>>
>>>>   - file-store:
>>>>       enabled: no # set to yes to enable
>>>>       log-dir: files # directory to store the files
>>>>       force-magic: no # force logging magic on all stored files
>>>>       force-md5: no # force logging of md5 checksums
>>>>
>>>>   - file-log:
>>>>       enabled: no
>>>>       filename: files-json.log
>>>>       append: yes
>>>>       filetype: regular
>>>>       force-magic: yes
>>>>       force-md5: yes
>>>>
>>>> magic-file: /usr/share/file/magic
>>>>
>>>> nfq:
>>>>
>>>> nflog:
>>>>   - group: 2
>>>>     buffer-size: 18432
>>>>   - group: default
>>>>     qthreshold: 1
>>>>     qtimeout: 100
>>>>     max-size: 20000
>>>>
>>>> af-packet:
>>>>   - interface: eth1
>>>>     threads: 1
>>>>     cluster-id: 99
>>>>     cluster-type: cluster_flow
>>>>     defrag: yes
>>>>     use-mmap: yes
>>>>
>>>>   - interface: eth1
>>>>     threads: 1
>>>>     cluster-id: 98
>>>>     cluster-type: cluster_flow
>>>>     defrag: yes
>>>>
>>>>   - interface: default
>>>>
>>>> legacy:
>>>>   uricontent: enabled
>>>>
>>>> detect-engine:
>>>>   - profile: medium
>>>>   - custom-values:
>>>>       toclient-src-groups: 2
>>>>       toclient-dst-groups: 2
>>>>       toclient-sp-groups: 2
>>>>       toclient-dp-groups: 3
>>>>       toserver-src-groups: 2
>>>>       toserver-dst-groups: 4
>>>>       toserver-sp-groups: 2
>>>>       toserver-dp-groups: 25
>>>>   - sgh-mpm-context: auto
>>>>   - inspection-recursion-limit: 3000
>>>>
>>>> threading:
>>>>   set-cpu-affinity: yes
>>>>
>>>>   cpu-affinity:
>>>>     - management-cpu-set:
>>>>         cpu: [ "all" ]
>>>>
>>>>     - receive-cpu-set:
>>>>         cpu: [ 0 ] # include only these cpus in affinity settings
>>>>
>>>>     - decode-cpu-set:
>>>>         cpu: [ 0, 1 ]
>>>>         mode: "balanced"
>>>>
>>>>     - stream-cpu-set:
>>>>         cpu: [ "0-1" ]
>>>>
>>>>     - detect-cpu-set:
>>>>         cpu: [ "all" ]
>>>>         mode: "exclusive"
>>>>         prio:
>>>>           low: [ 0 ]
>>>>           medium: [ "1-2" ]
>>>>           high: [ 3 ]
>>>>           default: "medium"
>>>>
>>>>     - verdict-cpu-set:
>>>>         cpu: [ 0 ]
>>>>         prio:
>>>>           default: "high"
>>>>     - reject-cpu-set:
>>>>         cpu: [ 0 ]
>>>>         prio:
>>>>           default: "low"
>>>>     - output-cpu-set:
>>>>         cpu: [ "all" ]
>>>>         prio:
>>>>           default: "medium"
>>>>   #
>>>>   detect-thread-ratio: 1.5
>>>>
>>>> # Cuda configuration.
>>>> cuda:
>>>>   mpm:
>>>>     data-buffer-size-min-limit: 0
>>>>     data-buffer-size-max-limit: 1500
>>>>     cudabuffer-buffer-size: 500mb
>>>>     gpu-transfer-size: 50mb
>>>>     batching-timeout: 2000
>>>>     device-id: 0
>>>>     cuda-streams: 2
>>>>
>>>> mpm-algo: ac
>>>>
>>>> pattern-matcher:
>>>>   - b2gc:
>>>>       search-algo: B2gSearchBNDMq
>>>>       hash-size: low
>>>>       bf-size: medium
>>>>   - b2gm:
>>>>       search-algo: B2gSearchBNDMq
>>>>       hash-size: low
>>>>       bf-size: medium
>>>>   - b2g:
>>>>       search-algo: B2gSearchBNDMq
>>>>       hash-size: low
>>>>       bf-size: medium
>>>>   - b3g:
>>>>       search-algo: B3gSearchBNDMq
>>>>       hash-size: low
>>>>       bf-size: medium
>>>>   - wumanber:
>>>>       hash-size: low
>>>>       bf-size: medium
>>>>
>>>> # Defrag settings:
>>>>
>>>> defrag:
>>>>   memcap: 32mb
>>>>   hash-size: 65536
>>>>   trackers: 65535 # number of defragmented flows to follow
>>>>   max-frags: 65535 # number of fragments to keep (higher than trackers)
>>>>   prealloc: yes
>>>>   timeout: 60
>>>>
>>>> flow:
>>>>   memcap: 64mb
>>>>   hash-size: 65536
>>>>   prealloc: 10000
>>>>   emergency-recovery: 30
>>>>
>>>> vlan:
>>>>   use-for-tracking: true
>>>>
>>>> flow-timeouts:
>>>>
>>>>   default:
>>>>     new: 30
>>>>     established: 300
>>>>     closed: 0
>>>>     emergency-new: 10
>>>>     emergency-established: 100
>>>>     emergency-closed: 0
>>>>   tcp:
>>>>     new: 60
>>>>     established: 3600
>>>>     closed: 120
>>>>     emergency-new: 10
>>>>     emergency-established: 300
>>>>     emergency-closed: 20
>>>>   udp:
>>>>     new: 30
>>>>     established: 300
>>>>     emergency-new: 10
>>>>     emergency-established: 100
>>>>   icmp:
>>>>     new: 30
>>>>     established: 300
>>>>     emergency-new: 10
>>>>     emergency-established: 100
>>>>
>>>> stream:
>>>>   memcap: 32mb
>>>>   checksum-validation: no # reject wrong csums
>>>>   inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
>>>>   reassembly:
>>>>     memcap: 128mb
>>>>     depth: 1mb # reassemble 1mb into a stream
>>>>     toserver-chunk-size: 2560
>>>>     toclient-chunk-size: 2560
>>>>     randomize-chunk-size: yes
>>>>
>>>> host:
>>>>   hash-size: 4096
>>>>   prealloc: 1000
>>>>   memcap: 16777216
>>>>
>>>> logging:
>>>>
>>>>   default-log-level: notice
>>>>   #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
>>>>   default-output-filter:
>>>>
>>>>   outputs:
>>>>   - console:
>>>>       enabled: yes
>>>>   - file:
>>>>       enabled: yes
>>>>       filename: /var/log/suricata.log
>>>>   - syslog:
>>>>       enabled: yes
>>>>       facility: syslog
>>>>       format: "[%i] <%d> -- "
>>>>
>>>> mpipe:
>>>>
>>>>   load-balance: dynamic
>>>>   iqueue-packets: 2048
>>>>   inputs:
>>>>   - interface: xgbe2
>>>>   - interface: xgbe3
>>>>   - interface: xgbe4
>>>>
>>>>   stack:
>>>>     size128: 0
>>>>     size256: 9
>>>>     size512: 0
>>>>     size1024: 0
>>>>     size1664: 7
>>>>     size4096: 0
>>>>     size10386: 0
>>>>     size16384: 0
>>>>
>>>> pfring:
>>>>
>>>>   - interface: eth0
>>>>     threads: 2
>>>>     cluster-id: 99
>>>>     cluster-type: cluster_flow
>>>>
>>>>   - interface: eth1
>>>>     threads: 2
>>>>     cluster-id: 98
>>>>     cluster-type: cluster_flow
>>>>
>>>> default-rule-path: /etc/suricata/rules
>>>> rule-files:
>>>>   - drop.rules
>>>>   - dshield.rules
>>>>   - emerging-activex.rules
>>>>   - emerging-attack_response.rules
>>>>   - emerging-malware.rules
>>>>   - emerging-policy.rules
>>>>   - emerging-scan.rules
>>>>   - emerging-shellcode.rules
>>>>   - emerging-trojan.rules
>>>>   - emerging-web_client.rules
>>>>   - emerging-worm.rules
>>>>   - snort.rules
>>>>
>>>> classification-file: /etc/suricata/classification.config
>>>> reference-config-file: /etc/suricata/reference.config
>>>>
>>>> vars:
>>>>   address-groups:
>>>>     HOME_NET: "[192.168.1.0/24,10.10.1.0/24]"
>>>>     EXTERNAL_NET: "!$HOME_NET"
>>>>     HTTP_SERVERS: "$HOME_NET"
>>>>     SMTP_SERVERS: "$HOME_NET"
>>>>     SQL_SERVERS: "$HOME_NET"
>>>>     DNS_SERVERS: "$HOME_NET"
>>>>     TELNET_SERVERS: "$HOME_NET"
>>>>     AIM_SERVERS: "$EXTERNAL_NET"
>>>>     DNP3_SERVER: "$HOME_NET"
>>>>     DNP3_CLIENT: "$HOME_NET"
>>>>     MODBUS_CLIENT: "$HOME_NET"
>>>>     MODBUS_SERVER: "$HOME_NET"
>>>>     ENIP_CLIENT: "$HOME_NET"
>>>>     ENIP_SERVER: "$HOME_NET"
>>>>
>>>>   port-groups:
>>>>     HTTP_PORTS: "80"
>>>>     SHELLCODE_PORTS: "!80"
>>>>     ORACLE_PORTS: 1521
>>>>     SSH_PORTS: 22
>>>>     DNP3_PORTS: 20000
>>>>     FILE_DATA_PORTS: "[110,143]"
>>>>
>>>> action-order:
>>>>   - pass
>>>>   - drop
>>>>   - reject
>>>>   - alert
>>>>
>>>> host-os-policy:
>>>>   windows: [0.0.0.0/0]
>>>>   bsd: []
>>>>   bsd-right: []
>>>>   old-linux: []
>>>>   linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
>>>>   old-solaris: []
>>>>   solaris: ["::1"]
>>>>   hpux10: []
>>>>   hpux11: []
>>>>   irix: []
>>>>   macos: []
>>>>   vista: []
>>>>   windows2k3: []
>>>>
>>>> asn1-max-frames: 256
>>>>
>>>> engine-analysis:
>>>>   rules-fast-pattern: yes
>>>>   rules: yes
>>>>
>>>> pcre:
>>>>   match-limit: 3500
>>>>   match-limit-recursion: 1500
>>>>
>>>> threshold-file: /etc/suricata/threshold.config
>>>>
>>>> app-layer:
>>>>   protocols:
>>>>     tls:
>>>>       enabled: yes
>>>>       detection-ports:
>>>>         dp: 443
>>>>     dcerpc:
>>>>       enabled: yes
>>>>     ftp:
>>>>       enabled: yes
>>>>     ssh:
>>>>       enabled: yes
>>>>     smtp:
>>>>       enabled: yes
>>>>     imap:
>>>>       enabled: detection-only
>>>>     msn:
>>>>       enabled: detection-only
>>>>     smb:
>>>>       enabled: yes
>>>>       detection-ports:
>>>>         dp: 139
>>>>     dns:
>>>>
>>>>       tcp:
>>>>         enabled: yes
>>>>         detection-ports:
>>>>           dp: 53
>>>>       udp:
>>>>         enabled: yes
>>>>         detection-ports:
>>>>           dp: 53
>>>>     http:
>>>>       enabled: yes
>>>>
>>>>       libhtp:
>>>>
>>>>         default-config:
>>>>           personality: IDS
>>>>           request-body-limit: 3072
>>>>           response-body-limit: 3072
>>>>           request-body-minimal-inspect-size: 32kb
>>>>           request-body-inspect-window: 4kb
>>>>           response-body-minimal-inspect-size: 32kb
>>>>           response-body-inspect-window: 4kb
>>>>           double-decode-path: no
>>>>           double-decode-query: no
>>>>
>>>>         server-config:
>>>>
>>>> profiling:
>>>>   rules:
>>>>     enabled: yes
>>>>     filename: rule_perf.log
>>>>     append: yes
>>>>     sort: avgticks
>>>>     limit: 100
>>>>
>>>>   keywords:
>>>>     enabled: yes
>>>>     filename: keyword_perf.log
>>>>     append: yes
>>>>
>>>>   packets:
>>>>     enabled: yes
>>>>     filename: packet_stats.log
>>>>     append: yes
>>>>
>>>>     csv:
>>>>       enabled: no
>>>>       filename: packet_stats.csv
>>>>
>>>>   locks:
>>>>     enabled: no
>>>>     filename: lock_stats.log
>>>>     append: yes
>>>>
>>>> coredump:
>>>>   max-dump: unlimited
>>>>
>>>> napatech:
>>>>   hba: -1
>>>>   use-all-streams: yes
>>>>   streams: [1, 2, 3]
>>>>
>>>> ############################################################################################################
>>>>
>>>> Stats:
>>>> Date: 12/20/2015 -- 14:16:48
>>>>
>>>> --------------------------------------------------------------------------
>>>> Num  Rule     Gid  Rev  Ticks       %     Checks  Matches  Max Ticks  Avg Ticks  Avg Match  Avg No Match
>>>> ---  -------  ---  ---  ----------  ----  ------  -------  ---------  ---------  ---------  ------------
>>>> 1    2021621  1    6    2472462     0.00  6       0        626418     412077.00  0.00       412077.00
>>>> 2    2021529  1    3    2690096101  0.55  9463    0        4390290    284275.19  0.00       284275.19
>>>> 3    2018005  1    6    1262809391  0.26  10390   0        14480148   121540.85  0.00       121540.85
>>>> 4    2021993  1    2    3446612     0.00  34      0        158850     101370.94  0.00       101370.94
>>>> 5    2018637  1    2    12935952    0.00  129     0        9942498    100278.70  0.00       100278.70
>>>> 6    24787    1    3    9454741704  1.93  124029  124014   74818640   76230.09   0.00       630316113.60
>>>> 7    2021276  1    3    75600       0.00  1       0        75600      75600.00   0.00       75600.00
>>>> 8    25043    1    2    78320311    0.02  1043    0        7832052    75091.38   0.00       75091.38
>>>> 9    2018457  1    1    789052728   0.16  10603   0        9742392    74417.87   0.00       74417.87
>>>> 10   2022078  1    2    5036420     0.00  74      0        125892     68059.73   0.00       68059.73
>>>> 11   32413    1    2    10957828    0.00  199     0        391374     55064.46   0.00       55064.46
>>>> 12   2018604  1    5    319594      0.00  6       0        262260     53265.67   0.00       53265.67
>>>> 13   31371    1    6    188502      0.00  4       0        76356      47125.50   0.00       47125.50
>>>> 14   16425    1    17   1408770     0.00  30      30       56286      46959.00   46959.00   0.00
>>>> 15   2014376  1    3    229054      0.00  5       0        63810      45810.80   0.00       45810.80
>>>> 16   17733    1    12   3675860     0.00  86      52       74808      42742.56   49390.81   32574.65
>>>> 17   2012970  1    2    2264024     0.00  56      0        89748      40429.00   0.00       40429.00
>>>> 18   24791    1    3    4794438838  0.98  124030  124016   101016232  38655.48   0.00       342459917.00
>>>> 19   2012969  1    2    2750828     0.00  73      0        239544     37682.58   0.00       37682.58
>>>> 20   32412    1    2    14092239    0.00  374     0        151416     37679.78   0.00       37679.78
>>>> 21   23224    1    6    37494       0.00  1       0        37494      37494.00   0.00       37494.00
>>>> 22   32387    1    1    70722       0.00  2       0        69318      35361.00   0.00       35361.00
>>>> 23   2012981  1    3    70560       0.00  2       0        37080      35280.00   0.00       35280.00
>>>> 24   2017816  1    4    4166644     0.00  120     0        112896     34722.03   0.00       34722.03
>>>> 25   2020781  1    4    5879307     0.00  175     0        249606     33596.04   0.00       33596.04
>>>> 26   2018403  1    8    997676      0.00  30      0        46710      33255.87   0.00       33255.87
>>>> 27   30134    1    1    4061564568  0.83  124035  124026   28903920   32745.31   0.00       451284952.00
>>>> 28   2018264  1    8    641252      0.00  20      0        54720      32062.60   0.00       32062.60
>>>> 29   17394    1    12   507772      0.00  16      16       61560      31735.75   31735.75   0.00
>>>> 30   21288    1    8    2745335     0.00  87      87       71010      31555.57   31555.57   0.00
>>>> 31   2018121  1    4    943150      0.00  30      0        56142      31438.33   0.00       31438.33
>>>> 32   2014090  1    6    250596      0.00  8       0        65628      31324.50   0.00       31324.50
>>>> 33   2007650  1    4    45356295    0.01  1455    0        4291452    31172.71   0.00       31172.71
>>>> 34   31276    1    2    61704       0.00  2       0        31356      30852.00   0.00       30852.00
>>>> 35   15468    1    13   29292       0.00  1       0        29292      29292.00   0.00       29292.00
>>>> 36   2018581  1    2    875904      0.00  30      0        178812     29196.80   0.00       29196.80
>>>> 37   2020791  1    2    4920368     0.00  175     0        225954     28116.39   0.00       28116.39
>>>> 38   2016029  1    3    824358      0.00  30      0        36360      27478.60   0.00       27478.60
>>>> 39   2020029  1    2    327394      0.00  12      0        47376      27282.83   0.00       27282.83
>>>> 40   2012328  1    5    135298      0.00  5       0        33120      27059.60   0.00       27059.60
>>>> 41   31274    1    1    1687170     0.00  63      0        155286     26780.48   0.00       26780.48
>>>> 42   2019083  1    2    3530338     0.00  133     0        97164      26543.89   0.00       26543.89
>>>> 43   31279    1    1    52524       0.00  2       0        26460      26262.00   0.00       26262.00
>>>> 44   2014634  1    1    1757602     0.00  68      0        39690      25847.09   0.00       25847.09
>>>> 45   2018295  1    3    900796      0.00  36      0        52560      25022.11   0.00       25022.11
>>>> 46   2021245  1    4    747988      0.00  30      0        36090      24932.93   0.00       24932.93
>>>> 47   24651    1    4    49284       0.00  2       0        24804      24642.00   0.00       24642.00
>>>> 48   2020763  1    2    3023974     0.00  123     0        167220     24585.15   0.00       24585.15
>>>> 49   2020800  1    2    3333830     0.00  136     0        87246      24513.46   0.00       24513.46
>>>> 50   2020614  1    2    3913592     0.00  160     0        83772      24459.95   0.00       24459.95
>>>> 51   2020609  1    4    3111426     0.00  130     0        89442      23934.05   0.00       23934.05
>>>> 52   2019141  1    3    568974      0.00  24      0        28422      23707.25   0.00       23707.25
>>>> 53   2019602  1    1    3171882     0.00  134     0        240822     23670.76   0.00       23670.76
>>>> 54   2003287  1    6    466520      0.00  20      0        285516     23326.00   0.00       23326.00
>>>> 55   2016922  1    10   3230312     0.00  139     0        91782      23239.65   0.00       23239.65
>>>> 56   2020611  1    3    4594070     0.00  198     0        79056      23202.37   0.00       23202.37
>>>> 57   17380    1    15   991624      0.00  43      43       59292      23061.02   23061.02   0.00
>>>> 58   2020960  1    2    685418      0.00  30      0        30708      22847.27   0.00       22847.27
>>>> 59   2018057  1    3    3583156     0.00  159     0        96030      22535.57   0.00       22535.57
>>>> 60   2008782  1    5    2748390     0.00  122     0        69048      22527.79   0.00       22527.79
>>>> 61   2020782  1    2    3130320     0.00  139     0        88110      22520.29   0.00       22520.29
>>>> 62   2020613  1    3    3356494     0.00  150     0        82350      22376.63   0.00       22376.63
>>>> 63   2020769  1    2    2636396     0.00  118     0        86958      22342.34   0.00       22342.34
>>>> 64   2020586  1    3    2700166     0.00  122     0        90774      22132.51   0.00       22132.51
>>>> 65   2020693  1    1    3049757     0.00  138     0        199368     22099.69   0.00       22099.69
>>>> 66   2020799  1    2    3818200     0.00  173     0        120798     22070.52   0.00       22070.52
>>>> 67   2006380  1    12   1300862     0.00  59      59       33912      22048.51   22048.51   0.00
>>>> 68   2020786  1    2    3212030     0.00  146     0        101574     22000.21   0.00       22000.21
>>>> 69   2017915  1    2    3046598     0.00  140     0        117576     21761.41   0.00       21761.41
>>>> 70   2018880  1    2    3366284     0.00  155     0        94104      21717.96   0.00       21717.96
>>>> 71   2020765  1    2    2808816     0.00  130     0        209520     21606.28   0.00       21606.28
>>>> 72   2020784  1    2    2741601     0.00  127     0        95958      21587.41   0.00       21587.41
>>>> 73   29189    1    1    1032558     0.00  48      0        33894      21511.62   0.00       21511.62
>>>> 74   2020612  1    3    2967752     0.00  138     0        89262      21505.45   0.00       21505.45
>>>> 75   2020773  1    2    3074056     0.00  144     0        83952      21347.61   0.00       21347.61
>>>> 76   2017263  1    2    127458      0.00  6       0        23652      21243.00   0.00       21243.00
>>>> 77   2018638  1    2    2883696     0.00  136     0        85752      21203.65   0.00       21203.65
>>>> 78   2020766  1    2    2509209     0.00  119     0        211302     21085.79   0.00       21085.79
>>>> 79   2018166  1    3    2357794     0.00  112     0        87714      21051.73   0.00       21051.73
>>>> 80   2020795  1    2    2384326     0.00  114     0        84744      20915.14   0.00       20915.14
>>>> 81   2020777  1    2    2078802     0.00  100     0        78840      20788.02   0.00       20788.02
>>>> 82   2002878  1    8    41562       0.00  2       2        22698      20781.00   20781.00   0.00
>>>> 83   2020798  1    2    2462538     0.00  119     0        81666      20693.60   0.00       20693.60
>>>> 84   2021520  1    2    123524      0.00  6       0        27738      20587.33   0.00       20587.33
>>>> 85   2017191  1    3    20466       0.00  1       0        20466      20466.00   0.00       20466.00
>>>> 86   2017707  1    1    3006623     0.00  147     0        101628     20453.22   0.00       20453.22
>>>> 87   2020606  1    4    3149168     0.00  154     0        199062     20449.14   0.00       20449.14
>>>> 88   32986    1    1    81696       0.00  4       0        30438      20424.00   0.00       20424.00
>>>> 89   2020793  1    2    2587716     0.00  127     0        221544     20375.72   0.00       20375.72
>>>> 90   2020783  1    2    2678856     0.00  133     0        95346      20141.77   0.00       20141.77
>>>> 91   2018153  1    4    1965170     0.00  98      0        81612      20052.76   0.00       20052.76
>>>> 92   2020780  1    2    2449289     0.00  123     0        94428      19912.92   0.00       19912.92
>>>> 93   2021065  1    2    2663188     0.00  134     0        205596     19874.54   0.00       19874.54
>>>> 94   2020764  1    2    2873784     0.00  145     0        80622      19819.20   0.00       19819.20
>>>> 95   2020694  1    1    2533778     0.00  128     0        89424      19795.14   0.00       19795.14
>>>> 96   32396    1    2    39582       0.00  2       0        22158      19791.00   0.00       19791.00
>>>> 97   2020770  1    2    2354850     0.00  119     0        95760      19788.66   0.00       19788.66
>>>> 98   2016567  1    6    19674       0.00  1       0        19674      19674.00   0.00       19674.00
>>>> 99   2021381  1    7    1075986     0.00  55      4        62748      19563.38   59044.50   16466.82
>>>> 100  2020691  1    1    2385889     0.00  123     0        96552      19397.47   0.00       19397.47
>>>>
>>>>
>>>> ############################################################################################################
>>>> _______________________________________________
>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>> Suricata User Conference November 4 & 5 in Barcelona:
>>>> http://oisfevents.net
>>>
>>> Can you please post your suricata.log using pastebin or alike?
>>> Please add "-v" to your start line.
>>>
>>> What is the output of -
>>> modinfo pf_ring && cat /proc/net/pf_ring/info
>>> ?
>>>
>>> Thank you
>>>
>>>
>>>
>
> Try increasing the value of max-pending-packets.
> You don't have it in your yaml, so you need to add it in.
>
> Do you have anything else running on that box? (is it just Suri?)
>
> Thanks
>
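The rule-profiling table posted in the thread (profiling.rules in the suricata.yaml above, written to rule_perf.log) is where the expensive signatures show up. The following is an added example, not code from the thread or from Suricata, that parses that table and ranks rules by the ticks they consume; it assumes the whitespace-separated column layout of the posted output with one row per line, and the sample rows are copied from the thread.

```python
"""Rank Suricata rule-profiling rows by CPU cost.

Added example for the thread above, not part of the mailing-list posts
or of Suricata itself. Parses the rule_perf.log table that Suricata 2.0
writes when profiling.rules is enabled and reports which signatures
burn the most ticks, which is where to start when the engine load is
higher than the traffic volume justifies.
"""
from __future__ import annotations

from dataclasses import dataclass

# Sample rows copied from the rule_perf.log output posted in the thread
# (header plus six of the 100 rows). Column layout is assumed to be
# whitespace separated with one row per line.
SAMPLE_RULE_PERF = """\
Num  Rule     Gid  Rev  Ticks       %     Checks  Matches  Max Ticks  Avg Ticks  Avg Match  Avg No Match
---  -------  ---  ---  ----------  ----  ------  -------  ---------  ---------  ---------  ------------
1    2021621  1    6    2472462     0.00  6       0        626418     412077.00  0.00       412077.00
2    2021529  1    3    2690096101  0.55  9463    0        4390290    284275.19  0.00       284275.19
6    24787    1    3    9454741704  1.93  124029  124014   74818640   76230.09   0.00       630316113.60
14   16425    1    17   1408770     0.00  30      30       56286      46959.00   46959.00   0.00
18   24791    1    3    4794438838  0.98  124030  124016   101016232  38655.48   0.00       342459917.00
27   30134    1    1    4061564568  0.83  124035  124026   28903920   32745.31   0.00       451284952.00
"""


@dataclass
class RuleProfile:
    sid: int
    gid: int
    rev: int
    ticks: int
    checks: int
    matches: int
    avg_ticks: float
    avg_no_match: float


def parse_rule_perf(text: str) -> list[RuleProfile]:
    """Parse the rule_perf.log table; header, separator and blank lines are skipped."""
    rows: list[RuleProfile] = []
    for line in text.splitlines():
        parts = line.split()
        # A data row has exactly 12 fields and starts with the row number.
        if len(parts) != 12 or not parts[0].isdigit():
            continue
        rows.append(RuleProfile(
            sid=int(parts[1]), gid=int(parts[2]), rev=int(parts[3]),
            ticks=int(parts[4]), checks=int(parts[6]), matches=int(parts[7]),
            avg_ticks=float(parts[9]), avg_no_match=float(parts[11]),
        ))
    return rows


def rank_by_ticks(rows: list[RuleProfile], top: int = 5) -> list[tuple[int, int, float]]:
    """Return (sid, ticks, share_percent) for the `top` most expensive rules.

    The share is computed over the rows given, so it differs from Suricata's
    own '%' column, which is relative to every rule in the run.
    """
    total = sum(r.ticks for r in rows) or 1
    ranked = sorted(rows, key=lambda r: r.ticks, reverse=True)[:top]
    return [(r.sid, r.ticks, 100.0 * r.ticks / total) for r in ranked]


def noisy_rules(rows: list[RuleProfile], min_checks: int = 1000,
                match_ratio: float = 0.9) -> list[int]:
    """SIDs checked at least `min_checks` times that match almost every time.

    Such rules cost detection ticks and alert output on nearly every flow and
    are the first candidates to review, threshold or tune.
    """
    return sorted(r.sid for r in rows
                  if r.checks >= min_checks and r.matches / r.checks >= match_ratio)


if __name__ == "__main__":
    parsed = parse_rule_perf(SAMPLE_RULE_PERF)
    for sid, ticks, share in rank_by_ticks(parsed, top=3):
        print(f"sid {sid}: {ticks} ticks ({share:.1f}% of sampled rows)")
    print("noisy rules:", noisy_rules(parsed))
```

Run against the full rule_perf.log on the sensor rather than the embedded sample to see the real ranking.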