[Oisf-users] Suricata consume more than 50% CPU
David Touzeau
david at articatech.com
Sun Dec 20 17:17:13 UTC 2015
You are right, increasing the max-pending value seems to decrease the CPU
consumption.
But I have 1 point:
- We are on Sunday and only 5 users are using the box.
With 5 users the Suricata service consumes about 15% CPU and 650MB of memory.
I'm afraid that with 100 users the service will increase its consumption
dramatically.
So that's why I ask for some tuning to decrease the consumption as much as possible...
Best regards
On 20/12/2015 17:37, Peter Manev wrote:
> On Sun, Dec 20, 2015 at 5:30 PM, David Touzeau <david at articatech.com> wrote:
>> Hi
>>
>> I have increased max-pending-packets to 2048.
>> The box is a gateway box running the Squid proxy software in transparent
>> mode, Apache, PostgreSQL and MySQL for about 100 users.
>> When stopping the Suricata service, the load decreases from 1.7 to 0.3.
> That does not correspond to the 52.4% you previously mentioned - or did this
> change after you increased the suggested max-pending value?
>
>> Box is an Intel Core i7 + 8GB memory + 250GB SSD
>>
>> Currently Suricata consumes about 9-11% CPU and 650MB of memory.
>> It is the top process consuming memory and CPU.
>>
>> root 22397 9.3 6.5 380872 523408 ? Ssl 17:19 0:31 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata/suricata.pid --pfring -D
>>
>> Is there something I can tweak to decrease the consumption further
>> (remove some flow scanners)?
>>
>> Best regards
>>
>> On 20/12/2015 16:37, Peter Manev wrote:
>>> On Sun, Dec 20, 2015 at 4:17 PM, David Touzeau <david at articatech.com> wrote:
>>>> Thanks Peter, here is the requested information:
>>>>
>>>> PF_RING:
>>>>
>>>> modinfo pf_ring && cat /proc/net/pf_ring/info
>>>> filename: /lib/modules/3.2.0-4-amd64/kernel/net/pf_ring/pf_ring.ko
>>>> alias: net-pf-27
>>>> description: Packet capture acceleration and analysis
>>>> author: ntop.org
>>>> license: GPL
>>>> depends:
>>>> vermagic: 3.2.0-4-amd64 SMP mod_unload modversions
>>>> parm: min_num_slots:Min number of ring slots (uint)
>>>> parm: perfect_rules_hash_size:Perfect rules hash size (uint)
>>>> parm: transparent_mode:(deprecated) (uint)
>>>> parm: enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog (uint)
>>>> parm: enable_tx_capture:Set to 1 to capture outgoing packets (uint)
>>>> parm: enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint)
>>>> parm: enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)
>>>> parm: quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint)
>>>> PF_RING Version : 6.1.1 (dev:03645d72194bf671201728c1e947f365883935c7)
>>>> Total rings : 4
>>>>
>>>> Standard (non DNA/ZC) Options
>>>> Ring slots : 65534
>>>> Slot version : 16
>>>> Capture TX : Yes [RX+TX]
>>>> IP Defragment : No
>>>> Socket Mode : Standard
>>>> Total plugins : 0
>>>> Cluster Fragment Queue : 0
>>>> Cluster Fragment Discard : 0
>>>>
>>>>
>>>>
>>>> Here is the verbose start:
>>>>
>>>>
>>>> 20/12/2015 -- 16:15:16 - <Notice> - This is Suricata version 2.0.10 RELEASE
>>>> 20/12/2015 -- 16:15:16 - <Info> - CPUs/cores online: 4
>>>> 20/12/2015 -- 16:15:16 - <Info> - 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
>>>> 20/12/2015 -- 16:15:16 - <Info> - 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
>>>> 20/12/2015 -- 16:15:16 - <Info> - DNS request flood protection level: 500
>>>> 20/12/2015 -- 16:15:16 - <Info> - DNS per flow memcap (state-memcap): 524288
>>>> 20/12/2015 -- 16:15:16 - <Info> - DNS global memcap: 16777216
>>>> 20/12/2015 -- 16:15:16 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
>>>> 20/12/2015 -- 16:15:16 - <Info> - preallocated 65535 defrag trackers of size 168
>>>> 20/12/2015 -- 16:15:16 - <Info> - defrag memory usage: 14679896 bytes, maximum: 33554432
>>>> 20/12/2015 -- 16:15:16 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
>>>> 20/12/2015 -- 16:15:16 - <Info> - preallocated 1024 packets. Total memory 3573760
>>>> 20/12/2015 -- 16:15:16 - <Info> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
>>>> 20/12/2015 -- 16:15:16 - <Info> - preallocated 1000 hosts of size 112
>>>> 20/12/2015 -- 16:15:16 - <Info> - host memory usage: 390144 bytes, maximum: 16777216
>>>> 20/12/2015 -- 16:15:16 - <Info> - allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
>>>> 20/12/2015 -- 16:15:16 - <Info> - preallocated 10000 flows of size 280
>>>> 20/12/2015 -- 16:15:16 - <Info> - flow memory usage: 7074304 bytes, maximum: 67108864
>>>> 20/12/2015 -- 16:15:16 - <Info> - stream "prealloc-sessions": 2048 (per thread)
>>>> 20/12/2015 -- 16:15:16 - <Info> - stream "memcap": 33554432
>>>> 20/12/2015 -- 16:15:16 - <Info> - stream "midstream" session pickups: disabled
>>>> 20/12/2015 -- 16:15:16 - <Info> - stream "async-oneside": disabled
>>>> 20/12/2015 -- 16:15:16 - <Info> - stream "checksum-validation": disabled
>>>> 20/12/2015 -- 16:15:16 - <Info> - stream."inline": disabled
>>>> 20/12/2015 -- 16:15:16 - <Info> - stream "max-synack-queued": 5
>>>> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "memcap": 134217728
>>>> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "depth": 1048576
>>>> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "toserver-chunk-size": 2587
>>>> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "toclient-chunk-size": 2593
>>>> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly.raw: enabled
>>>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 4, prealloc 256
>>>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 16, prealloc 512
>>>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 112, prealloc 512
>>>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 248, prealloc 512
>>>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 512, prealloc 512
>>>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 768, prealloc 1024
>>>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 1448, prealloc 1024
>>>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 65535, prealloc 128
>>>> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "chunk-prealloc": 250
>>>> 20/12/2015 -- 16:15:16 - <Info> - IP reputation disabled
>>>> 20/12/2015 -- 16:15:16 - <Info> - Registered 106 keyword profiling counters.
>>>> 20/12/2015 -- 16:15:16 - <Info> - using magic-file /usr/share/file/magic
>>>> 20/12/2015 -- 16:15:16 - <Info> - Delayed detect disabled
>>>> 20/12/2015 -- 16:15:17 - <Info> - 11 rule files processed. 6557 rules successfully loaded, 0 rules failed
>>>> 20/12/2015 -- 16:15:17 - <Info> - 6557 signatures processed. 30 are IP-only rules, 3222 are inspecting packet payload, 4746 inspect application layer, 0 are decoder event only
>>>> 20/12/2015 -- 16:15:17 - <Info> - building signature grouping structure, stage 1: preprocessing rules... complete
>>>> 20/12/2015 -- 16:15:17 - <Info> - building signature grouping structure, stage 2: building source address list... complete
>>>> 20/12/2015 -- 16:15:17 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
>>>> 20/12/2015 -- 16:15:18 - <Info> - Registered 6557 rule profiling counters.
>>>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2013028, gid 1: unknown rule
>>>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2006380, gid 1: unknown rule
>>>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2013504, gid 1: unknown rule
>>>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2012141, gid 1: unknown rule
>>>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2002878, gid 1: unknown rule
>>>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2002157, gid 1: unknown rule
>>>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2012648, gid 1: unknown rule
>>>> 20/12/2015 -- 16:15:18 - <Info> - Threshold config parsed: 7 rule(s) found
>>>> 20/12/2015 -- 16:15:18 - <Info> - Core dump size set to unlimited.
>>>> 20/12/2015 -- 16:15:18 - <Info> - eve-log output device (regular) initialized: eve.json
>>>> 20/12/2015 -- 16:15:18 - <Info> - returning output_ctx 0x55f3b70
>>>> 20/12/2015 -- 16:15:18 - <Info> - enabling 'eve-log' module 'alert'
>>>> 20/12/2015 -- 16:15:18 - <Info> - Adding interface eth0 from config file
>>>> 20/12/2015 -- 16:15:18 - <Info> - Adding interface eth1 from config file
>>>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for "management-cpu-set"
>>>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for "receive-cpu-set"
>>>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for "decode-cpu-set"
>>>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for "stream-cpu-set"
>>>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for "detect-cpu-set"
>>>> 20/12/2015 -- 16:15:18 - <Info> - Using default prio 'medium'
>>>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for "verdict-cpu-set"
>>>> 20/12/2015 -- 16:15:18 - <Info> - Using default prio 'high'
>>>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for "reject-cpu-set"
>>>> 20/12/2015 -- 16:15:18 - <Info> - Using default prio 'low'
>>>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for "output-cpu-set"
>>>> 20/12/2015 -- 16:15:18 - <Info> - Using default prio 'medium'
>>>> 20/12/2015 -- 16:15:18 - <Info> - Using flow cluster mode for PF_RING (iface eth0)
>>>> 20/12/2015 -- 16:15:18 - <Info> - Going to use 2 thread(s)
>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 0
>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 2 for "RxPFReth01" Module to cpu/core 0, thread id 32120
>>>> 20/12/2015 -- 16:15:18 - <Info> - (RxPFReth01) Using PF_RING v.6.1.1, interface eth0, cluster-id 99
>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 1
>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "RxPFReth02" Module to cpu/core 1, thread id 32154
>>>> 20/12/2015 -- 16:15:18 - <Info> - (RxPFReth02) Using PF_RING v.6.1.1, interface eth0, cluster-id 99
>>>> 20/12/2015 -- 16:15:18 - <Info> - Using flow cluster mode for PF_RING (iface eth1)
>>>> 20/12/2015 -- 16:15:18 - <Info> - Going to use 2 thread(s)
>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 2
>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "RxPFReth11" Module to cpu/core 2, thread id 32186
>>>> 20/12/2015 -- 16:15:18 - <Info> - (RxPFReth11) Using PF_RING v.6.1.1, interface eth1, cluster-id 98
>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 3
>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio -2 for "RxPFReth12" Module to cpu/core 3, thread id 32214
>>>> 20/12/2015 -- 16:15:18 - <Info> - (RxPFReth12) Using PF_RING v.6.1.1, interface eth1, cluster-id 98
>>>> 20/12/2015 -- 16:15:18 - <Info> - RunModeIdsPfringWorkers initialised
>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "FlowManagerThread" thread , thread id 32247
>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "SCPerfWakeupThread" thread , thread id 32248
>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "SCPerfMgmtThread" thread , thread id 32250
>>>> 20/12/2015 -- 16:15:18 - <Notice> - all 4 packet processing threads, 3 management threads initialized, engine started.
>>>>
>>>>
>>>> On 20/12/2015 16:11, Peter Manev wrote:
>>>>> On Sun, Dec 20, 2015 at 2:43 PM, David Touzeau <david at articatech.com> wrote:
>>>>>>
>>>>>> Hi, all
>>>>>>
>>>>>> As you can see, the main service consumes 52.4% on an Intel Core i7 for
>>>>>> less than about 10MBS of bandwidth.
>>>>>>
>>>>>> root 31283 52.4 9.6 455496 773264 ? SNsl 14:16 6:29 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata/suricata.pid --pfring -D
>>>>>>
>>>>>> root 31283 65.1 9.6 455496 773264 ? SNsl 14:16 12:06 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata/suricata.pid --pfring -D
>>>>>>
>>>>>> Are there any tips to reduce this CPU consumption?
>>>>>>
>>>>>> Configuration:
>>>>>>
>>>>>>
>>>>>> ####################################################################################
>>>>>> %YAML 1.1
>>>>>> ---
>>>>>>
>>>>>> runmode: workers
>>>>>> host-mode: auto
>>>>>> pid-file: /var/run/suricata.pid
>>>>>> default-log-dir: /var/log/suricata/
>>>>>> unix-command:
>>>>>> enabled: no
>>>>>>
>>>>>> outputs:
>>>>>>
>>>>>>
>>>>>> - fast:
>>>>>> enabled: no
>>>>>> filename: fast.log
>>>>>> append: yes
>>>>>>
>>>>>> - eve-log:
>>>>>> enabled: yes
>>>>>> type: file
>>>>>> filename: eve.json
>>>>>> types:
>>>>>> - alert
>>>>>> #- drop
>>>>>>
>>>>>>
>>>>>> - unified2-alert:
>>>>>> enabled: no
>>>>>> filename: unified2.alert
>>>>>> sensor-id: 0
>>>>>>
>>>>>> xff:
>>>>>> enabled: no
>>>>>> mode: extra-data
>>>>>> header: X-Forwarded-For
>>>>>>
>>>>>> - http-log:
>>>>>> enabled: no
>>>>>> filename: http.log
>>>>>> append: yes
>>>>>>
>>>>>>
>>>>>> - tls-log:
>>>>>> enabled: no
>>>>>> filename: tls.log # File to store TLS logs.
>>>>>> append: yes
>>>>>> certs-log-dir: certs
>>>>>>
>>>>>>
>>>>>> - dns-log:
>>>>>> enabled: no
>>>>>> filename: dns.log
>>>>>> append: yes
>>>>>>
>>>>>> - pcap-info:
>>>>>> enabled: no
>>>>>>
>>>>>> - pcap-log:
>>>>>> enabled: no
>>>>>> filename: log.pcap
>>>>>> limit: 1000mb
>>>>>> max-files: 2000
>>>>>>
>>>>>> mode: normal
>>>>>> use-stream-depth: no
>>>>>>
>>>>>> - alert-debug:
>>>>>> enabled: no
>>>>>> filename: alert-debug.log
>>>>>> append: yes
>>>>>> filetype: regular
>>>>>>
>>>>>> - alert-prelude:
>>>>>> enabled: no
>>>>>> profile: suricata
>>>>>> log-packet-content: no
>>>>>> log-packet-header: yes
>>>>>>
>>>>>> - stats:
>>>>>> enabled: yes
>>>>>> filename: stats.log
>>>>>> interval: 10
>>>>>>
>>>>>> - syslog:
>>>>>> enabled: no
>>>>>> identity: "suricata"
>>>>>> facility: local5
>>>>>>
>>>>>>
>>>>>> - drop:
>>>>>> enabled: no
>>>>>> filename: drop.log
>>>>>> append: yes
>>>>>> filetype: regular
>>>>>>
>>>>>> - file-store:
>>>>>> enabled: no # set to yes to enable
>>>>>> log-dir: files # directory to store the files
>>>>>> force-magic: no # force logging magic on all stored files
>>>>>> force-md5: no # force logging of md5 checksums
>>>>>>
>>>>>> - file-log:
>>>>>> enabled: no
>>>>>> filename: files-json.log
>>>>>> append: yes
>>>>>> filetype: regular
>>>>>> force-magic: yes
>>>>>> force-md5: yes
>>>>>>
>>>>>> magic-file: /usr/share/file/magic
>>>>>>
>>>>>> nfq:
>>>>>>
>>>>>>
>>>>>> nflog:
>>>>>> - group: 2
>>>>>> buffer-size: 18432
>>>>>> - group: default
>>>>>> qthreshold: 1
>>>>>> qtimeout: 100
>>>>>> max-size: 20000
>>>>>>
>>>>>>
>>>>>> af-packet:
>>>>>> - interface: eth1
>>>>>> threads: 1
>>>>>> cluster-id: 99
>>>>>> cluster-type: cluster_flow
>>>>>> defrag: yes
>>>>>> use-mmap: yes
>>>>>>
>>>>>> - interface: eth1
>>>>>> threads: 1
>>>>>> cluster-id: 98
>>>>>> cluster-type: cluster_flow
>>>>>> defrag: yes
>>>>>>
>>>>>> - interface: default
>>>>>>
>>>>>> legacy:
>>>>>> uricontent: enabled
>>>>>>
>>>>>> detect-engine:
>>>>>> - profile: medium
>>>>>> - custom-values:
>>>>>> toclient-src-groups: 2
>>>>>> toclient-dst-groups: 2
>>>>>> toclient-sp-groups: 2
>>>>>> toclient-dp-groups: 3
>>>>>> toserver-src-groups: 2
>>>>>> toserver-dst-groups: 4
>>>>>> toserver-sp-groups: 2
>>>>>> toserver-dp-groups: 25
>>>>>> - sgh-mpm-context: auto
>>>>>> - inspection-recursion-limit: 3000
>>>>>>
>>>>>> threading:
>>>>>> set-cpu-affinity: yes
>>>>>>
>>>>>> cpu-affinity:
>>>>>> - management-cpu-set:
>>>>>> cpu: [ "all" ]
>>>>>>
>>>>>> - receive-cpu-set:
>>>>>> cpu: [ 0 ] # include only these cpus in affinity settings
>>>>>>
>>>>>> - decode-cpu-set:
>>>>>> cpu: [ 0, 1 ]
>>>>>> mode: "balanced"
>>>>>>
>>>>>> - stream-cpu-set:
>>>>>> cpu: [ "0-1" ]
>>>>>>
>>>>>> - detect-cpu-set:
>>>>>> cpu: [ "all" ]
>>>>>> mode: "exclusive"
>>>>>> prio:
>>>>>> low: [ 0 ]
>>>>>> medium: [ "1-2" ]
>>>>>> high: [ 3 ]
>>>>>> default: "medium"
>>>>>>
>>>>>> - verdict-cpu-set:
>>>>>> cpu: [ 0 ]
>>>>>> prio:
>>>>>> default: "high"
>>>>>> - reject-cpu-set:
>>>>>> cpu: [ 0 ]
>>>>>> prio:
>>>>>> default: "low"
>>>>>> - output-cpu-set:
>>>>>> cpu: [ "all" ]
>>>>>> prio:
>>>>>> default: "medium"
>>>>>> #
>>>>>> detect-thread-ratio: 1.5
>>>>>>
>>>>>> # Cuda configuration.
>>>>>> cuda:
>>>>>> mpm:
>>>>>> data-buffer-size-min-limit: 0
>>>>>> data-buffer-size-max-limit: 1500
>>>>>> cudabuffer-buffer-size: 500mb
>>>>>> gpu-transfer-size: 50mb
>>>>>> batching-timeout: 2000
>>>>>> device-id: 0
>>>>>> cuda-streams: 2
>>>>>>
>>>>>> mpm-algo: ac
>>>>>>
>>>>>> pattern-matcher:
>>>>>> - b2gc:
>>>>>> search-algo: B2gSearchBNDMq
>>>>>> hash-size: low
>>>>>> bf-size: medium
>>>>>> - b2gm:
>>>>>> search-algo: B2gSearchBNDMq
>>>>>> hash-size: low
>>>>>> bf-size: medium
>>>>>> - b2g:
>>>>>> search-algo: B2gSearchBNDMq
>>>>>> hash-size: low
>>>>>> bf-size: medium
>>>>>> - b3g:
>>>>>> search-algo: B3gSearchBNDMq
>>>>>> hash-size: low
>>>>>> bf-size: medium
>>>>>> - wumanber:
>>>>>> hash-size: low
>>>>>> bf-size: medium
>>>>>>
>>>>>> # Defrag settings:
>>>>>>
>>>>>> defrag:
>>>>>> memcap: 32mb
>>>>>> hash-size: 65536
>>>>>> trackers: 65535 # number of defragmented flows to follow
>>>>>> max-frags: 65535 # number of fragments to keep (higher than trackers)
>>>>>> prealloc: yes
>>>>>> timeout: 60
>>>>>>
>>>>>>
>>>>>> flow:
>>>>>> memcap: 64mb
>>>>>> hash-size: 65536
>>>>>> prealloc: 10000
>>>>>> emergency-recovery: 30
>>>>>>
>>>>>> vlan:
>>>>>> use-for-tracking: true
>>>>>>
>>>>>>
>>>>>> flow-timeouts:
>>>>>>
>>>>>> default:
>>>>>> new: 30
>>>>>> established: 300
>>>>>> closed: 0
>>>>>> emergency-new: 10
>>>>>> emergency-established: 100
>>>>>> emergency-closed: 0
>>>>>> tcp:
>>>>>> new: 60
>>>>>> established: 3600
>>>>>> closed: 120
>>>>>> emergency-new: 10
>>>>>> emergency-established: 300
>>>>>> emergency-closed: 20
>>>>>> udp:
>>>>>> new: 30
>>>>>> established: 300
>>>>>> emergency-new: 10
>>>>>> emergency-established: 100
>>>>>> icmp:
>>>>>> new: 30
>>>>>> established: 300
>>>>>> emergency-new: 10
>>>>>> emergency-established: 100
>>>>>>
>>>>>> stream:
>>>>>> memcap: 32mb
>>>>>> checksum-validation: no # reject wrong csums
>>>>>> inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
>>>>>> reassembly:
>>>>>> memcap: 128mb
>>>>>> depth: 1mb # reassemble 1mb into a stream
>>>>>> toserver-chunk-size: 2560
>>>>>> toclient-chunk-size: 2560
>>>>>> randomize-chunk-size: yes
>>>>>>
>>>>>> host:
>>>>>> hash-size: 4096
>>>>>> prealloc: 1000
>>>>>> memcap: 16777216
>>>>>>
>>>>>> logging:
>>>>>>
>>>>>> default-log-level: notice
>>>>>> #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
>>>>>> default-output-filter:
>>>>>>
>>>>>> outputs:
>>>>>> - console:
>>>>>> enabled: yes
>>>>>> - file:
>>>>>> enabled: yes
>>>>>> filename: /var/log/suricata.log
>>>>>> - syslog:
>>>>>> enabled: yes
>>>>>> facility: syslog
>>>>>> format: "[%i] <%d> -- "
>>>>>>
>>>>>>
>>>>>> mpipe:
>>>>>>
>>>>>> load-balance: dynamic
>>>>>> iqueue-packets: 2048
>>>>>> inputs:
>>>>>> - interface: xgbe2
>>>>>> - interface: xgbe3
>>>>>> - interface: xgbe4
>>>>>>
>>>>>>
>>>>>> stack:
>>>>>> size128: 0
>>>>>> size256: 9
>>>>>> size512: 0
>>>>>> size1024: 0
>>>>>> size1664: 7
>>>>>> size4096: 0
>>>>>> size10386: 0
>>>>>> size16384: 0
>>>>>>
>>>>>>
>>>>>> pfring:
>>>>>>
>>>>>> - interface: eth0
>>>>>> threads: 2
>>>>>> cluster-id: 99
>>>>>> cluster-type: cluster_flow
>>>>>>
>>>>>> - interface: eth1
>>>>>> threads: 2
>>>>>> cluster-id: 98
>>>>>> cluster-type: cluster_flow
>>>>>>
>>>>>>
>>>>>> default-rule-path: /etc/suricata/rules
>>>>>> rule-files:
>>>>>> - drop.rules
>>>>>> - dshield.rules
>>>>>> - emerging-activex.rules
>>>>>> - emerging-attack_response.rules
>>>>>> - emerging-malware.rules
>>>>>> - emerging-policy.rules
>>>>>> - emerging-scan.rules
>>>>>> - emerging-shellcode.rules
>>>>>> - emerging-trojan.rules
>>>>>> - emerging-web_client.rules
>>>>>> - emerging-worm.rules
>>>>>> - snort.rules
>>>>>>
>>>>>> classification-file: /etc/suricata/classification.config
>>>>>> reference-config-file: /etc/suricata/reference.config
>>>>>>
>>>>>> vars:
>>>>>> address-groups:
>>>>>> HOME_NET: "[192.168.1.0/24,10.10.1.0/24]"
>>>>>> EXTERNAL_NET: "!$HOME_NET"
>>>>>> HTTP_SERVERS: "$HOME_NET"
>>>>>> SMTP_SERVERS: "$HOME_NET"
>>>>>> SQL_SERVERS: "$HOME_NET"
>>>>>> DNS_SERVERS: "$HOME_NET"
>>>>>> TELNET_SERVERS: "$HOME_NET"
>>>>>> AIM_SERVERS: "$EXTERNAL_NET"
>>>>>> DNP3_SERVER: "$HOME_NET"
>>>>>> DNP3_CLIENT: "$HOME_NET"
>>>>>> MODBUS_CLIENT: "$HOME_NET"
>>>>>> MODBUS_SERVER: "$HOME_NET"
>>>>>> ENIP_CLIENT: "$HOME_NET"
>>>>>> ENIP_SERVER: "$HOME_NET"
>>>>>>
>>>>>> port-groups:
>>>>>> HTTP_PORTS: "80"
>>>>>> SHELLCODE_PORTS: "!80"
>>>>>> ORACLE_PORTS: 1521
>>>>>> SSH_PORTS: 22
>>>>>> DNP3_PORTS: 20000
>>>>>> FILE_DATA_PORTS: "[110,143]"
>>>>>>
>>>>>> action-order:
>>>>>> - pass
>>>>>> - drop
>>>>>> - reject
>>>>>> - alert
>>>>>>
>>>>>>
>>>>>> host-os-policy:
>>>>>> windows: [0.0.0.0/0]
>>>>>> bsd: []
>>>>>> bsd-right: []
>>>>>> old-linux: []
>>>>>> linux: [10.0.0.0/8, 192.168.1.100,
>>>>>> "8762:2352:6241:7245:E000:0000:0000:0000"]
>>>>>> old-solaris: []
>>>>>> solaris: ["::1"]
>>>>>> hpux10: []
>>>>>> hpux11: []
>>>>>> irix: []
>>>>>> macos: []
>>>>>> vista: []
>>>>>> windows2k3: []
>>>>>>
>>>>>>
>>>>>> asn1-max-frames: 256
>>>>>>
>>>>>> engine-analysis:
>>>>>> rules-fast-pattern: yes
>>>>>> rules: yes
>>>>>>
>>>>>> pcre:
>>>>>> match-limit: 3500
>>>>>> match-limit-recursion: 1500
>>>>>>
>>>>>> threshold-file: /etc/suricata/threshold.config
>>>>>>
>>>>>> app-layer:
>>>>>> protocols:
>>>>>> tls:
>>>>>> enabled: yes
>>>>>> detection-ports:
>>>>>> dp: 443
>>>>>> dcerpc:
>>>>>> enabled: yes
>>>>>> ftp:
>>>>>> enabled: yes
>>>>>> ssh:
>>>>>> enabled: yes
>>>>>> smtp:
>>>>>> enabled: yes
>>>>>> imap:
>>>>>> enabled: detection-only
>>>>>> msn:
>>>>>> enabled: detection-only
>>>>>> smb:
>>>>>> enabled: yes
>>>>>> detection-ports:
>>>>>> dp: 139
>>>>>> dns:
>>>>>>
>>>>>> tcp:
>>>>>> enabled: yes
>>>>>> detection-ports:
>>>>>> dp: 53
>>>>>> udp:
>>>>>> enabled: yes
>>>>>> detection-ports:
>>>>>> dp: 53
>>>>>> http:
>>>>>> enabled: yes
>>>>>>
>>>>>> libhtp:
>>>>>>
>>>>>> default-config:
>>>>>> personality: IDS
>>>>>> request-body-limit: 3072
>>>>>> response-body-limit: 3072
>>>>>> request-body-minimal-inspect-size: 32kb
>>>>>> request-body-inspect-window: 4kb
>>>>>> response-body-minimal-inspect-size: 32kb
>>>>>> response-body-inspect-window: 4kb
>>>>>> double-decode-path: no
>>>>>> double-decode-query: no
>>>>>>
>>>>>> server-config:
>>>>>>
>>>>>>
>>>>>> profiling:
>>>>>> rules:
>>>>>> enabled: yes
>>>>>> filename: rule_perf.log
>>>>>> append: yes
>>>>>> sort: avgticks
>>>>>> limit: 100
>>>>>>
>>>>>> keywords:
>>>>>> enabled: yes
>>>>>> filename: keyword_perf.log
>>>>>> append: yes
>>>>>>
>>>>>> packets:
>>>>>> enabled: yes
>>>>>> filename: packet_stats.log
>>>>>> append: yes
>>>>>>
>>>>>> csv:
>>>>>> enabled: no
>>>>>> filename: packet_stats.csv
>>>>>>
>>>>>> locks:
>>>>>> enabled: no
>>>>>> filename: lock_stats.log
>>>>>> append: yes
>>>>>> coredump:
>>>>>> max-dump: unlimited
>>>>>>
>>>>>> napatech:
>>>>>> hba: -1
>>>>>> use-all-streams: yes
>>>>>> streams: [1, 2, 3]
>>>>>>
>>>>>>
>>>>>>
>>>>>> ############################################################################################################
>>>>>>
>>>>>> Stats:
>>>>>> Date: 12/20/2015 -- 14:16:48
>>>>>>
>>>>>>
>>>>>> --------------------------------------------------------------------------
>>>>>> Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
>>>>>> -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
>>>>>> 1 2021621 1 6 2472462 0.00 6 0 626418 412077.00 0.00 412077.00
>>>>>> 2 2021529 1 3 2690096101 0.55 9463 0 4390290 284275.19 0.00 284275.19
>>>>>> 3 2018005 1 6 1262809391 0.26 10390 0 14480148 121540.85 0.00 121540.85
>>>>>> 4 2021993 1 2 3446612 0.00 34 0 158850 101370.94 0.00 101370.94
>>>>>> 5 2018637 1 2 12935952 0.00 129 0 9942498 100278.70 0.00 100278.70
>>>>>> 6 24787 1 3 9454741704 1.93 124029 124014 74818640 76230.09 0.00 630316113.60
>>>>>> 7 2021276 1 3 75600 0.00 1 0 75600 75600.00 0.00 75600.00
>>>>>> 8 25043 1 2 78320311 0.02 1043 0 7832052 75091.38 0.00 75091.38
>>>>>> 9 2018457 1 1 789052728 0.16 10603 0 9742392 74417.87 0.00 74417.87
>>>>>> 10 2022078 1 2 5036420 0.00 74 0 125892 68059.73 0.00 68059.73
>>>>>> 11 32413 1 2 10957828 0.00 199 0 391374 55064.46 0.00 55064.46
>>>>>> 12 2018604 1 5 319594 0.00 6 0 262260 53265.67 0.00 53265.67
>>>>>> 13 31371 1 6 188502 0.00 4 0 76356 47125.50 0.00 47125.50
>>>>>> 14 16425 1 17 1408770 0.00 30 30 56286 46959.00 46959.00 0.00
>>>>>> 15 2014376 1 3 229054 0.00 5 0 63810 45810.80 0.00 45810.80
>>>>>> 16 17733 1 12 3675860 0.00 86 52 74808 42742.56 49390.81 32574.65
>>>>>> 17 2012970 1 2 2264024 0.00 56 0 89748 40429.00 0.00 40429.00
>>>>>> 18 24791 1 3 4794438838 0.98 124030 124016 101016232 38655.48 0.00 342459917.00
>>>>>> 19 2012969 1 2 2750828 0.00 73 0 239544 37682.58 0.00 37682.58
>>>>>> 20 32412 1 2 14092239 0.00 374 0 151416 37679.78 0.00 37679.78
>>>>>> 21 23224 1 6 37494 0.00 1 0 37494 37494.00 0.00 37494.00
>>>>>> 22 32387 1 1 70722 0.00 2 0 69318 35361.00 0.00 35361.00
>>>>>> 23 2012981 1 3 70560 0.00 2 0 37080 35280.00 0.00 35280.00
>>>>>> 24 2017816 1 4 4166644 0.00 120 0 112896 34722.03 0.00 34722.03
>>>>>> 25 2020781 1 4 5879307 0.00 175 0 249606 33596.04 0.00 33596.04
>>>>>> 26 2018403 1 8 997676 0.00 30 0 46710 33255.87 0.00 33255.87
>>>>>> 27 30134 1 1 4061564568 0.83 124035 124026 28903920 32745.31 0.00 451284952.00
>>>>>> 28 2018264 1 8 641252 0.00 20 0 54720 32062.60 0.00 32062.60
>>>>>> 29 17394 1 12 507772 0.00 16 16 61560 31735.75 31735.75 0.00
>>>>>> 30 21288 1 8 2745335 0.00 87 87 71010 31555.57 31555.57 0.00
>>>>>> 31 2018121 1 4 943150 0.00 30 0 56142 31438.33 0.00 31438.33
>>>>>> 32 2014090 1 6 250596 0.00 8 0 65628 31324.50 0.00 31324.50
>>>>>> 33 2007650 1 4 45356295 0.01 1455 0 4291452 31172.71 0.00 31172.71
>>>>>> 34 31276 1 2 61704 0.00 2 0 31356 30852.00 0.00 30852.00
>>>>>> 35 15468 1 13 29292 0.00 1 0 29292 29292.00 0.00 29292.00
>>>>>> 36 2018581 1 2 875904 0.00 30 0 178812 29196.80 0.00 29196.80
>>>>>> 37 2020791 1 2 4920368 0.00 175 0 225954 28116.39 0.00 28116.39
>>>>>> 38 2016029 1 3 824358 0.00 30 0 36360 27478.60 0.00 27478.60
>>>>>> 39 2020029 1 2 327394 0.00 12 0 47376 27282.83 0.00 27282.83
>>>>>> 40 2012328 1 5 135298 0.00 5 0 33120 27059.60 0.00 27059.60
>>>>>> 41 31274 1 1 1687170 0.00 63 0 155286 26780.48 0.00 26780.48
>>>>>> 42 2019083 1 2 3530338 0.00 133 0 97164 26543.89 0.00 26543.89
>>>>>> 43 31279 1 1 52524 0.00 2 0 26460 26262.00 0.00 26262.00
>>>>>> 44 2014634 1 1 1757602 0.00 68 0 39690 25847.09 0.00 25847.09
>>>>>> 45 2018295 1 3 900796 0.00 36 0 52560 25022.11 0.00 25022.11
>>>>>> 46 2021245 1 4 747988 0.00 30 0 36090 24932.93 0.00 24932.93
>>>>>> 47 24651 1 4 49284 0.00 2 0 24804 24642.00 0.00 24642.00
>>>>>> 48 2020763 1 2 3023974 0.00 123 0 167220 24585.15 0.00 24585.15
>>>>>> 49 2020800 1 2 3333830 0.00 136 0 87246 24513.46 0.00 24513.46
>>>>>> 50 2020614 1 2 3913592 0.00 160 0 83772 24459.95 0.00 24459.95
>>>>>> 51 2020609 1 4 3111426 0.00 130 0 89442 23934.05 0.00 23934.05
>>>>>> 52 2019141 1 3 568974 0.00 24 0 28422 23707.25 0.00 23707.25
>>>>>> 53 2019602 1 1 3171882 0.00 134 0 240822 23670.76 0.00 23670.76
>>>>>> 54 2003287 1 6 466520 0.00 20 0 285516 23326.00 0.00 23326.00
>>>>>> 55 2016922 1 10 3230312 0.00 139 0 91782 23239.65 0.00 23239.65
>>>>>> 56 2020611 1 3 4594070 0.00 198 0 79056 23202.37 0.00 23202.37
>>>>>> 57 17380 1 15 991624 0.00 43 43 59292 23061.02 23061.02 0.00
>>>>>> 58 2020960 1 2 685418 0.00 30 0 30708 22847.27 0.00 22847.27
>>>>>> 59 2018057 1 3 3583156 0.00 159 0 96030 22535.57 0.00 22535.57
>>>>>> 60 2008782 1 5 2748390 0.00 122 0 69048 22527.79 0.00 22527.79
>>>>>> 61 2020782 1 2 3130320 0.00 139 0 88110 22520.29 0.00 22520.29
>>>>>> 62 2020613 1 3 3356494 0.00 150 0 82350 22376.63 0.00 22376.63
>>>>>> 63 2020769 1 2 2636396 0.00 118 0 86958 22342.34 0.00 22342.34
>>>>>> 64 2020586 1 3 2700166 0.00 122 0 90774 22132.51 0.00 22132.51
>>>>>> 65 2020693 1 1 3049757 0.00 138 0 199368 22099.69 0.00 22099.69
>>>>>> 66 2020799 1 2 3818200 0.00 173 0 120798 22070.52 0.00 22070.52
>>>>>> 67 2006380 1 12 1300862 0.00 59 59 33912 22048.51 22048.51 0.00
>>>>>> 68 2020786 1 2 3212030 0.00 146 0 101574 22000.21 0.00 22000.21
>>>>>> 69 2017915 1 2 3046598 0.00 140 0 117576 21761.41 0.00 21761.41
>>>>>> 70 2018880 1 2 3366284 0.00 155 0 94104 21717.96 0.00 21717.96
>>>>>> 71 2020765 1 2 2808816 0.00 130 0 209520 21606.28 0.00 21606.28
>>>>>> 72 2020784 1 2 2741601 0.00 127 0 95958 21587.41 0.00 21587.41
>>>>>> 73 29189 1 1 1032558 0.00 48 0 33894 21511.62 0.00 21511.62
>>>>>> 74 2020612 1 3 2967752 0.00 138 0 89262 21505.45 0.00 21505.45
>>>>>> 75 2020773 1 2 3074056 0.00 144 0 83952 21347.61 0.00 21347.61
>>>>>> 76 2017263 1 2 127458 0.00 6 0 23652 21243.00 0.00 21243.00
>>>>>> 77 2018638 1 2 2883696 0.00 136 0 85752 21203.65 0.00 21203.65
>>>>>> 78 2020766 1 2 2509209 0.00 119 0 211302 21085.79 0.00 21085.79
>>>>>> 79 2018166 1 3 2357794 0.00 112 0 87714 21051.73 0.00 21051.73
>>>>>> 80 2020795 1 2 2384326 0.00 114 0 84744 20915.14 0.00 20915.14
>>>>>> 81 2020777 1 2 2078802 0.00 100 0 78840 20788.02 0.00 20788.02
>>>>>> 82 2002878 1 8 41562 0.00 2 2 22698 20781.00 20781.00 0.00
>>>>>> 83 2020798 1 2 2462538 0.00 119 0 81666 20693.60 0.00 20693.60
>>>>>> 84 2021520 1 2 123524 0.00 6 0 27738 20587.33 0.00 20587.33
>>>>>> 85 2017191 1 3 20466 0.00 1 0 20466 20466.00 0.00 20466.00
>>>>>> 86 2017707 1 1 3006623 0.00 147 0 101628 20453.22 0.00 20453.22
>>>>>> 87 2020606 1 4 3149168 0.00 154 0 199062 20449.14 0.00 20449.14
>>>>>> 88 32986 1 1 81696 0.00 4 0 30438 20424.00 0.00 20424.00
>>>>>> 89 2020793 1 2 2587716 0.00 127 0 221544 20375.72 0.00 20375.72
>>>>>> 90 2020783 1 2 2678856 0.00 133 0 95346 20141.77 0.00 20141.77
>>>>>> 91 2018153 1 4 1965170 0.00 98 0 81612 20052.76 0.00 20052.76
>>>>>> 92 2020780 1 2 2449289 0.00 123 0 94428 19912.92 0.00 19912.92
>>>>>> 93 2021065 1 2 2663188 0.00 134 0 205596 19874.54 0.00 19874.54
>>>>>> 94 2020764 1 2 2873784 0.00 145 0 80622 19819.20 0.00 19819.20
>>>>>> 95 2020694 1 1 2533778 0.00 128 0 89424 19795.14 0.00 19795.14
>>>>>> 96 32396 1 2 39582 0.00 2 0 22158 19791.00 0.00 19791.00
>>>>>> 97 2020770 1 2 2354850 0.00 119 0 95760 19788.66 0.00 19788.66
>>>>>> 98 2016567 1 6 19674 0.00 1 0 19674 19674.00 0.00 19674.00
>>>>>> 99 2021381 1 7 1075986 0.00 55 4 62748 19563.38 59044.50 16466.82
>>>>>> 100 2020691 1 1 2385889 0.00 123 0 96552 19397.47 0.00 19397.47
>>>>>>
>>>>>>
>>>>>>
>>>>>> ############################################################################################################
>>>>>> _______________________________________________
>>>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>>>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>>>>>
>>>>> Can you please post your suricata.log using pastebin or alike?
>>>>> Please add "-v" to your start line.
>>>>>
>>>>> What is the output of -
>>>>> modinfo pf_ring && cat /proc/net/pf_ring/info
>>>>> ?
>>>>>
>>>>> Thank you
>>>>>
>>>>>
>>>>>
>>> Try increasing the value of max-pending-packets.
>>> You don't have it in your yaml - so you need to add it in.
>>>
>>> Do you have anything else running on that box? (is it just Suri?)
>>>
>>> Thanks
>>>
>
>
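The rule profiling dump quoted in the thread (rule_perf.log, sorted by avgticks) is the data a practitioner would read before deciding which signatures to tune rather than disabling whole protocol parsers. The parser below for that 12-column layout is an added example, not code from the thread or from the Suricata project; the sample rows are an excerpt of the figures posted in the thread, embedded inline as constructed test data.

```python
"""Rank Suricata 2.0 rule-profiling (rule_perf.log) rows by CPU cost.

Added example (not from the mailing-list thread). Parses the 12-column
layout quoted there:
  Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
and reports which signatures dominate tick time and which are checked
very often without ever matching.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RuleProfile:
    sid: int
    gid: int
    rev: int
    ticks: int
    percent: float
    checks: int
    matches: int
    max_ticks: int
    avg_ticks: float
    avg_match: float
    avg_nomatch: float


# Constructed sample: header lines plus six rows excerpted from the
# dump posted in the thread (Date: 12/20/2015 -- 14:16:48).
SAMPLE = """\
Stats:
Date: 12/20/2015 -- 14:16:48
--------------------------------------------------------------------------
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1 2021621 1 6 2472462 0.00 6 0 626418 412077.00 0.00 412077.00
2 2021529 1 3 2690096101 0.55 9463 0 4390290 284275.19 0.00 284275.19
6 24787 1 3 9454741704 1.93 124029 124014 74818640 76230.09 0.00 630316113.60
14 16425 1 17 1408770 0.00 30 30 56286 46959.00 46959.00 0.00
18 24791 1 3 4794438838 0.98 124030 124016 101016232 38655.48 0.00 342459917.00
27 30134 1 1 4061564568 0.83 124035 124026 28903920 32745.31 0.00 451284952.00
"""


def parse_rule_perf(text: str) -> List[RuleProfile]:
    """Parse data rows; header, separator and date lines are skipped."""
    rows: List[RuleProfile] = []
    for line in text.splitlines():
        parts = line.split()
        # A data row has exactly 12 whitespace-separated fields and a
        # numeric rank in column 1; the header has 15 tokens and the
        # dashed separator starts with '-', so both are skipped.
        if len(parts) != 12 or not parts[0].isdigit():
            continue
        try:
            rows.append(RuleProfile(
                sid=int(parts[1]), gid=int(parts[2]), rev=int(parts[3]),
                ticks=int(parts[4]), percent=float(parts[5]),
                checks=int(parts[6]), matches=int(parts[7]),
                max_ticks=int(parts[8]), avg_ticks=float(parts[9]),
                avg_match=float(parts[10]), avg_nomatch=float(parts[11])))
        except ValueError:
            continue  # tolerate a garbled row rather than abort
    return rows


def top_by_ticks(rows: List[RuleProfile], n: int = 3) -> List[int]:
    """SIDs that consumed the most total ticks (the real CPU cost)."""
    return [r.sid for r in sorted(rows, key=lambda r: r.ticks, reverse=True)[:n]]


def never_matching_hot(rows: List[RuleProfile], min_checks: int = 1000) -> List[int]:
    """SIDs checked at least min_checks times that never matched: these
    burn cycles on every flow they are attached to and are the first
    candidates for a closer look (narrower port/flow options, or
    disabling if they do not apply to the monitored network)."""
    return sorted(r.sid for r in rows if r.checks >= min_checks and r.matches == 0)


def tick_share(rows: List[RuleProfile]) -> Dict[int, float]:
    """Fraction of all profiled ticks attributable to each SID."""
    total = sum(r.ticks for r in rows)
    return {r.sid: r.ticks / total for r in rows} if total else {}


if __name__ == "__main__":
    profile = parse_rule_perf(SAMPLE)
    for sid in top_by_ticks(profile):
        print(f"sid {sid}: {tick_share(profile)[sid]:.1%} of ticks")
    print("checked often, never matched:", never_matching_hot(profile))
```

In the thread's dump, sids 24787, 24791 and 30134 are the rows with the most ticks and about 124,000 checks each, which is where such a ranking points first.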