[Oisf-users] Suricata consume more than 50% CPU
Peter Manev
petermanev at gmail.com
Sun Dec 20 19:05:06 UTC 2015
On Sun, Dec 20, 2015 at 6:17 PM, David Touzeau <david at articatech.com> wrote:
> You are right, increasing the max-pending value seems to decrease the CPU
> consumption.
>
> But I have 1 point:
>
> - It is Sunday and only 5 users are using the box.
> With 5 users the Suricata service consumes about 15% CPU and 650MB of memory.
> I'm afraid that with 100 users the service will increase its consumption
> dramatically.
>
I would suggest bumping it up to - 32768.
Nonetheless - you would need to keep an eye on it and re-confirm during peak
traffic times.
There would be peak usage from the other applications on that machine
as well affecting performance - so you would need to know what
resources you have available to use for Suricata and adjust the
config/rules accordingly.
What is your peak traffic?
> So that's why I ask for some tuning to decrease the consumption to the MAX...
>
> Best regards
>
>
>
> On 20/12/2015 17:37, Peter Manev wrote:
>>
>> On Sun, Dec 20, 2015 at 5:30 PM, David Touzeau <david at articatech.com>
>> wrote:
>>>
>>> Hi
>>>
>>> I have increased max-pending-packets to 2048.
>>> The box is a gateway box that runs Squid Proxy software in transparent
>>> mode, Apache, PostgreSQL and MySQL for about 100 users.
>>> When stopping the Suricata service, load decreases from 1.7 to 0.3.
>>
>> That does not correspond to the 52.4% you previously mentioned - or has this
>> changed after you increased the suggested max-pending value?
>>
>>> Box is an Intel Core i7 + 8GB memory + 250GB SSD
>>>
>>> Currently Suricata consumes about 9-11% CPU and 650MB of memory.
>>> It is the top process consuming memory and CPU:
>>>
>>> root 22397 9.3 6.5 380872 523408 ? Ssl 17:19 0:31 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata/suricata.pid --pfring -D
>>>
>>> Is there something that I can tweak to decrease the consumption further
>>> (remove some flow scanners)?
>>>
>>> Best regards
>>>
>>>
>>>
>>>
>>>
>>> On 20/12/2015 16:37, Peter Manev wrote:
>>>>
>>>> On Sun, Dec 20, 2015 at 4:17 PM, David Touzeau <david at articatech.com>
>>>> wrote:
>>>>>
>>>>> Thanks Peter, here is the requested information:
>>>>>
>>>>> PF_RING:
>>>>>
>>>>> modinfo pf_ring && cat /proc/net/pf_ring/info
>>>>> filename: /lib/modules/3.2.0-4-amd64/kernel/net/pf_ring/pf_ring.ko
>>>>> alias: net-pf-27
>>>>> description: Packet capture acceleration and analysis
>>>>> author: ntop.org
>>>>> license: GPL
>>>>> depends:
>>>>> vermagic: 3.2.0-4-amd64 SMP mod_unload modversions
>>>>> parm: min_num_slots:Min number of ring slots (uint)
>>>>> parm: perfect_rules_hash_size:Perfect rules hash size (uint)
>>>>> parm: transparent_mode:(deprecated) (uint)
>>>>> parm: enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog (uint)
>>>>> parm: enable_tx_capture:Set to 1 to capture outgoing packets (uint)
>>>>> parm: enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint)
>>>>> parm: enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)
>>>>> parm: quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint)
>>>>> PF_RING Version : 6.1.1 (dev:03645d72194bf671201728c1e947f365883935c7)
>>>>> Total rings : 4
>>>>>
>>>>> Standard (non DNA/ZC) Options
>>>>> Ring slots : 65534
>>>>> Slot version : 16
>>>>> Capture TX : Yes [RX+TX]
>>>>> IP Defragment : No
>>>>> Socket Mode : Standard
>>>>> Total plugins : 0
>>>>> Cluster Fragment Queue : 0
>>>>> Cluster Fragment Discard : 0
>>>>>
>>>>>
>>>>>
>>>>> Here is the start in verbose mode:
>>>>>
>>>>>
>>>>> 20/12/2015 -- 16:15:16 - <Notice> - This is Suricata version 2.0.10 RELEASE
>>>>> 20/12/2015 -- 16:15:16 - <Info> - CPUs/cores online: 4
>>>>> 20/12/2015 -- 16:15:16 - <Info> - 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
>>>>> 20/12/2015 -- 16:15:16 - <Info> - 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
>>>>> 20/12/2015 -- 16:15:16 - <Info> - DNS request flood protection level: 500
>>>>> 20/12/2015 -- 16:15:16 - <Info> - DNS per flow memcap (state-memcap): 524288
>>>>> 20/12/2015 -- 16:15:16 - <Info> - DNS global memcap: 16777216
>>>>> 20/12/2015 -- 16:15:16 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
>>>>> 20/12/2015 -- 16:15:16 - <Info> - preallocated 65535 defrag trackers of size 168
>>>>> 20/12/2015 -- 16:15:16 - <Info> - defrag memory usage: 14679896 bytes, maximum: 33554432
>>>>> 20/12/2015 -- 16:15:16 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
>>>>> 20/12/2015 -- 16:15:16 - <Info> - preallocated 1024 packets. Total memory 3573760
>>>>> 20/12/2015 -- 16:15:16 - <Info> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
>>>>> 20/12/2015 -- 16:15:16 - <Info> - preallocated 1000 hosts of size 112
>>>>> 20/12/2015 -- 16:15:16 - <Info> - host memory usage: 390144 bytes, maximum: 16777216
>>>>> 20/12/2015 -- 16:15:16 - <Info> - allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
>>>>> 20/12/2015 -- 16:15:16 - <Info> - preallocated 10000 flows of size 280
>>>>> 20/12/2015 -- 16:15:16 - <Info> - flow memory usage: 7074304 bytes, maximum: 67108864
>>>>> 20/12/2015 -- 16:15:16 - <Info> - stream "prealloc-sessions": 2048 (per thread)
>>>>> 20/12/2015 -- 16:15:16 - <Info> - stream "memcap": 33554432
>>>>> 20/12/2015 -- 16:15:16 - <Info> - stream "midstream" session pickups: disabled
>>>>> 20/12/2015 -- 16:15:16 - <Info> - stream "async-oneside": disabled
>>>>> 20/12/2015 -- 16:15:16 - <Info> - stream "checksum-validation": disabled
>>>>> 20/12/2015 -- 16:15:16 - <Info> - stream."inline": disabled
>>>>> 20/12/2015 -- 16:15:16 - <Info> - stream "max-synack-queued": 5
>>>>> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "memcap": 134217728
>>>>> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "depth": 1048576
>>>>> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "toserver-chunk-size": 2587
>>>>> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "toclient-chunk-size": 2593
>>>>> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly.raw: enabled
>>>>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 4, prealloc 256
>>>>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 16, prealloc 512
>>>>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 112, prealloc 512
>>>>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 248, prealloc 512
>>>>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 512, prealloc 512
>>>>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 768, prealloc 1024
>>>>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 1448, prealloc 1024
>>>>> 20/12/2015 -- 16:15:16 - <Info> - segment pool: pktsize 65535, prealloc 128
>>>>> 20/12/2015 -- 16:15:16 - <Info> - stream.reassembly "chunk-prealloc": 250
>>>>> 20/12/2015 -- 16:15:16 - <Info> - IP reputation disabled
>>>>> 20/12/2015 -- 16:15:16 - <Info> - Registered 106 keyword profiling counters.
>>>>> 20/12/2015 -- 16:15:16 - <Info> - using magic-file /usr/share/file/magic
>>>>> 20/12/2015 -- 16:15:16 - <Info> - Delayed detect disabled
>>>>> 20/12/2015 -- 16:15:17 - <Info> - 11 rule files processed. 6557 rules successfully loaded, 0 rules failed
>>>>> 20/12/2015 -- 16:15:17 - <Info> - 6557 signatures processed. 30 are IP-only rules, 3222 are inspecting packet payload, 4746 inspect application layer, 0 are decoder event only
>>>>> 20/12/2015 -- 16:15:17 - <Info> - building signature grouping structure, stage 1: preprocessing rules... complete
>>>>> 20/12/2015 -- 16:15:17 - <Info> - building signature grouping structure, stage 2: building source address list... complete
>>>>> 20/12/2015 -- 16:15:17 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Registered 6557 rule profiling counters.
>>>>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2013028, gid 1: unknown rule
>>>>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2006380, gid 1: unknown rule
>>>>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2013504, gid 1: unknown rule
>>>>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2012141, gid 1: unknown rule
>>>>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2002878, gid 1: unknown rule
>>>>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2002157, gid 1: unknown rule
>>>>> 20/12/2015 -- 16:15:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2012648, gid 1: unknown rule
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Threshold config parsed: 7 rule(s) found
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Core dump size set to unlimited.
>>>>> 20/12/2015 -- 16:15:18 - <Info> - eve-log output device (regular) initialized: eve.json
>>>>> 20/12/2015 -- 16:15:18 - <Info> - returning output_ctx 0x55f3b70
>>>>> 20/12/2015 -- 16:15:18 - <Info> - enabling 'eve-log' module 'alert'
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Adding interface eth0 from config file
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Adding interface eth1 from config file
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for "management-cpu-set"
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for "receive-cpu-set"
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for "decode-cpu-set"
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for "stream-cpu-set"
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for "detect-cpu-set"
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Using default prio 'medium'
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for "verdict-cpu-set"
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Using default prio 'high'
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for "reject-cpu-set"
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Using default prio 'low'
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Found affinity definition for "output-cpu-set"
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Using default prio 'medium'
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Using flow cluster mode for PF_RING (iface eth0)
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Going to use 2 thread(s)
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 0
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 2 for "RxPFReth01" Module to cpu/core 0, thread id 32120
>>>>> 20/12/2015 -- 16:15:18 - <Info> - (RxPFReth01) Using PF_RING v.6.1.1, interface eth0, cluster-id 99
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 1
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "RxPFReth02" Module to cpu/core 1, thread id 32154
>>>>> 20/12/2015 -- 16:15:18 - <Info> - (RxPFReth02) Using PF_RING v.6.1.1, interface eth0, cluster-id 99
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Using flow cluster mode for PF_RING (iface eth1)
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Going to use 2 thread(s)
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 2
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "RxPFReth11" Module to cpu/core 2, thread id 32186
>>>>> 20/12/2015 -- 16:15:18 - <Info> - (RxPFReth11) Using PF_RING v.6.1.1, interface eth1, cluster-id 98
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting affinity on CPU 3
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio -2 for "RxPFReth12" Module to cpu/core 3, thread id 32214
>>>>> 20/12/2015 -- 16:15:18 - <Info> - (RxPFReth12) Using PF_RING v.6.1.1, interface eth1, cluster-id 98
>>>>> 20/12/2015 -- 16:15:18 - <Info> - RunModeIdsPfringWorkers initialised
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "FlowManagerThread" thread , thread id 32247
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "SCPerfWakeupThread" thread , thread id 32248
>>>>> 20/12/2015 -- 16:15:18 - <Info> - Setting prio 0 for "SCPerfMgmtThread" thread , thread id 32250
>>>>> 20/12/2015 -- 16:15:18 - <Notice> - all 4 packet processing threads, 3 management threads initialized, engine started.
>>>>>
>>>>>
>>>>> On 20/12/2015 16:11, Peter Manev wrote:
>>>>>>
>>>>>> On Sun, Dec 20, 2015 at 2:43 PM, David Touzeau <david at articatech.com>
>>>>>> wrote:
>>>>>>>
>>>>>>>
>>>>>>> Hi, all
>>>>>>>
>>>>>>> As you can see, the main service consumes 52.4% on an Intel Core i7 for
>>>>>>> less than about 10MBS of bandwidth.
>>>>>>>
>>>>>>> root 31283 52.4 9.6 455496 773264 ? SNsl 14:16 6:29 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata/suricata.pid --pfring -D
>>>>>>>
>>>>>>> root 31283 65.1 9.6 455496 773264 ? SNsl 14:16 12:06 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata/suricata.pid --pfring -D
>>>>>>>
>>>>>>> Are there any tips to reduce this CPU consumption?
>>>>>>>
>>>>>>> Configuration:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ####################################################################################
>>>>>>> %YAML 1.1
>>>>>>> ---
>>>>>>>
>>>>>>> runmode: workers
>>>>>>> host-mode: auto
>>>>>>> pid-file: /var/run/suricata.pid
>>>>>>> default-log-dir: /var/log/suricata/
>>>>>>> unix-command:
>>>>>>>   enabled: no
>>>>>>>
>>>>>>> outputs:
>>>>>>>
>>>>>>>   - fast:
>>>>>>>       enabled: no
>>>>>>>       filename: fast.log
>>>>>>>       append: yes
>>>>>>>
>>>>>>>   - eve-log:
>>>>>>>       enabled: yes
>>>>>>>       type: file
>>>>>>>       filename: eve.json
>>>>>>>       types:
>>>>>>>         - alert
>>>>>>>         #- drop
>>>>>>>
>>>>>>>   - unified2-alert:
>>>>>>>       enabled: no
>>>>>>>       filename: unified2.alert
>>>>>>>       sensor-id: 0
>>>>>>>
>>>>>>>       xff:
>>>>>>>         enabled: no
>>>>>>>         mode: extra-data
>>>>>>>         header: X-Forwarded-For
>>>>>>>
>>>>>>>   - http-log:
>>>>>>>       enabled: no
>>>>>>>       filename: http.log
>>>>>>>       append: yes
>>>>>>>
>>>>>>>   - tls-log:
>>>>>>>       enabled: no
>>>>>>>       filename: tls.log # File to store TLS logs.
>>>>>>>       append: yes
>>>>>>>       certs-log-dir: certs
>>>>>>>
>>>>>>>   - dns-log:
>>>>>>>       enabled: no
>>>>>>>       filename: dns.log
>>>>>>>       append: yes
>>>>>>>
>>>>>>>   - pcap-info:
>>>>>>>       enabled: no
>>>>>>>
>>>>>>>   - pcap-log:
>>>>>>>       enabled: no
>>>>>>>       filename: log.pcap
>>>>>>>       limit: 1000mb
>>>>>>>       max-files: 2000
>>>>>>>
>>>>>>>       mode: normal
>>>>>>>       use-stream-depth: no
>>>>>>>
>>>>>>>   - alert-debug:
>>>>>>>       enabled: no
>>>>>>>       filename: alert-debug.log
>>>>>>>       append: yes
>>>>>>>       filetype: regular
>>>>>>>
>>>>>>>   - alert-prelude:
>>>>>>>       enabled: no
>>>>>>>       profile: suricata
>>>>>>>       log-packet-content: no
>>>>>>>       log-packet-header: yes
>>>>>>>
>>>>>>>   - stats:
>>>>>>>       enabled: yes
>>>>>>>       filename: stats.log
>>>>>>>       interval: 10
>>>>>>>
>>>>>>>   - syslog:
>>>>>>>       enabled: no
>>>>>>>       identity: "suricata"
>>>>>>>       facility: local5
>>>>>>>
>>>>>>>   - drop:
>>>>>>>       enabled: no
>>>>>>>       filename: drop.log
>>>>>>>       append: yes
>>>>>>>       filetype: regular
>>>>>>>
>>>>>>>   - file-store:
>>>>>>>       enabled: no # set to yes to enable
>>>>>>>       log-dir: files # directory to store the files
>>>>>>>       force-magic: no # force logging magic on all stored files
>>>>>>>       force-md5: no # force logging of md5 checksums
>>>>>>>
>>>>>>>   - file-log:
>>>>>>>       enabled: no
>>>>>>>       filename: files-json.log
>>>>>>>       append: yes
>>>>>>>       filetype: regular
>>>>>>>       force-magic: yes
>>>>>>>       force-md5: yes
>>>>>>>
>>>>>>> magic-file: /usr/share/file/magic
>>>>>>>
>>>>>>> nfq:
>>>>>>>
>>>>>>> nflog:
>>>>>>>   - group: 2
>>>>>>>     buffer-size: 18432
>>>>>>>   - group: default
>>>>>>>     qthreshold: 1
>>>>>>>     qtimeout: 100
>>>>>>>     max-size: 20000
>>>>>>>
>>>>>>> af-packet:
>>>>>>>   - interface: eth1
>>>>>>>     threads: 1
>>>>>>>     cluster-id: 99
>>>>>>>     cluster-type: cluster_flow
>>>>>>>     defrag: yes
>>>>>>>     use-mmap: yes
>>>>>>>
>>>>>>>   - interface: eth1
>>>>>>>     threads: 1
>>>>>>>     cluster-id: 98
>>>>>>>     cluster-type: cluster_flow
>>>>>>>     defrag: yes
>>>>>>>
>>>>>>>   - interface: default
>>>>>>>
>>>>>>> legacy:
>>>>>>>   uricontent: enabled
>>>>>>>
>>>>>>> detect-engine:
>>>>>>>   - profile: medium
>>>>>>>   - custom-values:
>>>>>>>       toclient-src-groups: 2
>>>>>>>       toclient-dst-groups: 2
>>>>>>>       toclient-sp-groups: 2
>>>>>>>       toclient-dp-groups: 3
>>>>>>>       toserver-src-groups: 2
>>>>>>>       toserver-dst-groups: 4
>>>>>>>       toserver-sp-groups: 2
>>>>>>>       toserver-dp-groups: 25
>>>>>>>   - sgh-mpm-context: auto
>>>>>>>   - inspection-recursion-limit: 3000
>>>>>>>
>>>>>>> threading:
>>>>>>>   set-cpu-affinity: yes
>>>>>>>
>>>>>>>   cpu-affinity:
>>>>>>>     - management-cpu-set:
>>>>>>>         cpu: [ "all" ]
>>>>>>>
>>>>>>>     - receive-cpu-set:
>>>>>>>         cpu: [ 0 ] # include only these cpus in affinity settings
>>>>>>>
>>>>>>>     - decode-cpu-set:
>>>>>>>         cpu: [ 0, 1 ]
>>>>>>>         mode: "balanced"
>>>>>>>
>>>>>>>     - stream-cpu-set:
>>>>>>>         cpu: [ "0-1" ]
>>>>>>>
>>>>>>>     - detect-cpu-set:
>>>>>>>         cpu: [ "all" ]
>>>>>>>         mode: "exclusive"
>>>>>>>         prio:
>>>>>>>           low: [ 0 ]
>>>>>>>           medium: [ "1-2" ]
>>>>>>>           high: [ 3 ]
>>>>>>>           default: "medium"
>>>>>>>
>>>>>>>     - verdict-cpu-set:
>>>>>>>         cpu: [ 0 ]
>>>>>>>         prio:
>>>>>>>           default: "high"
>>>>>>>     - reject-cpu-set:
>>>>>>>         cpu: [ 0 ]
>>>>>>>         prio:
>>>>>>>           default: "low"
>>>>>>>     - output-cpu-set:
>>>>>>>         cpu: [ "all" ]
>>>>>>>         prio:
>>>>>>>           default: "medium"
>>>>>>>   #
>>>>>>>   detect-thread-ratio: 1.5
>>>>>>>
>>>>>>> # Cuda configuration.
>>>>>>> cuda:
>>>>>>>   mpm:
>>>>>>>     data-buffer-size-min-limit: 0
>>>>>>>     data-buffer-size-max-limit: 1500
>>>>>>>     cudabuffer-buffer-size: 500mb
>>>>>>>     gpu-transfer-size: 50mb
>>>>>>>     batching-timeout: 2000
>>>>>>>     device-id: 0
>>>>>>>     cuda-streams: 2
>>>>>>>
>>>>>>> mpm-algo: ac
>>>>>>>
>>>>>>> pattern-matcher:
>>>>>>>   - b2gc:
>>>>>>>       search-algo: B2gSearchBNDMq
>>>>>>>       hash-size: low
>>>>>>>       bf-size: medium
>>>>>>>   - b2gm:
>>>>>>>       search-algo: B2gSearchBNDMq
>>>>>>>       hash-size: low
>>>>>>>       bf-size: medium
>>>>>>>   - b2g:
>>>>>>>       search-algo: B2gSearchBNDMq
>>>>>>>       hash-size: low
>>>>>>>       bf-size: medium
>>>>>>>   - b3g:
>>>>>>>       search-algo: B3gSearchBNDMq
>>>>>>>       hash-size: low
>>>>>>>       bf-size: medium
>>>>>>>   - wumanber:
>>>>>>>       hash-size: low
>>>>>>>       bf-size: medium
>>>>>>>
>>>>>>> # Defrag settings:
>>>>>>>
>>>>>>> defrag:
>>>>>>>   memcap: 32mb
>>>>>>>   hash-size: 65536
>>>>>>>   trackers: 65535 # number of defragmented flows to follow
>>>>>>>   max-frags: 65535 # number of fragments to keep (higher than trackers)
>>>>>>>   prealloc: yes
>>>>>>>   timeout: 60
>>>>>>>
>>>>>>> flow:
>>>>>>>   memcap: 64mb
>>>>>>>   hash-size: 65536
>>>>>>>   prealloc: 10000
>>>>>>>   emergency-recovery: 30
>>>>>>>
>>>>>>> vlan:
>>>>>>>   use-for-tracking: true
>>>>>>>
>>>>>>> flow-timeouts:
>>>>>>>
>>>>>>>   default:
>>>>>>>     new: 30
>>>>>>>     established: 300
>>>>>>>     closed: 0
>>>>>>>     emergency-new: 10
>>>>>>>     emergency-established: 100
>>>>>>>     emergency-closed: 0
>>>>>>>   tcp:
>>>>>>>     new: 60
>>>>>>>     established: 3600
>>>>>>>     closed: 120
>>>>>>>     emergency-new: 10
>>>>>>>     emergency-established: 300
>>>>>>>     emergency-closed: 20
>>>>>>>   udp:
>>>>>>>     new: 30
>>>>>>>     established: 300
>>>>>>>     emergency-new: 10
>>>>>>>     emergency-established: 100
>>>>>>>   icmp:
>>>>>>>     new: 30
>>>>>>>     established: 300
>>>>>>>     emergency-new: 10
>>>>>>>     emergency-established: 100
>>>>>>>
>>>>>>> stream:
>>>>>>>   memcap: 32mb
>>>>>>>   checksum-validation: no # reject wrong csums
>>>>>>>   inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
>>>>>>>   reassembly:
>>>>>>>     memcap: 128mb
>>>>>>>     depth: 1mb # reassemble 1mb into a stream
>>>>>>>     toserver-chunk-size: 2560
>>>>>>>     toclient-chunk-size: 2560
>>>>>>>     randomize-chunk-size: yes
>>>>>>>
>>>>>>> host:
>>>>>>>   hash-size: 4096
>>>>>>>   prealloc: 1000
>>>>>>>   memcap: 16777216
>>>>>>>
>>>>>>> logging:
>>>>>>>
>>>>>>>   default-log-level: notice
>>>>>>>   #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
>>>>>>>   default-output-filter:
>>>>>>>
>>>>>>>   outputs:
>>>>>>>   - console:
>>>>>>>       enabled: yes
>>>>>>>   - file:
>>>>>>>       enabled: yes
>>>>>>>       filename: /var/log/suricata.log
>>>>>>>   - syslog:
>>>>>>>       enabled: yes
>>>>>>>       facility: syslog
>>>>>>>       format: "[%i] <%d> -- "
>>>>>>>
>>>>>>> mpipe:
>>>>>>>
>>>>>>>   load-balance: dynamic
>>>>>>>   iqueue-packets: 2048
>>>>>>>   inputs:
>>>>>>>   - interface: xgbe2
>>>>>>>   - interface: xgbe3
>>>>>>>   - interface: xgbe4
>>>>>>>
>>>>>>>   stack:
>>>>>>>     size128: 0
>>>>>>>     size256: 9
>>>>>>>     size512: 0
>>>>>>>     size1024: 0
>>>>>>>     size1664: 7
>>>>>>>     size4096: 0
>>>>>>>     size10386: 0
>>>>>>>     size16384: 0
>>>>>>>
>>>>>>> pfring:
>>>>>>>
>>>>>>>   - interface: eth0
>>>>>>>     threads: 2
>>>>>>>     cluster-id: 99
>>>>>>>     cluster-type: cluster_flow
>>>>>>>
>>>>>>>   - interface: eth1
>>>>>>>     threads: 2
>>>>>>>     cluster-id: 98
>>>>>>>     cluster-type: cluster_flow
>>>>>>>
>>>>>>> default-rule-path: /etc/suricata/rules
>>>>>>> rule-files:
>>>>>>>   - drop.rules
>>>>>>>   - dshield.rules
>>>>>>>   - emerging-activex.rules
>>>>>>>   - emerging-attack_response.rules
>>>>>>>   - emerging-malware.rules
>>>>>>>   - emerging-policy.rules
>>>>>>>   - emerging-scan.rules
>>>>>>>   - emerging-shellcode.rules
>>>>>>>   - emerging-trojan.rules
>>>>>>>   - emerging-web_client.rules
>>>>>>>   - emerging-worm.rules
>>>>>>>   - snort.rules
>>>>>>>
>>>>>>> classification-file: /etc/suricata/classification.config
>>>>>>> reference-config-file: /etc/suricata/reference.config
>>>>>>>
>>>>>>> vars:
>>>>>>>   address-groups:
>>>>>>>     HOME_NET: "[192.168.1.0/24,10.10.1.0/24]"
>>>>>>>     EXTERNAL_NET: "!$HOME_NET"
>>>>>>>     HTTP_SERVERS: "$HOME_NET"
>>>>>>>     SMTP_SERVERS: "$HOME_NET"
>>>>>>>     SQL_SERVERS: "$HOME_NET"
>>>>>>>     DNS_SERVERS: "$HOME_NET"
>>>>>>>     TELNET_SERVERS: "$HOME_NET"
>>>>>>>     AIM_SERVERS: "$EXTERNAL_NET"
>>>>>>>     DNP3_SERVER: "$HOME_NET"
>>>>>>>     DNP3_CLIENT: "$HOME_NET"
>>>>>>>     MODBUS_CLIENT: "$HOME_NET"
>>>>>>>     MODBUS_SERVER: "$HOME_NET"
>>>>>>>     ENIP_CLIENT: "$HOME_NET"
>>>>>>>     ENIP_SERVER: "$HOME_NET"
>>>>>>>
>>>>>>>   port-groups:
>>>>>>>     HTTP_PORTS: "80"
>>>>>>>     SHELLCODE_PORTS: "!80"
>>>>>>>     ORACLE_PORTS: 1521
>>>>>>>     SSH_PORTS: 22
>>>>>>>     DNP3_PORTS: 20000
>>>>>>>     FILE_DATA_PORTS: "[110,143]"
>>>>>>>
>>>>>>> action-order:
>>>>>>>   - pass
>>>>>>>   - drop
>>>>>>>   - reject
>>>>>>>   - alert
>>>>>>>
>>>>>>> host-os-policy:
>>>>>>>   windows: [0.0.0.0/0]
>>>>>>>   bsd: []
>>>>>>>   bsd-right: []
>>>>>>>   old-linux: []
>>>>>>>   linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
>>>>>>>   old-solaris: []
>>>>>>>   solaris: ["::1"]
>>>>>>>   hpux10: []
>>>>>>>   hpux11: []
>>>>>>>   irix: []
>>>>>>>   macos: []
>>>>>>>   vista: []
>>>>>>>   windows2k3: []
>>>>>>>
>>>>>>> asn1-max-frames: 256
>>>>>>>
>>>>>>> engine-analysis:
>>>>>>>   rules-fast-pattern: yes
>>>>>>>   rules: yes
>>>>>>>
>>>>>>> pcre:
>>>>>>>   match-limit: 3500
>>>>>>>   match-limit-recursion: 1500
>>>>>>>
>>>>>>> threshold-file: /etc/suricata/threshold.config
>>>>>>>
>>>>>>> app-layer:
>>>>>>>   protocols:
>>>>>>>     tls:
>>>>>>>       enabled: yes
>>>>>>>       detection-ports:
>>>>>>>         dp: 443
>>>>>>>     dcerpc:
>>>>>>>       enabled: yes
>>>>>>>     ftp:
>>>>>>>       enabled: yes
>>>>>>>     ssh:
>>>>>>>       enabled: yes
>>>>>>>     smtp:
>>>>>>>       enabled: yes
>>>>>>>     imap:
>>>>>>>       enabled: detection-only
>>>>>>>     msn:
>>>>>>>       enabled: detection-only
>>>>>>>     smb:
>>>>>>>       enabled: yes
>>>>>>>       detection-ports:
>>>>>>>         dp: 139
>>>>>>>     dns:
>>>>>>>
>>>>>>>       tcp:
>>>>>>>         enabled: yes
>>>>>>>         detection-ports:
>>>>>>>           dp: 53
>>>>>>>       udp:
>>>>>>>         enabled: yes
>>>>>>>         detection-ports:
>>>>>>>           dp: 53
>>>>>>>     http:
>>>>>>>       enabled: yes
>>>>>>>
>>>>>>>       libhtp:
>>>>>>>
>>>>>>>         default-config:
>>>>>>>           personality: IDS
>>>>>>>           request-body-limit: 3072
>>>>>>>           response-body-limit: 3072
>>>>>>>           request-body-minimal-inspect-size: 32kb
>>>>>>>           request-body-inspect-window: 4kb
>>>>>>>           response-body-minimal-inspect-size: 32kb
>>>>>>>           response-body-inspect-window: 4kb
>>>>>>>           double-decode-path: no
>>>>>>>           double-decode-query: no
>>>>>>>
>>>>>>>         server-config:
>>>>>>>
>>>>>>> profiling:
>>>>>>>   rules:
>>>>>>>     enabled: yes
>>>>>>>     filename: rule_perf.log
>>>>>>>     append: yes
>>>>>>>     sort: avgticks
>>>>>>>     limit: 100
>>>>>>>
>>>>>>>   keywords:
>>>>>>>     enabled: yes
>>>>>>>     filename: keyword_perf.log
>>>>>>>     append: yes
>>>>>>>
>>>>>>>   packets:
>>>>>>>     enabled: yes
>>>>>>>     filename: packet_stats.log
>>>>>>>     append: yes
>>>>>>>
>>>>>>>     csv:
>>>>>>>       enabled: no
>>>>>>>       filename: packet_stats.csv
>>>>>>>
>>>>>>>   locks:
>>>>>>>     enabled: no
>>>>>>>     filename: lock_stats.log
>>>>>>>     append: yes
>>>>>>>
>>>>>>> coredump:
>>>>>>>   max-dump: unlimited
>>>>>>>
>>>>>>> napatech:
>>>>>>>   hba: -1
>>>>>>>   use-all-streams: yes
>>>>>>>   streams: [1, 2, 3]
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ############################################################################################################
>>>>>>>
>>>>>>> Stats:
>>>>>>> Date: 12/20/2015 -- 14:16:48
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --------------------------------------------------------------------------
>>>>>>> Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
>>>>>>> -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
>>>>>>> 1 2021621 1 6 2472462 0.00 6 0 626418 412077.00 0.00 412077.00
>>>>>>> 2 2021529 1 3 2690096101 0.55 9463 0 4390290 284275.19 0.00 284275.19
>>>>>>> 3 2018005 1 6 1262809391 0.26 10390 0 14480148 121540.85 0.00 121540.85
>>>>>>> 4 2021993 1 2 3446612 0.00 34 0 158850 101370.94 0.00 101370.94
>>>>>>> 5 2018637 1 2 12935952 0.00 129 0 9942498 100278.70 0.00 100278.70
>>>>>>> 6 24787 1 3 9454741704 1.93 124029 124014 74818640 76230.09 0.00 630316113.60
>>>>>>> 7 2021276 1 3 75600 0.00 1 0 75600 75600.00 0.00 75600.00
>>>>>>> 8 25043 1 2 78320311 0.02 1043 0 7832052 75091.38 0.00 75091.38
>>>>>>> 9 2018457 1 1 789052728 0.16 10603 0 9742392 74417.87 0.00 74417.87
>>>>>>> 10 2022078 1 2 5036420 0.00 74 0 125892 68059.73 0.00 68059.73
>>>>>>> 11 32413 1 2 10957828 0.00 199 0 391374 55064.46 0.00 55064.46
>>>>>>> 12 2018604 1 5 319594 0.00 6 0 262260 53265.67 0.00 53265.67
>>>>>>> 13 31371 1 6 188502 0.00 4 0 76356 47125.50 0.00 47125.50
>>>>>>> 14 16425 1 17 1408770 0.00 30 30 56286 46959.00 46959.00 0.00
>>>>>>> 15 2014376 1 3 229054 0.00 5 0 63810 45810.80 0.00 45810.80
>>>>>>> 16 17733 1 12 3675860 0.00 86 52 74808 42742.56 49390.81 32574.65
>>>>>>> 17 2012970 1 2 2264024 0.00 56 0 89748 40429.00 0.00 40429.00
>>>>>>> 18 24791 1 3 4794438838 0.98 124030 124016 101016232 38655.48 0.00 342459917.00
>>>>>>> 19 2012969 1 2 2750828 0.00 73 0 239544 37682.58 0.00 37682.58
>>>>>>> 20 32412 1 2 14092239 0.00 374 0 151416 37679.78 0.00 37679.78
>>>>>>> 21 23224 1 6 37494 0.00 1 0 37494 37494.00 0.00 37494.00
>>>>>>> 22 32387 1 1 70722 0.00 2 0 69318 35361.00 0.00 35361.00
>>>>>>> 23 2012981 1 3 70560 0.00 2 0 37080 35280.00 0.00 35280.00
>>>>>>> 24 2017816 1 4 4166644 0.00 120 0 112896 34722.03 0.00 34722.03
>>>>>>> 25 2020781 1 4 5879307 0.00 175 0 249606 33596.04 0.00 33596.04
>>>>>>> 26 2018403 1 8 997676 0.00 30 0 46710 33255.87 0.00 33255.87
>>>>>>> 27 30134 1 1 4061564568 0.83 124035 124026 28903920 32745.31 0.00 451284952.00
>>>>>>> 28 2018264 1 8 641252 0.00 20 0 54720 32062.60 0.00 32062.60
>>>>>>> 29 17394 1 12 507772 0.00 16 16 61560 31735.75 31735.75 0.00
>>>>>>> 30 21288 1 8 2745335 0.00 87 87 71010 31555.57 31555.57 0.00
>>>>>>> 31 2018121 1 4 943150 0.00 30 0 56142 31438.33 0.00 31438.33
>>>>>>> 32 2014090 1 6 250596 0.00 8 0 65628 31324.50 0.00 31324.50
>>>>>>> 33 2007650 1 4 45356295 0.01 1455 0 4291452 31172.71 0.00 31172.71
>>>>>>> 34 31276 1 2 61704 0.00 2 0 31356 30852.00 0.00 30852.00
>>>>>>> 35 15468 1 13 29292 0.00 1 0 29292 29292.00 0.00 29292.00
>>>>>>> 36 2018581 1 2 875904 0.00 30 0 178812 29196.80 0.00 29196.80
>>>>>>> 37 2020791 1 2 4920368 0.00 175 0 225954 28116.39 0.00 28116.39
>>>>>>> 38 2016029 1 3 824358 0.00 30 0 36360 27478.60 0.00 27478.60
>>>>>>> 39 2020029 1 2 327394 0.00 12 0 47376 27282.83 0.00 27282.83
>>>>>>> 40 2012328 1 5 135298 0.00 5 0 33120 27059.60 0.00 27059.60
>>>>>>> 41 31274 1 1 1687170 0.00 63 0 155286 26780.48 0.00 26780.48
>>>>>>> 42 2019083 1 2 3530338 0.00 133 0 97164 26543.89 0.00 26543.89
>>>>>>> 43 31279 1 1 52524 0.00 2 0 26460 26262.00 0.00 26262.00
>>>>>>> 44 2014634 1 1 1757602 0.00 68 0 39690 25847.09 0.00 25847.09
>>>>>>> 45 2018295 1 3 900796 0.00 36 0 52560 25022.11 0.00 25022.11
>>>>>>> 46 2021245 1 4 747988 0.00 30 0 36090 24932.93 0.00 24932.93
>>>>>>> 47 24651 1 4 49284 0.00 2 0 24804 24642.00 0.00 24642.00
>>>>>>> 48 2020763 1 2 3023974 0.00 123 0 167220 24585.15 0.00 24585.15
>>>>>>> 49 2020800 1 2 3333830 0.00 136 0 87246 24513.46 0.00 24513.46
>>>>>>> 50 2020614 1 2 3913592 0.00 160 0 83772 24459.95 0.00 24459.95
>>>>>>> 51 2020609 1 4 3111426 0.00 130 0 89442 23934.05 0.00 23934.05
>>>>>>> 52 2019141 1 3 568974 0.00 24 0 28422 23707.25 0.00 23707.25
>>>>>>> 53 2019602 1 1 3171882 0.00 134 0 240822 23670.76 0.00 23670.76
>>>>>>> 54 2003287 1 6 466520 0.00 20 0 285516 23326.00 0.00 23326.00
>>>>>>> 55 2016922 1 10 3230312 0.00 139 0 91782 23239.65 0.00 23239.65
>>>>>>> 56 2020611 1 3 4594070 0.00 198 0 79056 23202.37 0.00 23202.37
>>>>>>> 57 17380 1 15 991624 0.00 43 43 59292 23061.02 23061.02 0.00
>>>>>>> 58 2020960 1 2 685418 0.00 30 0 30708 22847.27 0.00 22847.27
>>>>>>> 59 2018057 1 3 3583156 0.00 159 0 96030 22535.57 0.00 22535.57
>>>>>>> 60 2008782 1 5 2748390 0.00 122 0 69048 22527.79 0.00 22527.79
>>>>>>> 61 2020782 1 2 3130320 0.00 139 0 88110 22520.29 0.00 22520.29
>>>>>>> 62 2020613 1 3 3356494 0.00 150 0 82350 22376.63 0.00 22376.63
>>>>>>> 63 2020769 1 2 2636396 0.00 118 0 86958 22342.34 0.00 22342.34
>>>>>>> 64 2020586 1 3 2700166 0.00 122 0 90774 22132.51 0.00 22132.51
>>>>>>> 65 2020693 1 1 3049757 0.00 138 0 199368 22099.69 0.00 22099.69
>>>>>>> 66 2020799 1 2 3818200 0.00 173 0 120798 22070.52 0.00 22070.52
>>>>>>> 67 2006380 1 12 1300862 0.00 59 59 33912 22048.51 22048.51 0.00
>>>>>>> 68 2020786 1 2 3212030 0.00 146 0 101574 22000.21 0.00 22000.21
>>>>>>> 69 2017915 1 2 3046598 0.00 140 0 117576 21761.41 0.00 21761.41
>>>>>>> 70 2018880 1 2 3366284 0.00 155 0 94104 21717.96 0.00 21717.96
>>>>>>> 71 2020765 1 2 2808816 0.00 130 0 209520 21606.28 0.00 21606.28
>>>>>>> 72 2020784 1 2 2741601 0.00 127 0 95958 21587.41 0.00 21587.41
>>>>>>> 73 29189 1 1 1032558 0.00 48 0 33894 21511.62 0.00 21511.62
>>>>>>> 74 2020612 1 3 2967752 0.00 138 0 89262 21505.45 0.00 21505.45
>>>>>>> 75 2020773 1 2 3074056 0.00 144 0 83952 21347.61 0.00 21347.61
>>>>>>> 76 2017263 1 2 127458 0.00 6 0 23652 21243.00 0.00 21243.00
>>>>>>> 77 2018638 1 2 2883696 0.00 136 0 85752 21203.65 0.00 21203.65
>>>>>>> 78 2020766 1 2 2509209 0.00 119 0 211302 21085.79 0.00 21085.79
>>>>>>> 79 2018166 1 3 2357794 0.00 112 0 87714 21051.73 0.00 21051.73
>>>>>>> 80 2020795 1 2 2384326 0.00 114 0 84744 20915.14 0.00 20915.14
>>>>>>> 81 2020777 1 2 2078802 0.00 100 0 78840 20788.02 0.00 20788.02
>>>>>>> 82 2002878 1 8 41562 0.00 2 2 22698 20781.00 20781.00 0.00
>>>>>>> 83 2020798 1 2 2462538 0.00 119 0 81666 20693.60 0.00 20693.60
>>>>>>> 84 2021520 1 2 123524 0.00 6 0 27738 20587.33 0.00 20587.33
>>>>>>> 85 2017191 1 3 20466 0.00 1 0 20466 20466.00 0.00 20466.00
>>>>>>> 86 2017707 1 1 3006623 0.00 147 0 101628 20453.22 0.00 20453.22
>>>>>>> 87 2020606 1 4 3149168 0.00 154 0 199062 20449.14 0.00 20449.14
>>>>>>> 88 32986 1 1 81696 0.00 4 0 30438 20424.00 0.00 20424.00
>>>>>>> 89 2020793 1 2 2587716 0.00 127 0 221544 20375.72 0.00 20375.72
>>>>>>> 90 2020783 1 2 2678856 0.00 133 0 95346 20141.77 0.00 20141.77
>>>>>>> 91 2018153 1 4 1965170 0.00 98
>>>>>>> 0
>>>>>>> 81612 20052.76 0.00 20052.76
>>>>>>> 92 2020780 1 2 2449289 0.00 123
>>>>>>> 0
>>>>>>> 94428 19912.92 0.00 19912.92
>>>>>>> 93 2021065 1 2 2663188 0.00 134
>>>>>>> 0
>>>>>>> 205596 19874.54 0.00 19874.54
>>>>>>> 94 2020764 1 2 2873784 0.00 145
>>>>>>> 0
>>>>>>> 80622 19819.20 0.00 19819.20
>>>>>>> 95 2020694 1 1 2533778 0.00 128
>>>>>>> 0
>>>>>>> 89424 19795.14 0.00 19795.14
>>>>>>> 96 32396 1 2 39582 0.00 2
>>>>>>> 0
>>>>>>> 22158 19791.00 0.00 19791.00
>>>>>>> 97 2020770 1 2 2354850 0.00 119
>>>>>>> 0
>>>>>>> 95760 19788.66 0.00 19788.66
>>>>>>> 98 2016567 1 6 19674 0.00 1
>>>>>>> 0
>>>>>>> 19674 19674.00 0.00 19674.00
>>>>>>> 99 2021381 1 7 1075986 0.00 55
>>>>>>> 4
>>>>>>> 62748 19563.38 59044.50 16466.82
>>>>>>> 100 2020691 1 1 2385889 0.00 123
>>>>>>> 0
>>>>>>> 96552 19397.47 0.00 19397.47
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ############################################################################################################
>>>>>>> _______________________________________________
>>>>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>>>>> Site: http://suricata-ids.org | Support:
>>>>>>> http://suricata-ids.org/support/
>>>>>>> List:
>>>>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>>> Suricata User Conference November 4 & 5 in Barcelona:
>>>>>>> http://oisfevents.net
>>>>>>
>>>>>>
>>>>>> Can you please post your suricata.log using pastebin or alike?
>>>>>> Please add "-v" to your start line.
>>>>>>
>>>>>> What is the output of -
>>>>>> modinfo pf_ring && cat /proc/net/pf_ring/info
>>>>>> ?
>>>>>>
>>>>>> Thank you
>>>>>>
>>>>>>
>>>>>>
>>>> Try increasing the value of max-pending-packets.
>>>> You don't have it in your yaml - so you need to add it in.
>>>>
>>>> Do you have anything else running on that box? (is it just Suri?)
>>>>
>>>> Thanks
>>>>
>>
>>
>
--
Regards,
Peter Manev
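Since the thread revolves around the rule-profiling output quoted above, here is a small parser, added as an example and not code from the list or the Suricata project, that ranks the rules consuming the most ticks without ever matching. It assumes the twelve whitespace-separated columns Suricata prints per rule (Num, Rule, Gid, Rev, Ticks, %, Checks, Matches, Max Ticks, Avg Ticks, Avg Match, Avg No Match); the sample records are constructed, not taken from the thread.

```python
from dataclasses import dataclass

# Column layout assumed for Suricata's rule profiling output.
COLUMNS = ("num", "sid", "gid", "rev", "ticks", "pct", "checks", "matches",
           "max_ticks", "avg_ticks", "avg_match", "avg_nomatch")

# Constructed sample in the same layout as the dump quoted above (values made up).
SAMPLE = """\
  Num      Rule         Gid  Rev  Ticks     %     Checks  Matches  Max Ticks  Avg Ticks  Avg Match  Avg No Match
  -------- ------------ ---- ---- --------- ----- ------- -------- ---------- ---------- ---------- ------------
  1        2000001      1    2    3000000   0.50  120     0        40000      25000.00   0.00       25000.00
  2        2000002      1    1    900000    0.15  60      3        30000      15000.00   20000.00   14736.84
  3        2000003      1    4    50000     0.01  10      0        9000       5000.00    0.00       5000.00
"""


@dataclass
class RuleStat:
    sid: int
    checks: int
    matches: int
    ticks: int
    avg_ticks: float


def parse_rule_perf(text: str) -> list:
    """Parse per-rule records; header, separator and comment lines are skipped."""
    stats = []
    for line in text.splitlines():
        fields = line.split()
        # A data record has exactly the expected column count and a numeric Num.
        if len(fields) != len(COLUMNS) or not fields[0].isdigit():
            continue
        rec = dict(zip(COLUMNS, fields))
        stats.append(RuleStat(sid=int(rec["sid"]), checks=int(rec["checks"]),
                              matches=int(rec["matches"]), ticks=int(rec["ticks"]),
                              avg_ticks=float(rec["avg_ticks"])))
    return stats


def costly_never_matching(stats, top=10):
    """Rules that were checked, burned the most total ticks, and never matched:
    the first candidates to review when CPU is the constraint."""
    idle = [s for s in stats if s.matches == 0 and s.checks > 0]
    return sorted(idle, key=lambda s: s.ticks, reverse=True)[:top]


if __name__ == "__main__":
    for s in costly_never_matching(parse_rule_perf(SAMPLE)):
        print(f"sid {s.sid}: {s.ticks} ticks over {s.checks} checks, avg {s.avg_ticks:.0f}")
```

Point it at a real profiling log with `parse_rule_perf(open(path).read())`; a rule that never matches is not automatically useless, so treat the list as a review queue rather than a disable list.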