[Oisf-users] Updated to 2.0.6 and experiencing event logging slow down

Gary Faulkner gfaulkner.nsm at gmail.com
Fri Feb 6 05:30:34 UTC 2015


I was recently updating some sensors that I inherited from a previous 
admin from Suricata 1.4.7 to 2.0.6. The 1.4.7 install was happily 
processing around 15Gbps of traffic (multiple sensors) with 15K rules 
and less than 1% loss prior to the update. After the update I'm noticing 
that Suricata is logging fewer and fewer events as time goes on and loss 
as recorded in stats.log increases substantially over time as well. As 
an example, we record HTTP logs with Suricata and for the first few 
minutes the sensors will log thousands of events per second, but after 
10 minutes or so that rate drops to a single event every few seconds. 
The box doesn't appear to be running out of memory, and Suricata will 
continue to run for hours in this state without crashing. Has anyone run 
into anything like this?

For some additional background I'm using Suricata with PF_RING 6.0.2 and 
the DNA drivers. PF_RING was also updated from 5.6.0 to 6.0.2. Traffic 
is load balanced across two sensors that each have 16 cores (32 
hyper-threading), 64GB RAM, and Intel 10G NICs. There were enough 
changes to the default config files between the two versions that I 
opted to diff the two and migrate our previous tuning settings to the 
new config file where appropriate, but I left the tuning settings 
largely untouched from what the previous setup was running. I've 
attached a config dump and build info if that is helpful. I suspect the 
config is suboptimal and I have experimented with some of the high 
performance tuning settings I've seen on the list, but I've largely 
found that I run out of RAM with them and Suricata never finishes 
loading. I appreciate any insight the list can offer.

Regards,
Gary
-------------- next part --------------
./suricata --build-info
This is Suricata version 2.0.6 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS 
SIMD support: SSE_4_2 SSE_4_1 SSE_3 
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.4.7 20120313 (Red Hat 4.4.7-4), C version 199901
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.16, linked against LibHTP v0.5.16
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         yes
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     no
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      no
  Prelude support:                         no
  PCRE jit:                                no
  LUA support:                             no
  libluajit:                               no
  libgeoip:                                yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     no

Generic build parameters:
  Installation prefix (--prefix):          /nsm/suricata
  Configuration directory (--sysconfdir):  /nsm/suricata/etc/suricata/
  Log directory (--localstatedir) :        /nsm/suricata/var/log/suricata/

  Host:                                    x86_64-unknown-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no


./suricata -c ../etc/suricata.yaml --dump-config 
Initialization syslog logging with format "[%i] <%d> -- ".
5/2/2015 -- 23:14:21 - <Notice> - This is Suricata version 2.0.6 RELEASE
5/2/2015 -- 23:14:21 - <Info> - CPUs/cores online: 32
runmode = workers
host-mode = auto
pid-file = /nsm/suricata/var/run/suricata.pid
daemon-directory = /nsm/suricata/var/run
default-log-dir = /nsm/suricata/log
unix-command = (null)
unix-command.enabled = no
outputs = (null)
outputs.0 = fast
outputs.0.fast = (null)
outputs.0.fast.enabled = no
outputs.0.fast.filename = fast.log
outputs.0.fast.append = yes
outputs.1 = eve-log
outputs.1.eve-log = (null)
outputs.1.eve-log.enabled = no
outputs.1.eve-log.type = file
outputs.1.eve-log.filename = eve.json
outputs.1.eve-log.types = (null)
outputs.1.eve-log.types.0 = alert
outputs.1.eve-log.types.1 = http
outputs.1.eve-log.types.1.http = (null)
outputs.1.eve-log.types.1.http.extended = yes
outputs.1.eve-log.types.2 = dns
outputs.1.eve-log.types.3 = tls
outputs.1.eve-log.types.3.tls = (null)
outputs.1.eve-log.types.3.tls.extended = yes
outputs.1.eve-log.types.4 = files
outputs.1.eve-log.types.4.files = (null)
outputs.1.eve-log.types.4.files.force-magic = no
outputs.1.eve-log.types.4.files.force-md5 = no
outputs.1.eve-log.types.5 = ssh
outputs.2 = unified2-alert
outputs.2.unified2-alert = (null)
outputs.2.unified2-alert.enabled = yes
outputs.2.unified2-alert.filename = unified2.alert
outputs.2.unified2-alert.xff = (null)
outputs.2.unified2-alert.xff.enabled = no
outputs.2.unified2-alert.xff.mode = extra-data
outputs.2.unified2-alert.xff.header = X-Forwarded-For
outputs.3 = http-log
outputs.3.http-log = (null)
outputs.3.http-log.enabled = yes
outputs.3.http-log.filename = http.log
outputs.3.http-log.append = yes
outputs.3.http-log.customformat = %{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i ,%{User-agent}i, %H ,%m %h%u, %s %B %a:%p -> %A:%P
outputs.4 = tls-log
outputs.4.tls-log = (null)
outputs.4.tls-log.enabled = no
outputs.4.tls-log.filename = tls.log
outputs.4.tls-log.append = yes
outputs.4.tls-log.certs-log-dir = certs
outputs.5 = dns-log
outputs.5.dns-log = (null)
outputs.5.dns-log.enabled = no
outputs.5.dns-log.filename = dns.log
outputs.5.dns-log.append = yes
outputs.6 = pcap-info
outputs.6.pcap-info = (null)
outputs.6.pcap-info.enabled = no
outputs.7 = pcap-log
outputs.7.pcap-log = (null)
outputs.7.pcap-log.enabled = no
outputs.7.pcap-log.filename = log.pcap
outputs.7.pcap-log.limit = 1000mb
outputs.7.pcap-log.max-files = 2000
outputs.7.pcap-log.mode = normal
outputs.7.pcap-log.use-stream-depth = no
outputs.8 = alert-debug
outputs.8.alert-debug = (null)
outputs.8.alert-debug.enabled = no
outputs.8.alert-debug.filename = alert-debug.log
outputs.8.alert-debug.append = yes
outputs.9 = alert-prelude
outputs.9.alert-prelude = (null)
outputs.9.alert-prelude.enabled = no
outputs.9.alert-prelude.profile = suricata
outputs.9.alert-prelude.log-packet-content = no
outputs.9.alert-prelude.log-packet-header = yes
outputs.10 = stats
outputs.10.stats = (null)
outputs.10.stats.enabled = yes
outputs.10.stats.filename = stats.log
outputs.10.stats.interval = 8
outputs.11 = syslog
outputs.11.syslog = (null)
outputs.11.syslog.enabled = yes
outputs.11.syslog.identity = snort
outputs.11.syslog.facility = local5
outputs.12 = drop
outputs.12.drop = (null)
outputs.12.drop.enabled = no
outputs.12.drop.filename = drop.log
outputs.12.drop.append = yes
outputs.13 = file-store
outputs.13.file-store = (null)
outputs.13.file-store.enabled = no
outputs.13.file-store.log-dir = files
outputs.13.file-store.force-magic = no
outputs.13.file-store.force-md5 = no
outputs.14 = file-log
outputs.14.file-log = (null)
outputs.14.file-log.enabled = no
outputs.14.file-log.filename = files-json.log
outputs.14.file-log.append = yes
outputs.14.file-log.force-magic = no
outputs.14.file-log.force-md5 = no
magic-file = /usr/share/file/magic
nfq = 
nflog = (null)
nflog.0 = group
nflog.0.group = 2
nflog.0.buffer-size = 18432
nflog.1 = group
nflog.1.group = default
nflog.1.qthreshold = 1
nflog.1.qtimeout = 100
nflog.1.max-size = 20000
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = eth0
af-packet.0.threads = 1
af-packet.0.cluster-id = 99
af-packet.0.cluster-type = cluster_flow
af-packet.0.defrag = yes
af-packet.0.use-mmap = yes
af-packet.1 = interface
af-packet.1.interface = eth1
af-packet.1.threads = 1
af-packet.1.cluster-id = 98
af-packet.1.cluster-type = cluster_flow
af-packet.1.defrag = yes
af-packet.2 = interface
af-packet.2.interface = default
legacy = (null)
legacy.uricontent = enabled
detect-engine = (null)
detect-engine.0 = profile
detect-engine.0.profile = medium
detect-engine.1 = custom-values
detect-engine.1.custom-values = (null)
detect-engine.1.custom-values.toclient-src-groups = 2
detect-engine.1.custom-values.toclient-dst-groups = 2
detect-engine.1.custom-values.toclient-sp-groups = 2
detect-engine.1.custom-values.toclient-dp-groups = 3
detect-engine.1.custom-values.toserver-src-groups = 2
detect-engine.1.custom-values.toserver-dst-groups = 4
detect-engine.1.custom-values.toserver-sp-groups = 2
detect-engine.1.custom-values.toserver-dp-groups = 25
detect-engine.2 = sgh-mpm-context
detect-engine.2.sgh-mpm-context = auto
detect-engine.3 = inspection-recursion-limit
detect-engine.3.inspection-recursion-limit = 3000
threading = (null)
threading.set-cpu-affinity = no
threading.cpu-affinity = (null)
threading.cpu-affinity.0 = management-cpu-set
threading.cpu-affinity.0.management-cpu-set = (null)
threading.cpu-affinity.0.management-cpu-set.cpu = (null)
threading.cpu-affinity.0.management-cpu-set.cpu.0 = 0
threading.cpu-affinity.1 = receive-cpu-set
threading.cpu-affinity.1.receive-cpu-set = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu.0 = 0
threading.cpu-affinity.2 = decode-cpu-set
threading.cpu-affinity.2.decode-cpu-set = (null)
threading.cpu-affinity.2.decode-cpu-set.cpu = (null)
threading.cpu-affinity.2.decode-cpu-set.cpu.0 = 0
threading.cpu-affinity.2.decode-cpu-set.cpu.1 = 1
threading.cpu-affinity.2.decode-cpu-set.mode = balanced
threading.cpu-affinity.3 = stream-cpu-set
threading.cpu-affinity.3.stream-cpu-set = (null)
threading.cpu-affinity.3.stream-cpu-set.cpu = (null)
threading.cpu-affinity.3.stream-cpu-set.cpu.0 = 0-1
threading.cpu-affinity.4 = detect-cpu-set
threading.cpu-affinity.4.detect-cpu-set = (null)
threading.cpu-affinity.4.detect-cpu-set.cpu = (null)
threading.cpu-affinity.4.detect-cpu-set.cpu.0 = all
threading.cpu-affinity.4.detect-cpu-set.mode = exclusive
threading.cpu-affinity.4.detect-cpu-set.prio = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.low = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.low.0 = 0
threading.cpu-affinity.4.detect-cpu-set.prio.medium = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.medium.0 = 1-2
threading.cpu-affinity.4.detect-cpu-set.prio.high = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.high.0 = 3
threading.cpu-affinity.4.detect-cpu-set.prio.default = medium
threading.cpu-affinity.5 = verdict-cpu-set
threading.cpu-affinity.5.verdict-cpu-set = (null)
threading.cpu-affinity.5.verdict-cpu-set.cpu = (null)
threading.cpu-affinity.5.verdict-cpu-set.cpu.0 = 0
threading.cpu-affinity.5.verdict-cpu-set.prio = (null)
threading.cpu-affinity.5.verdict-cpu-set.prio.default = high
threading.cpu-affinity.6 = reject-cpu-set
threading.cpu-affinity.6.reject-cpu-set = (null)
threading.cpu-affinity.6.reject-cpu-set.cpu = (null)
threading.cpu-affinity.6.reject-cpu-set.cpu.0 = 0
threading.cpu-affinity.6.reject-cpu-set.prio = (null)
threading.cpu-affinity.6.reject-cpu-set.prio.default = low
threading.cpu-affinity.7 = output-cpu-set
threading.cpu-affinity.7.output-cpu-set = (null)
threading.cpu-affinity.7.output-cpu-set.cpu = (null)
threading.cpu-affinity.7.output-cpu-set.cpu.0 = all
threading.cpu-affinity.7.output-cpu-set.prio = (null)
threading.cpu-affinity.7.output-cpu-set.prio.default = medium
threading.detect-thread-ratio = 1.5
cuda = (null)
cuda.mpm = (null)
cuda.mpm.data-buffer-size-min-limit = 0
cuda.mpm.data-buffer-size-max-limit = 1500
cuda.mpm.cudabuffer-buffer-size = 500mb
cuda.mpm.gpu-transfer-size = 50mb
cuda.mpm.batching-timeout = 2000
cuda.mpm.device-id = 0
cuda.mpm.cuda-streams = 2
mpm-algo = ac
pattern-matcher = (null)
pattern-matcher.0 = b2gc
pattern-matcher.0.b2gc = (null)
pattern-matcher.0.b2gc.search-algo = B2gSearchBNDMq
pattern-matcher.0.b2gc.hash-size = low
pattern-matcher.0.b2gc.bf-size = medium
pattern-matcher.1 = b2gm
pattern-matcher.1.b2gm = (null)
pattern-matcher.1.b2gm.search-algo = B2gSearchBNDMq
pattern-matcher.1.b2gm.hash-size = low
pattern-matcher.1.b2gm.bf-size = medium
pattern-matcher.2 = b2g
pattern-matcher.2.b2g = (null)
pattern-matcher.2.b2g.search-algo = B2gSearchBNDMq
pattern-matcher.2.b2g.hash-size = low
pattern-matcher.2.b2g.bf-size = medium
pattern-matcher.3 = b3g
pattern-matcher.3.b3g = (null)
pattern-matcher.3.b3g.search-algo = B3gSearchBNDMq
pattern-matcher.3.b3g.hash-size = low
pattern-matcher.3.b3g.bf-size = medium
pattern-matcher.4 = wumanber
pattern-matcher.4.wumanber = (null)
pattern-matcher.4.wumanber.hash-size = low
pattern-matcher.4.wumanber.bf-size = medium
defrag = (null)
defrag.memcap = 1gb
defrag.hash-size = 65536
defrag.trackers = 65535
defrag.max-frags = 65535
defrag.prealloc = yes
defrag.timeout = 60
flow = (null)
flow.memcap = 1gb
flow.hash-size = 262144
flow.prealloc = 50000
flow.emergency-recovery = 30
vlan = (null)
vlan.use-for-tracking = true
flow-timeouts = (null)
flow-timeouts.default = (null)
flow-timeouts.default.new = 30
flow-timeouts.default.established = 300
flow-timeouts.default.closed = 0
flow-timeouts.default.emergency-new = 10
flow-timeouts.default.emergency-established = 100
flow-timeouts.default.emergency-closed = 0
flow-timeouts.tcp = (null)
flow-timeouts.tcp.new = 60
flow-timeouts.tcp.established = 30
flow-timeouts.tcp.closed = 120
flow-timeouts.tcp.emergency-new = 10
flow-timeouts.tcp.emergency-established = 300
flow-timeouts.tcp.emergency-closed = 20
flow-timeouts.udp = (null)
flow-timeouts.udp.new = 30
flow-timeouts.udp.established = 300
flow-timeouts.udp.emergency-new = 10
flow-timeouts.udp.emergency-established = 100
flow-timeouts.icmp = (null)
flow-timeouts.icmp.new = 30
flow-timeouts.icmp.established = 300
flow-timeouts.icmp.emergency-new = 10
flow-timeouts.icmp.emergency-established = 100
stream = (null)
stream.memcap = 4gb
stream.max-sessions = 20000000
stream.prealloc-sessions = 10000000
stream.checksum-validation = no
stream.inline = no
stream.reassembly = (null)
stream.reassembly.memcap = 4gb
stream.reassembly.depth = 12mb
stream.reassembly.toserver-chunk-size = 2560
stream.reassembly.toclient-chunk-size = 2560
stream.reassembly.randomize-chunk-size = yes
host = (null)
host.hash-size = 4096
host.prealloc = 1000
host.memcap = 16777216
logging = (null)
logging.default-log-level = info
logging.default-output-filter = 
logging.outputs = (null)
logging.outputs.0 = console
logging.outputs.0.console = (null)
logging.outputs.0.console.enabled = yes
logging.outputs.1 = file
logging.outputs.1.file = (null)
logging.outputs.1.file.enabled = yes
logging.outputs.1.file.filename = /nsm/suricata/log/suricata.log
logging.outputs.2 = syslog
logging.outputs.2.syslog = (null)
logging.outputs.2.syslog.enabled = yes
logging.outputs.2.syslog.facility = local5
logging.outputs.2.syslog.format = [%i] <%d> -- 
mpipe = (null)
mpipe.load-balance = dynamic
mpipe.iqueue-packets = 2048
mpipe.inputs = (null)
mpipe.inputs.0 = interface
mpipe.inputs.0.interface = xgbe2
mpipe.inputs.1 = interface
mpipe.inputs.1.interface = xgbe3
mpipe.inputs.2 = interface
mpipe.inputs.2.interface = xgbe4
mpipe.stack = (null)
mpipe.stack.size128 = 0
mpipe.stack.size256 = 9
mpipe.stack.size512 = 0
mpipe.stack.size1024 = 0
mpipe.stack.size1664 = 7
mpipe.stack.size4096 = 0
mpipe.stack.size10386 = 0
mpipe.stack.size16384 = 0
pfring = (null)
pfring.0 = interface
pfring.0.interface = dna0@0
pfring.0.threads = 1
pfring.1 = interface
pfring.1.interface = dna0@1
pfring.1.threads = 1
pfring.2 = interface
pfring.2.interface = dna0@2
pfring.2.threads = 1
pfring.3 = interface
pfring.3.interface = dna0@3
pfring.3.threads = 1
pfring.4 = interface
pfring.4.interface = dna0@4
pfring.4.threads = 1
pfring.5 = interface
pfring.5.interface = dna0@5
pfring.5.threads = 1
pfring.6 = interface
pfring.6.interface = dna0@6
pfring.6.threads = 1
pfring.7 = interface
pfring.7.interface = dna1@0
pfring.7.threads = 1
pfring.8 = interface
pfring.8.interface = dna1@1
pfring.8.threads = 1
pfring.9 = interface
pfring.9.interface = dna1@2
pfring.9.threads = 1
pfring.10 = interface
pfring.10.interface = dna1@3
pfring.10.threads = 1
pfring.11 = interface
pfring.11.interface = dna1@4
pfring.11.threads = 1
pfring.12 = interface
pfring.12.interface = dna1@5
pfring.12.threads = 1
pfring.13 = interface
pfring.13.interface = dna1@6
pfring.13.threads = 1
pfring.14 = interface
pfring.14.interface = dna2@0
pfring.14.threads = 1
pfring.15 = interface
pfring.15.interface = dna2@1
pfring.15.threads = 1
pfring.16 = interface
pfring.16.interface = dna2@2
pfring.16.threads = 1
pfring.17 = interface
pfring.17.interface = dna2@3
pfring.17.threads = 1
pfring.18 = interface
pfring.18.interface = dna2@4
pfring.18.threads = 1
pfring.19 = interface
pfring.19.interface = dna2@5
pfring.19.threads = 1
pfring.20 = interface
pfring.20.interface = dna2@6
pfring.20.threads = 1
pfring.21 = interface
pfring.21.interface = dna3@0
pfring.21.threads = 1
pfring.22 = interface
pfring.22.interface = dna3@1
pfring.22.threads = 1
pfring.23 = interface
pfring.23.interface = dna3@2
pfring.23.threads = 1
pfring.24 = interface
pfring.24.interface = dna3@3
pfring.24.threads = 1
pfring.25 = interface
pfring.25.interface = dna3@4
pfring.25.threads = 1
pfring.26 = interface
pfring.26.interface = dna3@5
pfring.26.threads = 1
pfring.27 = interface
pfring.27.interface = dna3@6
pfring.27.threads = 1
pcap = (null)
pcap.0 = interface
pcap.0.interface = eth0
pcap.1 = interface
pcap.1.interface = default
pcap-file = (null)
pcap-file.checksum-checks = auto
ipfw = 
default-rule-path = /nsm/suricata/etc/rules
rule-files = (null)
rule-files.0 = attack_response.rules
rule-files.1 = current_events.rules
rule-files.2 = files.rules
rule-files.3 = policy.rules
rule-files.4 = rbn-malvertisers.rules
rule-files.5 = rbn.rules
rule-files.6 = web_server.rules
rule-files.7 = web_specific_apps.rules
rule-files.8 = web_client.rules
rule-files.9 = botcc.rules
rule-files.10 = compromised.rules
rule-files.11 = dshield.rules
rule-files.12 = user_agents.rules
rule-files.13 = exploit.rules
rule-files.14 = http-events.rules
rule-files.15 = malware.rules
rule-files.16 = mobile_malware.rules
rule-files.17 = local.rules
rule-files.18 = trojan.rules
rule-files.19 = sql.rules
rule-files.20 = web_specific_apps.rules
rule-files.21 = dos.rules
classification-file = /nsm/suricata/etc/rules/classification.config
reference-config-file = /nsm/suricata/etc/rules/reference.config
vars = (null)
vars.address-groups = (null)
vars.address-groups.HOME_NET = [Redacted]
vars.address-groups.EXTERNAL_NET = !$HOME_NET
vars.address-groups.HTTP_SERVERS = $HOME_NET
vars.address-groups.SMTP_SERVERS = $HOME_NET
vars.address-groups.SQL_SERVERS = $HOME_NET
vars.address-groups.DNS_SERVERS = $HOME_NET
vars.address-groups.TELNET_SERVERS = $HOME_NET
vars.address-groups.AIM_SERVERS = $EXTERNAL_NET
vars.address-groups.DNP3_SERVER = $HOME_NET
vars.address-groups.DNP3_CLIENT = $HOME_NET
vars.address-groups.MODBUS_CLIENT = $HOME_NET
vars.address-groups.MODBUS_SERVER = $HOME_NET
vars.address-groups.ENIP_CLIENT = $HOME_NET
vars.address-groups.ENIP_SERVER = $HOME_NET
vars.port-groups = (null)
vars.port-groups.HTTP_PORTS = 80
vars.port-groups.SHELLCODE_PORTS = !80
vars.port-groups.ORACLE_PORTS = 1521
vars.port-groups.SSH_PORTS = 22
vars.port-groups.DNP3_PORTS = 20000
action-order = (null)
action-order.0 = pass
action-order.1 = drop
action-order.2 = reject
action-order.3 = alert
host-os-policy = (null)
host-os-policy.windows = (null)
host-os-policy.windows.0 = 0.0.0.0/0
host-os-policy.bsd = (null)
host-os-policy.bsd-right = (null)
host-os-policy.old-linux = (null)
host-os-policy.linux = (null)
host-os-policy.linux.0 = 10.0.0.0/8
host-os-policy.linux.1 = 192.168.1.100
host-os-policy.linux.2 = 8762:2352:6241:7245:E000:0000:0000:0000
host-os-policy.old-solaris = (null)
host-os-policy.solaris = (null)
host-os-policy.solaris.0 = ::1
host-os-policy.hpux10 = (null)
host-os-policy.hpux11 = (null)
host-os-policy.irix = (null)
host-os-policy.macos = (null)
host-os-policy.vista = (null)
host-os-policy.windows2k3 = (null)
asn1-max-frames = 256
engine-analysis = (null)
engine-analysis.rules-fast-pattern = yes
engine-analysis.rules = yes
pcre = (null)
pcre.match-limit = 3500
pcre.match-limit-recursion = 1500
app-layer = (null)
app-layer.protocols = (null)
app-layer.protocols.tls = (null)
app-layer.protocols.tls.enabled = yes
app-layer.protocols.tls.detection-ports = (null)
app-layer.protocols.tls.detection-ports.dp = 443
app-layer.protocols.dcerpc = (null)
app-layer.protocols.dcerpc.enabled = yes
app-layer.protocols.ftp = (null)
app-layer.protocols.ftp.enabled = yes
app-layer.protocols.ssh = (null)
app-layer.protocols.ssh.enabled = yes
app-layer.protocols.smtp = (null)
app-layer.protocols.smtp.enabled = yes
app-layer.protocols.imap = (null)
app-layer.protocols.imap.enabled = detection-only
app-layer.protocols.msn = (null)
app-layer.protocols.msn.enabled = detection-only
app-layer.protocols.smb = (null)
app-layer.protocols.smb.enabled = yes
app-layer.protocols.smb.detection-ports = (null)
app-layer.protocols.smb.detection-ports.dp = 139
app-layer.protocols.dns = (null)
app-layer.protocols.dns.tcp = (null)
app-layer.protocols.dns.tcp.enabled = yes
app-layer.protocols.dns.tcp.detection-ports = (null)
app-layer.protocols.dns.tcp.detection-ports.dp = 53
app-layer.protocols.dns.udp = (null)
app-layer.protocols.dns.udp.enabled = yes
app-layer.protocols.dns.udp.detection-ports = (null)
app-layer.protocols.dns.udp.detection-ports.dp = 53
app-layer.protocols.http = (null)
app-layer.protocols.http.enabled = yes
app-layer.protocols.http.libhtp = (null)
app-layer.protocols.http.libhtp.default-config = (null)
app-layer.protocols.http.libhtp.default-config.personality = IDS
app-layer.protocols.http.libhtp.default-config.request-body-limit = 3072
app-layer.protocols.http.libhtp.default-config.response-body-limit = 3072
app-layer.protocols.http.libhtp.default-config.request-body-minimal-inspect-size = 32kb
app-layer.protocols.http.libhtp.default-config.request-body-inspect-window = 4kb
app-layer.protocols.http.libhtp.default-config.response-body-minimal-inspect-size = 32kb
app-layer.protocols.http.libhtp.default-config.response-body-inspect-window = 4kb
app-layer.protocols.http.libhtp.default-config.double-decode-path = no
app-layer.protocols.http.libhtp.default-config.double-decode-query = no
app-layer.protocols.http.libhtp.server-config = 
profiling = (null)
profiling.rules = (null)
profiling.rules.enabled = yes
profiling.rules.filename = rule_perf.log
profiling.rules.append = yes
profiling.rules.sort = avgticks
profiling.rules.limit = 100
profiling.keywords = (null)
profiling.keywords.enabled = yes
profiling.keywords.filename = keyword_perf.log
profiling.keywords.append = yes
profiling.packets = (null)
profiling.packets.enabled = yes
profiling.packets.filename = packet_stats.log
profiling.packets.append = yes
profiling.packets.csv = (null)
profiling.packets.csv.enabled = no
profiling.packets.csv.filename = packet_stats.csv
profiling.locks = (null)
profiling.locks.enabled = no
profiling.locks.filename = lock_stats.log
profiling.locks.append = yes
coredump = (null)
coredump.max-dump = unlimited
napatech = (null)
napatech.hba = -1
napatech.use-all-streams = yes
napatech.streams = (null)
napatech.streams.0 = 1
napatech.streams.1 = 2
napatech.streams.2 = 3


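The symptom described in the post (loss in stats.log climbing over time) is easiest to confirm from the per-interval drop rate rather than the cumulative counters Suricata 2.0 writes. The following script is an added example, not code from the post or from the Suricata project; it assumes the 2.0-series stats.log layout (a "Date: ... (uptime: ...)" header per interval, "counter | thread | value" rows, cumulative values) and the capture.kernel_packets / capture.kernel_drops counter names, and runs on a constructed three-interval sample in place of a real sensor's file.

```python
"""Derive per-interval packet loss from a Suricata 2.0-style stats.log.

Added example. Assumptions: one 'Date: ... (uptime: ...)' header per
interval, rows of 'counter | thread | value', and counters that are
cumulative totals, so the per-interval figure is the delta between
consecutive snapshots. The sample below is constructed, not real data.
"""
import re
from collections import defaultdict

# Constructed sample: two PF_RING worker threads, three 8-second intervals.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 5/2/2015 -- 23:20:00 (uptime: 0d, 00h 00m 08s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPFRdna0@01              | 800000
capture.kernel_drops      | RxPFRdna0@01              | 2000
capture.kernel_packets    | RxPFRdna0@12              | 800000
capture.kernel_drops      | RxPFRdna0@12              | 2000
-------------------------------------------------------------------
Date: 5/2/2015 -- 23:20:08 (uptime: 0d, 00h 00m 16s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPFRdna0@01              | 1600000
capture.kernel_drops      | RxPFRdna0@01              | 10000
capture.kernel_packets    | RxPFRdna0@12              | 1600000
capture.kernel_drops      | RxPFRdna0@12              | 10000
-------------------------------------------------------------------
Date: 5/2/2015 -- 23:20:16 (uptime: 0d, 00h 00m 24s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPFRdna0@01              | 2400000
capture.kernel_drops      | RxPFRdna0@01              | 410000
capture.kernel_packets    | RxPFRdna0@12              | 2400000
capture.kernel_drops      | RxPFRdna0@12              | 410000
"""

HEADER_RE = re.compile(r"^Date: .* \(uptime: (?P<uptime>[^)]*)\)")
ROW_RE = re.compile(r"^(?P<counter>\S+)\s*\|\s*(?P<thread>\S+)\s*\|\s*(?P<value>\d+)\s*$")


def parse_intervals(text):
    """Return [(uptime, {counter: value summed over all threads}), ...]."""
    intervals = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            intervals.append((m.group("uptime"), defaultdict(int)))
            continue
        m = ROW_RE.match(line)
        if m and intervals:  # ignore rows before the first header
            intervals[-1][1][m.group("counter")] += int(m.group("value"))
    return intervals


def loss_per_interval(text, packets="capture.kernel_packets",
                      drops="capture.kernel_drops"):
    """Per-interval (uptime, packets, drops, loss_pct) from cumulative counters."""
    rows, prev_p, prev_d = [], 0, 0
    for uptime, c in parse_intervals(text):
        dp, dd = c[packets] - prev_p, c[drops] - prev_d
        prev_p, prev_d = c[packets], c[drops]
        pct = 100.0 * dd / dp if dp > 0 else 0.0
        rows.append((uptime, dp, dd, round(pct, 2)))
    return rows


def loss_is_climbing(rows, threshold_pct=5.0):
    """True when loss in the last interval exceeds the first by more than threshold."""
    return len(rows) >= 2 and rows[-1][3] - rows[0][3] > threshold_pct


if __name__ == "__main__":
    for uptime, dp, dd, pct in loss_per_interval(SAMPLE_STATS_LOG):
        print(f"{uptime}: {dd}/{dp} dropped ({pct}%)")
```

Point it at a real stats.log (read the file into `loss_per_interval`) and a rising column, as in the constructed sample, matches the post's "loss increases substantially over time"; a flat column points at the output side instead.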