[Oisf-users] Questions on suricata configuration
unite
unite at openmailbox.org
Tue Jan 20 15:05:19 UTC 2015
On 2015-01-20 16:30, Andreas Herz wrote:
> On 20/01/15 at 16:22, unite wrote:
>> b) If my iptables rules are like this and the rule is set to "alert":
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     1    84 NFQUEUE    all  --  *      *       172.25.25.0/24       0.0.0.0/0            NFQUEUE num 0
>>     1    84 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
>> The alert is generated (in fast.log; drop.log is empty) and the packet is
>> being dropped. I'm pretty sure that it is the same packet - the counters for
>> packets/bytes increment simultaneously and by the same values, and also my
>> testing host is the only one in the testing network - no one can
>> generate it except me.
>
> That's strange; how exactly do you start suricata in inline mode
> (arguments)?
> I will check on my setup whether I can reproduce it.
>
I start it this way:
sudo suricata -c /etc/suricata/suricata.yaml -q 0 -D
>> My config at the moment is not far from the default, so here is the diff
>> between them:
>> sudo diff suricata-2.0.5/suricata.yaml /etc/suricata/suricata.yaml
>
> I would encourage you to update to 2.0.6, there is a relevant bugfix.
>
> I guess (too lazy to check) the enabled lines are the ones for logging?!
Yes, enabled yes/no lines are used for logging.
>
> I'm not sure how the profile option changes the behaviour, but the rest
> looks fine.
As I've read in the guide, it should increase performance at the cost of
increased memory usage.
>
>> Thanks. If so (I mean the bug), will it be OK to just restart suricata by
>> killing its PID with kill $pid-of-suricata and then starting it again? Or
>> might it cause some bad consequences?
>
> This is fine and is one thing I do, but with that you should consider
> checking whether the -S TERM worked. I have some issues with that and I'm
> sending -9 after some seconds if suricata gets stuck, to prevent
> massive drops:
>
> https://redmine.openinfosecfoundation.org/issues/1360
>
> But I'm not sure if I'm the only one with that issue.
--
With kind regards,
Alex
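The stop-and-restart procedure discussed above (send SIGTERM, wait a few seconds, fall back to SIGKILL if Suricata is stuck), written out as an added example that is not part of the original thread and is not Suricata's own code. It assumes the default pidfile path /var/run/suricata.pid that Suricata writes when daemonised with -D; the helper names, the timeouts and the two throw-away child processes in demo() (one that honours SIGTERM, one that ignores it to stand in for a stuck daemon) are this example's own constructions. The liveness check deliberately does not rely on kill -0 alone, because a zombie still answers that signal and would look stuck.

```python
import os
import signal
import subprocess
import sys
import time


def process_state(pid):
    """Return 'gone' if PID has exited, else 'running'.

    A plain os.kill(pid, 0) reports a zombie as alive, so first try to reap
    the PID in case it is our own child, then read its /proc state on Linux,
    and only then fall back to the null signal (which cannot tell a zombie
    from a live process).
    """
    try:
        if os.waitpid(pid, os.WNOHANG)[0] == pid:
            return "gone"            # it was our child and we just reaped it
    except ChildProcessError:
        pass                         # not our child; fall through
    try:
        with open(f"/proc/{pid}/stat") as f:
            # field 2 (comm) may contain spaces or ')', so split on the last ')'
            state = f.read().rsplit(")", 1)[1].split()[0]
        return "gone" if state in ("Z", "X") else "running"
    except FileNotFoundError:
        if os.path.isdir("/proc"):
            return "gone"            # /proc is there, the PID is not
    except OSError:
        pass                         # no /proc; use the null signal instead
    try:
        os.kill(pid, 0)
        return "running"
    except ProcessLookupError:
        return "gone"
    except PermissionError:
        return "running"             # exists, but owned by someone else


def graceful_stop(pid, term_timeout=10.0, poll_interval=0.2):
    """Ask PID to exit with SIGTERM; escalate to SIGKILL after term_timeout.

    Returns 'absent' (no such process), 'terminated' (exited on SIGTERM) or
    'killed' (had to be SIGKILLed, so any in-flight flow state was lost).
    """
    if process_state(pid) == "gone":
        return "absent"
    try:
        os.kill(pid, signal.SIGTERM)
    except ProcessLookupError:
        return "absent"
    deadline = time.monotonic() + term_timeout
    while time.monotonic() < deadline:
        if process_state(pid) == "gone":
            return "terminated"
        time.sleep(poll_interval)
    try:
        os.kill(pid, signal.SIGKILL)
    except ProcessLookupError:
        return "terminated"          # exited between the last poll and the kill
    # Bounded wait for the kernel to tear it down, so a restart cannot race it.
    deadline = time.monotonic() + 5.0
    while time.monotonic() < deadline and process_state(pid) != "gone":
        time.sleep(poll_interval)
    return "killed"


def read_pidfile(path="/var/run/suricata.pid"):
    """Return the PID stored in Suricata's pidfile, or None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def demo():
    """Run graceful_stop against two constructed children: one that exits on
    SIGTERM and one that ignores it (standing in for a stuck Suricata)."""
    results = {}
    cooperative = subprocess.Popen(["sleep", "60"])
    results["cooperative"] = graceful_stop(cooperative.pid, term_timeout=5)
    cooperative.wait()
    # The child prints "ready" only after SIGTERM is ignored, so the stop
    # cannot race the trap; exec keeps it a single process.
    stuck = subprocess.Popen(
        ["sh", "-c", 'trap "" TERM; echo ready; exec sleep 60'],
        stdout=subprocess.PIPE,
    )
    stuck.stdout.readline()
    results["stuck"] = graceful_stop(stuck.pid, term_timeout=1.5)
    stuck.stdout.close()
    stuck.wait()
    results["after"] = graceful_stop(stuck.pid)
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "demo":
        print(demo())
    else:
        target = int(sys.argv[1]) if len(sys.argv) > 1 else read_pidfile()
        if target is None:
            sys.exit("no PID given and no readable pidfile")
        print(graceful_stop(target))
```

Run it as `python3 stop.py` to stop the PID from the pidfile, `python3 stop.py <pid>` for an explicit PID, or `python3 stop.py demo` to watch the two cases. A result of "killed" is the one to log and look into, since it means the process did not shut down cleanly within the timeout.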