[Oisf-users] Questions on suricata configuration

unite unite at openmailbox.org
Tue Jan 20 15:05:19 UTC 2015 

On 2015-01-20 16:30, Andreas Herz wrote:
> On 20/01/15 at 16:22, unite wrote:
>> b) If my iptables rules are like this and the rule is set to "alert":
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source
>> destination
>>     1     84 NFQUEUE    all  --  *      *       172.25.25.0/24
>> 0.0.0.0/0            NFQUEUE num 0
>>     1     84 DROP       icmp --  *      *       0.0.0.0/0
>> 0.0.0.0/0
>> The alert is generated (in fast.log, drop.log is empty)and packet is 
>> being
>> dropped. I'm pretty sure that it is the same packet - counters for
>> packets/bytes increment simultaneously and on same values, and also my
>> testing host is the only one in the testing network - no one can 
>> generate it
>> except me.
> 
> That's strange, how do you start suricata in inline mode exactly?
> (arguments)
> I will check on my setup if i can reproduce it.
> 

I start it in the way:

sudo suricata -c /etc/suricata/suricata.yaml -q 0 -D

>> My config at the moment is not far away from default - so here is the 
>> diff
>> between them:
>> sudo diff suricata-2.0.5/suricata.yaml /etc/suricata/suricata.yaml
> 
> I would encourage you to update to 2.0.6, there is a relevant bugfix.
> 
> I guess (to lazy to check) the enabled lines are the ones for logging?!

Yes, enabled yes/no lines are used for logging.

> 
> I'm not sure how the profile option changes the behaviour but the rest
> looks fine.

As I've read in the guide, it should increase performance in cost of 
increased memory usage.

> 
>> Thanks. If so (I mean the bug) will it be OK to just restart suricata 
>> by
>> killing it's PID by kill $pid-of-suricata and then start it again? Or 
>> it
>> might cause some bad consequences?
> 
> This is fine and is one thing i do, but with that you should consider
> checkinf if the -S TERM worked. I have some issue with that and i'm
> sending -9 after some seconds if suricata got stucked, to prevent
> massive drop:
> 
> https://redmine.openinfosecfoundation.org/issues/1360
> 
> But not sure if i'm the only one with that issue.

-- 
With kind regards,
Alex

More information about the Oisf-users mailing list