[Oisf-users] suricata stops working
Pedro Neves
pmneves at gmail.com
Tue Jul 21 14:59:31 UTC 2015
>> Do you by any chance hit the swap ?
Swap = 0 used
root at ronin01:~# top
top - 07:52:12 up 1:36, 3 users, load average: 0.68, 0.21, 0.12
Tasks: 105 total, 2 running, 103 sleeping, 0 stopped, 0 zombie
%Cpu(s): 1.2 us, 0.4 sy, 0.0 ni, 98.3 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem: 2049752 total, 1193056 used, 856696 free, 78868 buffers
KiB Swap: 1044476 total, 0 used, 1044476 free. 513156 cached Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
17646 root 20 0 736904 395912 8756 S 17.6 19.3 0:20.66 Suricata-Main
918 root 20 0 40352 31372 4548 S 1.0 1.5 0:19.15 ourmon
1047 mysql 20 0 558380 54252 10460 S 0.7 2.6 0:04.00 mysqld
1580 pedro 20 0 105640 4656 3664 S 0.3 0.2 0:00.96 sshd
1845 root 20 0 278640 17124 11668 S 0.3 0.8 0:05.14 smbd
17884 root 20 0 24960 3012 2516 R 0.3 0.1 0:00.01 top
1 root 20 0 33532 4004 2632 S 0.0 0.2 0:00.98 init
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0.0 0.0 0:03.01 ksoftirqd/0
>> This looks strange - for 5hrs your stats seem very low..... How much traffic are you inspecting ?
There is a lot of traffic going through.
But it is not captured by Suricata.
I am attaching statslog2.txt where you can see the number of packets
captured increasing.
It does that in the beginning, and then it stops capturing (sometimes
it is almost immediately, other times it takes a few seconds until it stops
capturing).
Pedro
On 21-07-2015 3:37 PM, Peter Manev wrote:
>
>> On 21 jul 2015, at 15:53, Pedro Neves <pmneves at gmail.com> wrote:
>>
>> Hi,
>>
>> I am new to Suricata.
>> My server info:
>> VM Guest (using VirtualBox 5.0) with 1Gb Ram
>> Ubuntu server 14.04
>> Suricata (2.0.8)
>>
>> It worked fine until yesterday.
>> Now it stopped working a few seconds after I run it.
>> By "stop working" I mean:
>> - stops logging to fast.log
>> - on the stats.log I can see that almost every variable freezes (it is the same over time)
>> decoder.pkts
>> decoder.bytes
>> ...
>>
>> This happens with pcap live mode and pf_ring (installed to check if it would solve the problem)
>> LD_LIBRARY_PATH=/usr/local/lib /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -i eth0 -v --init-errors-fatal # default mode
>>
>> LD_LIBRARY_PATH=/usr/local/pfring/lib /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow --runmode=autofp -v --init-errors-fatal # pf_ring
>>
>>
>> When I kill the suricata process I get:
>> 19/7/2015 -- 07:36:07 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "RxPcapeth01". Killing engine
>>
>> I get "RxPFR1" or "RxPcapeth01" depending on whether I am running in pf_ring mode or not.
>>
>> When Suricata stops working, I can see traffic on the card using tcpdump "tcpdump -nni eth0 icmp".
>>
>>
>> I would appreciate any help.
>> Thanks,
>>
>
> Do you by any chance hit the swap ?
>
> This looks strange - for 5hrs your stats seem very low..... How much traffic are you inspecting ?
>
>
>
>> Pedro
>> <statslog.txt>
>> <suricata_build-info_config.txt>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
-------------- next part --------------
-------------------------------------------------------------------
Date: 7/20/2015 -- 02:10:15 (uptime: 0d, 00h 00m 17s)
-------------------------------------------------------------------
Counter | TM Name | Value
-------------------------------------------------------------------
capture.kernel_packets | RxPFR1 | 442
capture.kernel_drops | RxPFR1 | 0
dns.memuse | RxPFR1 | 247
dns.memcap_state | RxPFR1 | 0
dns.memcap_global | RxPFR1 | 0
decoder.pkts | RxPFR1 | 442
decoder.bytes | RxPFR1 | 232390
decoder.invalid | RxPFR1 | 0
decoder.ipv4 | RxPFR1 | 437
decoder.ipv6 | RxPFR1 | 0
decoder.ethernet | RxPFR1 | 442
decoder.raw | RxPFR1 | 0
decoder.sll | RxPFR1 | 0
decoder.tcp | RxPFR1 | 406
decoder.udp | RxPFR1 | 12
decoder.sctp | RxPFR1 | 0
decoder.icmpv4 | RxPFR1 | 15
decoder.icmpv6 | RxPFR1 | 0
decoder.ppp | RxPFR1 | 0
decoder.pppoe | RxPFR1 | 0
decoder.gre | RxPFR1 | 0
decoder.vlan | RxPFR1 | 0
decoder.vlan_qinq | RxPFR1 | 0
decoder.teredo | RxPFR1 | 0
decoder.ipv4_in_ipv6 | RxPFR1 | 0
decoder.ipv6_in_ipv6 | RxPFR1 | 0
decoder.avg_pkt_size | RxPFR1 | 525
decoder.max_pkt_size | RxPFR1 | 1514
defrag.ipv4.fragments | RxPFR1 | 0
defrag.ipv4.reassembled | RxPFR1 | 0
defrag.ipv4.timeouts | RxPFR1 | 0
defrag.ipv6.fragments | RxPFR1 | 0
defrag.ipv6.reassembled | RxPFR1 | 0
defrag.ipv6.timeouts | RxPFR1 | 0
defrag.max_frag_hits | RxPFR1 | 0
tcp.sessions | Detect | 0
tcp.ssn_memcap_drop | Detect | 0
tcp.pseudo | Detect | 0
tcp.invalid_checksum | Detect | 0
tcp.no_flow | Detect | 0
tcp.reused_ssn | Detect | 0
tcp.memuse | Detect | 393216
tcp.syn | Detect | 0
tcp.synack | Detect | 0
tcp.rst | Detect | 0
dns.memuse | Detect | 0
dns.memcap_state | Detect | 0
dns.memcap_global | Detect | 0
tcp.segment_memcap_drop | Detect | 0
tcp.stream_depth_reached | Detect | 0
tcp.reassembly_memuse | Detect | 0
tcp.reassembly_gap | Detect | 0
http.memuse | Detect | 0
http.memcap | Detect | 0
detect.alert | Detect | 15
flow_mgr.closed_pruned | FlowManagerThread | 0
flow_mgr.new_pruned | FlowManagerThread | 0
flow_mgr.est_pruned | FlowManagerThread | 0
flow.memuse | FlowManagerThread | 7080064
flow.spare | FlowManagerThread | 10000
flow.emerg_mode_entered | FlowManagerThread | 0
flow.emerg_mode_over | FlowManagerThread | 0
-------------------------------------------------------------------
Date: 7/20/2015 -- 02:10:22 (uptime: 0d, 00h 00m 24s)
-------------------------------------------------------------------
Counter | TM Name | Value
-------------------------------------------------------------------
capture.kernel_packets | RxPFR1 | 784
capture.kernel_drops | RxPFR1 | 0
dns.memuse | RxPFR1 | 495
dns.memcap_state | RxPFR1 | 0
dns.memcap_global | RxPFR1 | 0
decoder.pkts | RxPFR1 | 784
decoder.bytes | RxPFR1 | 443090
decoder.invalid | RxPFR1 | 0
decoder.ipv4 | RxPFR1 | 776
decoder.ipv6 | RxPFR1 | 0
decoder.ethernet | RxPFR1 | 784
decoder.raw | RxPFR1 | 0
decoder.sll | RxPFR1 | 0
decoder.tcp | RxPFR1 | 721
decoder.udp | RxPFR1 | 24
decoder.sctp | RxPFR1 | 0
decoder.icmpv4 | RxPFR1 | 27
decoder.icmpv6 | RxPFR1 | 0
decoder.ppp | RxPFR1 | 0
decoder.pppoe | RxPFR1 | 0
decoder.gre | RxPFR1 | 0
decoder.vlan | RxPFR1 | 0
decoder.vlan_qinq | RxPFR1 | 0
decoder.teredo | RxPFR1 | 0
decoder.ipv4_in_ipv6 | RxPFR1 | 0
decoder.ipv6_in_ipv6 | RxPFR1 | 0
decoder.avg_pkt_size | RxPFR1 | 565
decoder.max_pkt_size | RxPFR1 | 1514
defrag.ipv4.fragments | RxPFR1 | 0
defrag.ipv4.reassembled | RxPFR1 | 0
defrag.ipv4.timeouts | RxPFR1 | 0
defrag.ipv6.fragments | RxPFR1 | 0
defrag.ipv6.reassembled | RxPFR1 | 0
defrag.ipv6.timeouts | RxPFR1 | 0
defrag.max_frag_hits | RxPFR1 | 0
tcp.sessions | Detect | 0
tcp.ssn_memcap_drop | Detect | 0
tcp.pseudo | Detect | 0
tcp.invalid_checksum | Detect | 0
tcp.no_flow | Detect | 0
tcp.reused_ssn | Detect | 0
tcp.memuse | Detect | 393216
tcp.syn | Detect | 0
tcp.synack | Detect | 0
tcp.rst | Detect | 0
dns.memuse | Detect | 0
dns.memcap_state | Detect | 0
dns.memcap_global | Detect | 0
tcp.segment_memcap_drop | Detect | 0
tcp.stream_depth_reached | Detect | 0
tcp.reassembly_memuse | Detect | 0
tcp.reassembly_gap | Detect | 0
http.memuse | Detect | 0
http.memcap | Detect | 0
detect.alert | Detect | 27
flow_mgr.closed_pruned | FlowManagerThread | 0
flow_mgr.new_pruned | FlowManagerThread | 0
flow_mgr.est_pruned | FlowManagerThread | 0
flow.memuse | FlowManagerThread | 7082656
flow.spare | FlowManagerThread | 10000
flow.emerg_mode_entered | FlowManagerThread | 0
flow.emerg_mode_over | FlowManagerThread | 0
-------------------------------------------------------------------
Date: 7/20/2015 -- 02:10:30 (uptime: 0d, 00h 00m 32s)
-------------------------------------------------------------------
Counter | TM Name | Value
-------------------------------------------------------------------
capture.kernel_packets | RxPFR1 | 1382
capture.kernel_drops | RxPFR1 | 0
dns.memuse | RxPFR1 | 3889
dns.memcap_state | RxPFR1 | 0
dns.memcap_global | RxPFR1 | 0
decoder.pkts | RxPFR1 | 1382
decoder.bytes | RxPFR1 | 791089
decoder.invalid | RxPFR1 | 0
decoder.ipv4 | RxPFR1 | 1373
decoder.ipv6 | RxPFR1 | 0
decoder.ethernet | RxPFR1 | 1382
decoder.raw | RxPFR1 | 0
decoder.sll | RxPFR1 | 0
decoder.tcp | RxPFR1 | 1278
decoder.udp | RxPFR1 | 46
decoder.sctp | RxPFR1 | 0
decoder.icmpv4 | RxPFR1 | 43
decoder.icmpv6 | RxPFR1 | 0
decoder.ppp | RxPFR1 | 0
decoder.pppoe | RxPFR1 | 0
decoder.gre | RxPFR1 | 0
decoder.vlan | RxPFR1 | 0
decoder.vlan_qinq | RxPFR1 | 0
decoder.teredo | RxPFR1 | 0
decoder.ipv4_in_ipv6 | RxPFR1 | 0
decoder.ipv6_in_ipv6 | RxPFR1 | 0
decoder.avg_pkt_size | RxPFR1 | 572
decoder.max_pkt_size | RxPFR1 | 1514
defrag.ipv4.fragments | RxPFR1 | 0
defrag.ipv4.reassembled | RxPFR1 | 0
defrag.ipv4.timeouts | RxPFR1 | 0
defrag.ipv6.fragments | RxPFR1 | 0
defrag.ipv6.reassembled | RxPFR1 | 0
defrag.ipv6.timeouts | RxPFR1 | 0
defrag.max_frag_hits | RxPFR1 | 0
tcp.sessions | Detect | 1
tcp.ssn_memcap_drop | Detect | 0
tcp.pseudo | Detect | 0
tcp.invalid_checksum | Detect | 0
tcp.no_flow | Detect | 0
tcp.reused_ssn | Detect | 0
tcp.memuse | Detect | 393216
tcp.syn | Detect | 1
tcp.synack | Detect | 1
tcp.rst | Detect | 0
dns.memuse | Detect | 0
dns.memcap_state | Detect | 0
dns.memcap_global | Detect | 0
tcp.segment_memcap_drop | Detect | 0
tcp.stream_depth_reached | Detect | 0
tcp.reassembly_memuse | Detect | 12316544
tcp.reassembly_gap | Detect | 0
http.memuse | Detect | 0
http.memcap | Detect | 0
detect.alert | Detect | 43
flow_mgr.closed_pruned | FlowManagerThread | 0
flow_mgr.new_pruned | FlowManagerThread | 0
flow_mgr.est_pruned | FlowManagerThread | 0
flow.memuse | FlowManagerThread | 7085824
flow.spare | FlowManagerThread | 10000
flow.emerg_mode_entered | FlowManagerThread | 0
flow.emerg_mode_over | FlowManagerThread | 0
-------------------------------------------------------------------
Date: 7/20/2015 -- 02:10:37 (uptime: 0d, 00h 00m 39s)
-------------------------------------------------------------------
Counter | TM Name | Value
-------------------------------------------------------------------
capture.kernel_packets | RxPFR1 | 1928
capture.kernel_drops | RxPFR1 | 0
dns.memuse | RxPFR1 | 4485
dns.memcap_state | RxPFR1 | 0
dns.memcap_global | RxPFR1 | 0
decoder.pkts | RxPFR1 | 1928
decoder.bytes | RxPFR1 | 1078269
decoder.invalid | RxPFR1 | 0
decoder.ipv4 | RxPFR1 | 1919
decoder.ipv6 | RxPFR1 | 0
decoder.ethernet | RxPFR1 | 1928
decoder.raw | RxPFR1 | 0
decoder.sll | RxPFR1 | 0
decoder.tcp | RxPFR1 | 1790
decoder.udp | RxPFR1 | 61
decoder.sctp | RxPFR1 | 0
decoder.icmpv4 | RxPFR1 | 59
decoder.icmpv6 | RxPFR1 | 0
decoder.ppp | RxPFR1 | 0
decoder.pppoe | RxPFR1 | 0
decoder.gre | RxPFR1 | 0
decoder.vlan | RxPFR1 | 0
decoder.vlan_qinq | RxPFR1 | 0
decoder.teredo | RxPFR1 | 0
decoder.ipv4_in_ipv6 | RxPFR1 | 0
decoder.ipv6_in_ipv6 | RxPFR1 | 0
decoder.avg_pkt_size | RxPFR1 | 559
decoder.max_pkt_size | RxPFR1 | 1514
defrag.ipv4.fragments | RxPFR1 | 0
defrag.ipv4.reassembled | RxPFR1 | 0
defrag.ipv4.timeouts | RxPFR1 | 0
defrag.ipv6.fragments | RxPFR1 | 0
defrag.ipv6.reassembled | RxPFR1 | 0
defrag.ipv6.timeouts | RxPFR1 | 0
defrag.max_frag_hits | RxPFR1 | 0
tcp.sessions | Detect | 3
tcp.ssn_memcap_drop | Detect | 0
tcp.pseudo | Detect | 0
tcp.invalid_checksum | Detect | 0
tcp.no_flow | Detect | 0
tcp.reused_ssn | Detect | 0
tcp.memuse | Detect | 393216
tcp.syn | Detect | 3
tcp.synack | Detect | 3
tcp.rst | Detect | 0
dns.memuse | Detect | 0
dns.memcap_state | Detect | 0
dns.memcap_global | Detect | 0
tcp.segment_memcap_drop | Detect | 0
tcp.stream_depth_reached | Detect | 0
tcp.reassembly_memuse | Detect | 12316544
tcp.reassembly_gap | Detect | 0
http.memuse | Detect | 3250
http.memcap | Detect | 0
detect.alert | Detect | 59
flow_mgr.closed_pruned | FlowManagerThread | 0
flow_mgr.new_pruned | FlowManagerThread | 0
flow_mgr.est_pruned | FlowManagerThread | 0
flow.memuse | FlowManagerThread | 7089568
flow.spare | FlowManagerThread | 10000
flow.emerg_mode_entered | FlowManagerThread | 0
flow.emerg_mode_over | FlowManagerThread | 0
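The freeze described in this thread (decoder.pkts and capture.kernel_packets stop moving while uptime keeps growing) can be checked mechanically instead of by eyeballing stats.log dumps. The following is an added example, not code from Suricata or from anyone in this thread: a small Python parser for the `Counter | TM Name | Value` layout shown in the attachment above, which computes the packet rate between consecutive dumps and flags intervals where the watched counters did not advance. The sample log embedded in it is constructed (the first two snapshots mirror the attachment, the third is made up to show a stall); the function names and the `CAPTURE_COUNTERS` choice are this example's own.

```python
import re

# Constructed sample in the stats.log layout of Suricata 2.0.x, the same
# layout as the statslog.txt attached above. The first two snapshots mirror
# the attachment; the third is made up to show the freeze from the thread.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 7/20/2015 -- 02:10:15 (uptime: 0d, 00h 00m 17s)
-------------------------------------------------------------------
Counter | TM Name | Value
-------------------------------------------------------------------
capture.kernel_packets | RxPFR1 | 442
capture.kernel_drops | RxPFR1 | 0
decoder.pkts | RxPFR1 | 442
-------------------------------------------------------------------
Date: 7/20/2015 -- 02:10:22 (uptime: 0d, 00h 00m 24s)
-------------------------------------------------------------------
Counter | TM Name | Value
-------------------------------------------------------------------
capture.kernel_packets | RxPFR1 | 784
capture.kernel_drops | RxPFR1 | 0
decoder.pkts | RxPFR1 | 784
-------------------------------------------------------------------
Date: 7/20/2015 -- 02:10:30 (uptime: 0d, 00h 00m 32s)
-------------------------------------------------------------------
Counter | TM Name | Value
-------------------------------------------------------------------
capture.kernel_packets | RxPFR1 | 784
capture.kernel_drops | RxPFR1 | 0
decoder.pkts | RxPFR1 | 784
"""

DATE_RE = re.compile(r"^Date: (?P<date>.+?) \(uptime: (?P<d>\d+)d, "
                     r"(?P<h>\d+)h (?P<m>\d+)m (?P<s>\d+)s\)$")
# \s* around the bars also accepts the column-padded layout of newer releases.
COUNTER_RE = re.compile(r"^(?P<name>[\w.]+)\s*\|\s*(?P<tm>\S+)\s*\|\s*(?P<value>\d+)$")
CAPTURE_COUNTERS = ("capture.kernel_packets", "decoder.pkts")


def parse_stats_log(text):
    """Split stats.log into [{'date', 'uptime' (seconds), 'counters'}, ...];
    'counters' maps (counter name, thread module name) -> int."""
    snapshots = []
    for line in text.splitlines():
        m = DATE_RE.match(line.strip())
        if m:
            up = (int(m["d"]) * 86400 + int(m["h"]) * 3600
                  + int(m["m"]) * 60 + int(m["s"]))
            snapshots.append({"date": m["date"], "uptime": up, "counters": {}})
            continue
        m = COUNTER_RE.match(line.strip())
        if m and snapshots:  # counter rows before the first Date line are ignored
            snapshots[-1]["counters"][(m["name"], m["tm"])] = int(m["value"])
    return snapshots


def counter_total(snapshot, name):
    """Sum a counter over every thread (RxPFR1, RxPcapeth01, ...) that reports it."""
    return sum(v for (n, _tm), v in snapshot["counters"].items() if n == name)


def capture_rates(snapshots, name="capture.kernel_packets"):
    """Packets per second between consecutive dumps: [(uptime, rate), ...]."""
    rates = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        dt = cur["uptime"] - prev["uptime"]
        if dt > 0:  # skip duplicated or out-of-order dumps
            dp = counter_total(cur, name) - counter_total(prev, name)
            rates.append((cur["uptime"], dp / dt))
    return rates


def find_stalls(snapshots, counters=CAPTURE_COUNTERS):
    """Intervals where uptime grew but none of the watched counters did.
    A stall with capture.kernel_drops also flat means the engine is alive but
    no packets reach it; growing drops would point at overload instead."""
    stalls = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        if cur["uptime"] <= prev["uptime"]:
            continue
        frozen = [c for c in counters
                  if counter_total(cur, c) == counter_total(prev, c)]
        if len(frozen) == len(counters):
            drops = (counter_total(cur, "capture.kernel_drops")
                     - counter_total(prev, "capture.kernel_drops"))
            stalls.append({"from_uptime": prev["uptime"], "at_uptime": cur["uptime"],
                           "frozen": frozen, "kernel_drops_delta": drops})
    return stalls


if __name__ == "__main__":
    snaps = parse_stats_log(SAMPLE_STATS_LOG)
    for up, rate in capture_rates(snaps):
        print("uptime %3ds: %.1f pkt/s" % (up, rate))
    for s in find_stalls(snaps):
        print("STALL %ds..%ds: %s frozen, kernel drops +%d" % (s["from_uptime"],
              s["at_uptime"], ", ".join(s["frozen"]), s["kernel_drops_delta"]))
```

Run against a real stats.log (`parse_stats_log(open("/var/log/suricata/stats.log").read())`), the stall list gives the uptime at which capture stopped, which is the number to correlate with suricata.log and with `tcpdump` on the same interface, as done in the thread. `counter_total` sums over all threads, so the check also works for autofp or workers setups with several RxPFR threads, and the `kernel_drops_delta` field separates "nothing arrives" (flat drops, the symptom here) from "too much arrives" (drops climbing while packets still advance).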