[Oisf-users] Suricata generating fewer alerts than Snort

Spransy, Derek dsprans at emory.edu
Fri Oct 23 13:14:20 UTC 2015


Hi Peter,

Here's the output:

filename:       /lib/modules/3.10.0-229.7.2.el7.x86_64/extra/pf_ring.ko
alias:          net-pf-27
description:    Packet capture acceleration and analysis
author:         ntop.org
license:        GPL
rhelversion:    7.1
srcversion:     2529895847C1F1B8C2B43D8
depends:        
vermagic:       3.10.0-229.7.2.el7.x86_64 SMP mod_unload modversions 
parm:           min_num_slots:Min number of ring slots (uint)
parm:           perfect_rules_hash_size:Perfect rules hash size (uint)
parm:           transparent_mode:(deprecated) (uint)
parm:           enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog (uint)
parm:           enable_tx_capture:Set to 1 to capture outgoing packets (uint)
parm:           enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint)
parm:           enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)
parm:           quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint)
PF_RING Version          : 6.0.3 (6.0.3-stable:8994076d9761315040ed29a0d5825cb74c20c078)
Total rings              : 0

Standard (non DNA/ZC) Options
Ring slots               : 4096
Slot version             : 16
Capture TX               : Yes [RX+TX]
IP Defragment            : No
Socket Mode              : Standard
Total plugins            : 0
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0

The interface we're using:
Name:              enp2s0f0
Index:             6
Address:           90:E2:BA:--:--:--
Polling Mode:      NAPI/ZC
Type:              Ethernet
Family:            Intel ixgbe 82599
Max # TX Queues:   1
# Used RX Queues:  1
Num RX Slots:      8192
Num TX Slots:      8192

On this box we're spinning up 73 detect threads and 3 management threads.

Thanks,
Derek
________________________________________
From: Peter Manev <petermanev at gmail.com>
Sent: Friday, October 23, 2015 3:32 AM
To: Spransy, Derek
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata generating fewer alerts than Snort

On Thu, Oct 22, 2015 at 8:39 PM, Spransy, Derek <dsprans at emory.edu> wrote:
> Hi Peter,
>
> It is currently set to 60,000

Hi Derek,

What is the output of -
modinfo pf_ring && cat /proc/net/pf_ring/info

How many threads do you use (per interface)?


Thank you

> ________________________________________
> From: Peter Manev <petermanev at gmail.com>
> Sent: Thursday, October 22, 2015 2:33 PM
> To: Spransy, Derek
> Cc: Cooper F. Nelson; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata generating fewer alerts than Snort
>
>> On 22 okt. 2015, at 20:28, Spransy, Derek <dsprans at emory.edu> wrote:
>>
>> Hi Cooper,
>>
>> Thanks for the suggestions. We're using pfring autofp mode (using ZC drivers) rather than AF_Packet, though I could try that configuration. RSS is, I believe, disabled in ZC mode. I haven't seen a lot of documentation out there about using PF_RING ZC drivers, so perhaps I've missed something in that regard.
>>
>> Also we are using Suricata optimized rules:
>> ** GET http://rules.emergingthreatspro.com/<code>/suricata-2.0.9/etpro.rules.tar.gz ==> 200 OK (1s)
>>
>> I disabled NIC offloading features for that interface as well, but it doesn't appear to have made any significant difference.
>>
>
> What is your max pending packets value (in suricata.yaml)?
>
>
>> Thanks,
>> Derek
>> ________________________________________
>> From: Cooper F. Nelson <cnelson at ucsd.edu>
>> Sent: Thursday, October 22, 2015 1:52 PM
>> To: Spransy, Derek; oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Suricata generating fewer alerts than Snort
>>
>>
>> I experienced the exact opposite effect migrating from snort to
>> suricata, so I think something is wrong with your deployment.
>>
>> First off, have you tried the latest version of suricata using 'workers'
>> runmode with zero-copy/AF_PACKET mode?  Details described here:
>>
>>> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
>>
>> Make sure all NIC offloading features are disabled as per this article
>>
>>> http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
>>
>> As a sanity check, are you sure you are using a ruleset tuned for
>> suricata, like this?
>>
>>> https://rules.emergingthreats.net/open/suricata/
>>
>> - -Coop
>>
>>
>>> On 10/22/2015 10:43 AM, Spransy, Derek wrote:
>>> I would have expected just the opposite as our Snort box is more
>>> underpowered and has a higher packet drop rate. Can anyone point me in a
>>> direction to troubleshoot? Generally our packet drops seem to be
>>> relatively low (~2%) on the Suricata system. However, I don't know how
>>> accurate these are as sometimes Suricata reports packet drop percentages
>>> higher than 100%, which in itself seems really rather odd.
>>>
>>> Thanks,
>>> Derek
>>>
>>> ------------------------------------------------------------------------
>>
>>
>> - --
>> Cooper Nelson
>> Network Security Analyst
>> UCSD ACT Security Team
>> cnelson at ucsd.edu x41042
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net



--
Regards,
Peter Manev
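Derek's quoted observation that Suricata sometimes reports a packet drop percentage above 100% is worth checking against the raw counters rather than the printed rate. The parser below is an added example, not code from the thread or from the Suricata project: it reads the `Counter | TM Name | Value` rows of a Suricata 2.0-era stats.log, computes the kernel drop rate per capture thread, and flags any thread whose `capture.kernel_drops` exceeds its `capture.kernel_packets` as a counter anomaly to investigate instead of reporting an impossible rate. The stats lines and thread names are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of Suricata 2.0-era stats.log rows (not taken from the thread).
# Each interval prints a table of "Counter | TM Name | Value"; thread names follow
# the PF_RING receive-thread naming convention (RxPFR<iface><n>).
SAMPLE_STATS = """\
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPFRenp2s0f01            | 9500000
capture.kernel_drops      | RxPFRenp2s0f01            | 190000
capture.kernel_packets    | RxPFRenp2s0f02            | 100000
capture.kernel_drops      | RxPFRenp2s0f02            | 250000
detect.alert              | Detect1                   | 4321
"""

# Matches data rows only; the header ("TM Name" contains a space) and the
# dashed separators do not match.
LINE_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats(text):
    """Return {thread_name: {counter_name: value}} for every data row."""
    per_thread = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counter, thread, value = m.groups()
            per_thread[thread][counter] = int(value)
    return per_thread


def drop_report(text):
    """Return (per_thread, overall_pct).

    per_thread maps each capture thread to ("ok", pct) or ("suspect", None).
    A thread is 'suspect' when drops exceed packets (the >100% case from the
    thread) or when it saw no packets at all; the assumption here is that such
    a reading is a counter problem to investigate, not a real loss rate.
    """
    per_thread = {}
    total_pkts = total_drops = 0
    for thread, counters in parse_stats(text).items():
        if "capture.kernel_packets" not in counters:
            continue  # not a capture thread (e.g. a Detect thread)
        pkts = counters["capture.kernel_packets"]
        drops = counters.get("capture.kernel_drops", 0)
        total_pkts += pkts
        total_drops += drops
        if pkts == 0 or drops > pkts:
            per_thread[thread] = ("suspect", None)
        else:
            per_thread[thread] = ("ok", round(100.0 * drops / pkts, 2))
    overall = round(100.0 * total_drops / total_pkts, 2) if total_pkts else None
    return per_thread, overall
```

Feed it one interval's table from stats.log; the aggregate rate is still computed from all capture threads so a single anomalous thread is visible next to the box-wide figure.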


