[Oisf-users] Suricata generating fewer alerts than Snort

Yasha Zislin coolyasha at hotmail.com
Mon Oct 26 11:12:40 UTC 2015


I am running PF_RING as well and I've noticed that you don't want to spin up more detect threads than the number of logical CPUs that you have. Unless you have 76 logical CPUs, I would recommend reducing that. Also, if you have any packet loss, then the number of alerts would go down.
BTW, I've used Snort before and now I am getting more alerts with Suricata than before. 

> From: dsprans at emory.edu
> To: petermanev at gmail.com
> Date: Fri, 23 Oct 2015 13:14:20 +0000
> CC: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata generating fewer alerts than Snort
> 
> Hi Peter,
> 
> Here's the output:
> 
> filename:       /lib/modules/3.10.0-229.7.2.el7.x86_64/extra/pf_ring.ko
> alias:          net-pf-27
> description:    Packet capture acceleration and analysis
> author:         ntop.org
> license:        GPL
> rhelversion:    7.1
> srcversion:     2529895847C1F1B8C2B43D8
> depends:        
> vermagic:       3.10.0-229.7.2.el7.x86_64 SMP mod_unload modversions 
> parm:           min_num_slots:Min number of ring slots (uint)
> parm:           perfect_rules_hash_size:Perfect rules hash size (uint)
> parm:           transparent_mode:(deprecated) (uint)
> parm:           enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog (uint)
> parm:           enable_tx_capture:Set to 1 to capture outgoing packets (uint)
> parm:           enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint)
> parm:           enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)
> parm:           quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint)
> PF_RING Version          : 6.0.3 (6.0.3-stable:8994076d9761315040ed29a0d5825cb74c20c078)
> Total rings              : 0
> 
> Standard (non DNA/ZC) Options
> Ring slots               : 4096
> Slot version             : 16
> Capture TX               : Yes [RX+TX]
> IP Defragment            : No
> Socket Mode              : Standard
> Total plugins            : 0
> Cluster Fragment Queue   : 0
> Cluster Fragment Discard : 0
> 
> The interface we're using:
> Name:              enp2s0f0
> Index:             6
> Address:           90:E2:BA:--:--:--
> Polling Mode:      NAPI/ZC
> Type:              Ethernet
> Family:            Intel ixgbe 82599
> Max # TX Queues:   1
> # Used RX Queues:  1
> Num RX Slots:      8192
> Num TX Slots:      8192
> 
> On this box we're spinning up 73 detect threads and 3 management threads
> 
> Thanks,
> Derek
> ________________________________________
> From: Peter Manev <petermanev at gmail.com>
> Sent: Friday, October 23, 2015 3:32 AM
> To: Spransy, Derek
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata generating fewer alerts than Snort
> 
> On Thu, Oct 22, 2015 at 8:39 PM, Spransy, Derek <dsprans at emory.edu> wrote:
> > Hi Peter,
> >
> > It is currently set to 60,000
> 
> Hi Derek,
> 
> What is the output of -
> modinfo pf_ring && cat /proc/net/pf_ring/info
> 
> How many threads do you use (per interfaces?)?
> 
> 
> Thank you
> 
> > ________________________________________
> > From: Peter Manev <petermanev at gmail.com>
> > Sent: Thursday, October 22, 2015 2:33 PM
> > To: Spransy, Derek
> > Cc: Cooper F. Nelson; oisf-users at lists.openinfosecfoundation.org
> > Subject: Re: [Oisf-users] Suricata generating fewer alerts than Snort
> >
> >> On 22 okt. 2015, at 20:28, Spransy, Derek <dsprans at emory.edu> wrote:
> >>
> >> Hi Cooper,
> >>
> >> Thanks for the suggestions. We're using pfring autofp mode (using ZC drivers) rather than AF_Packet, though I could try that configuration. RSS is, I believe, disabled in ZC mode. I haven't seen a lot of documentation out there about using PF_RING ZC drivers, so perhaps I've missed something in that regard.
> >>
> >> Also we are using Suricata optimized rules:
> >> ** GET http://rules.emergingthreatspro.com/<code>/suricata-2.0.9/etpro.rules.tar.gz ==> 200 OK (1s)
> >>
> >> I disabled NIC offloading features for that interface as well, but it doesn't appear to have made any significant difference.
> >>
> >
> > What is your max pending packets value (in suricata.yaml)?
> >
> >
> >> Thanks,
> >> Derek
> >> ________________________________________
> >> From: Cooper F. Nelson <cnelson at ucsd.edu>
> >> Sent: Thursday, October 22, 2015 1:52 PM
> >> To: Spransy, Derek; oisf-users at lists.openinfosecfoundation.org
> >> Subject: Re: [Oisf-users] Suricata generating fewer alerts than Snort
> >>
> >> I experienced the exact opposite effect migrating from snort to
> >> suricata, so I think something is wrong with your deployment.
> >>
> >> First off, have you tried the latest version of suricata using 'workers'
> >> runmode with zero-copy/AF_PACKET mode?  Details described here:
> >>
> >>> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
> >>
> >> Make sure all NIC offloading features are disabled as per this article
> >>
> >>> http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
> >>
> >> As a sanity check, are you sure you are using a ruleset tuned for
> >> suricata, like this?
> >>
> >>> https://rules.emergingthreats.net/open/suricata/
> >>
> >> - -Coop
> >>
> >>
> >>> On 10/22/2015 10:43 AM, Spransy, Derek wrote:
> >>> I would have expected just the opposite as our Snort box is more
> >>> underpowered and has a higher packet drop rate. Can anyone point me in a
> >>> direction to troubleshoot? Generally our packet drops seems to be
> >>> relatively low, (~2%) on the Suricata system. However, I don't know how
> >>> accurate these are as sometimes Suricata reports packet drop percentages
> >>> higher than 100%, which in itself seems really rather odd.
> >>>
> >>> Thanks,
> >>> Derek
> >>>
> >>> ------------------------------------------------------------------------
> >>
> >>
> >> - --
> >> Cooper Nelson
> >> Network Security Analyst
> >> UCSD ACT Security Team
> >> cnelson at ucsd.edu x41042
> >>
> >> _______________________________________________
> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
> 
> 
> 
> --
> Regards,
> Peter Manev
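Two checks the thread keeps circling back to, written up as an added example that is not from the list or from the Suricata project: Yasha's rule that detect plus management threads should not exceed the logical CPU count, and Derek's observation that Suricata sometimes reports drop percentages above 100%. The three-column pipe-separated stats.log layout, the thread names and all counter values below are constructed assumptions, as is the 40-CPU box used for the thread-budget call.

```python
"""Sanity checks for a Suricata sensor like the one discussed in this thread:
   (1) thread count vs. logical CPUs, (2) kernel drop rate per capture thread.
   The stats.log layout (Counter | TM Name | Value) is an assumption."""
import re
from collections import defaultdict

# Constructed stats.log excerpt; counter names follow the
# capture.kernel_packets / capture.kernel_drops convention.
SAMPLE_STATS = """\
-------------------------------------------------------------------
Date: 10/26/2015 -- 11:12:40 (uptime: 0d, 00h 05m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPFRenp2s0f01            | 500000
capture.kernel_drops      | RxPFRenp2s0f01            | 10000
capture.kernel_packets    | RxPFRenp2s0f02            | 400
capture.kernel_drops      | RxPFRenp2s0f02            | 900
"""

LINE_RE = re.compile(
    r"^(capture\.kernel_(?:packets|drops))\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_capture_counters(text):
    """Return {thread: {'packets': n, 'drops': n}} from a stats.log dump."""
    per_thread = defaultdict(lambda: {"packets": 0, "drops": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, separators and unrelated counters
        counter, thread, value = m.groups()
        key = "packets" if counter.endswith("packets") else "drops"
        per_thread[thread][key] = int(value)
    return dict(per_thread)

def drop_report(text):
    """Per-thread drop percentage. Drops exceeding packets (the '>100%'
    figure Derek saw) are flagged as suspect rather than trusted."""
    report = {}
    for thread, c in parse_capture_counters(text).items():
        pkts, drops = c["packets"], c["drops"]
        pct = 100.0 * drops / pkts if pkts else 0.0
        report[thread] = {"drop_pct": round(pct, 2), "suspect": drops > pkts}
    return report

def thread_budget(detect_threads, mgmt_threads, logical_cpus):
    """Yasha's rule of thumb: total threads should not exceed logical CPUs."""
    total = detect_threads + mgmt_threads
    return {"total": total, "oversubscribed": total > logical_cpus,
            "suggested_detect": max(1, logical_cpus - mgmt_threads)}

if __name__ == "__main__":
    print(drop_report(SAMPLE_STATS))
    print(thread_budget(73, 3, 40))  # 40 logical CPUs is a constructed figure
```

A suspect thread means the counters cannot be used to estimate loss at all, so the alert-count comparison with Snort is not meaningful until capture statistics are trustworthy.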