[Oisf-users] Big FTP downloads
Victor Julien
lists at inliniac.net
Tue Feb 9 15:56:30 UTC 2016
On 09-02-16 15:21, Erich Lerch wrote:
> We note a small packet loss from time to time, even if the system
> usage is not extremely high.
> I have some indications that this might happen during FTP downloads of
> big files (e.g. iso image).
> An explanation might be that Suri cannot correlate this data stream
> with a passive FTP connection and thus tries to check far too many
> rules.
> Does this sound reasonable as an explanation, and is there a way to
> remediate? Or is Passive FTP handling simply not (yet) powerful enough
> in Suri?
If you're not yet on 3.0, it may be good to test that. A number of
protocol detection and stream inefficiencies have been resolved that
we've seen with streams like that.
We have no FTP logic for such streams yet, so it's going to look like a
random stream to Suricata, with only the per packet and per stream
content inspection happening. Which rules are applies depends on config
and the ports the stream use.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list