[Oisf-users] tcp.reassembly_gap
Peter Manev
petermanev at gmail.com
Fri Jan 22 12:12:08 UTC 2016
On Fri, Jan 22, 2016 at 12:20 PM, Luke Whitworth
<l.a.whitworth at gmail.com> wrote:
> Cheers Peter,
>
> I wasn't actually using 3.0RC3, however having read a bit about it
> (specifically the pf_ring improvements) I've just switched both monitors
> over to it anyway. I've also made the config change you suggested and the
> stats are certainly a lot more readable now!
>
> As the reassembly gaps are a fact of life I'll just keep looking into why
> the snort sensors are alerting on items that Suricata isn't. Suricata does
> see stuff that the Snort sensors don't as well, so it's a bit of a good news
> bad news situation at present!
Ok.
Please let us know if you need any help or have some new findings.
>
> Thanks,
>
> Luke
>
> On 22 January 2016 at 10:50, Peter Manev <petermanev at gmail.com> wrote:
>>
>> On Fri, Jan 22, 2016 at 10:13 AM, Luke Whitworth
>> <l.a.whitworth at gmail.com> wrote:
>> > Hi all,
>> >
>> > I'm pretty new to Suricata so please forgive me if I'm about to ask
>> > stupid
>> > questions!
>> >
>> > I'm hoping to replace some Snort monitors with Suricata. I've got
>> > Suricata
>> > setup in workers mode using pf_ring:
>> >
>> > pfring:
>> > - interface: eth0;eth1
>> > threads: 24
>> > cluster-id: 39
>> > cluster-type: cluster_flow
>> >
>> > I'm seeing what I'd hope to see, no kernel drops:
>> >
>> > -------------------------------------------------------------------
>> > Date: 1/20/2016 -- 16:08:16 (uptime: 0d, 00h 19m 58s)
>> > -------------------------------------------------------------------
>> > Counter | TM Name | Value
>> > -------------------------------------------------------------------
>> > capture.kernel_packets | RxPFReth0;eth11 | 27716639
>> > capture.kernel_drops | RxPFReth0;eth11 | 0
>> >
>> > However occasionally the Snort monitor (running on the same box) will
>> > still
>> > see events that Suricata doesn't, which at the minute I'm putting down
>> > to:
>> >
>> > tcp.reassembly_gap | RxPFReth0;eth11 | 408
>> > tcp.reassembly_gap | RxPFReth0;eth12 | 160
>> > tcp.reassembly_gap | RxPFReth0;eth13 | 26
>> > tcp.reassembly_gap | RxPFReth0;eth14 | 32
>> > tcp.reassembly_gap | RxPFReth0;eth15 | 35
>> > tcp.reassembly_gap | RxPFReth0;eth16 | 27
>> > tcp.reassembly_gap | RxPFReth0;eth17 | 18
>> > tcp.reassembly_gap | RxPFReth0;eth18 | 31
>> > tcp.reassembly_gap | RxPFReth0;eth19 | 23
>> >
>> > Granted I might be getting the wrong end of the stick here (I'm also
>> > unsure
>> > why I only see 9 in my stats.log when there's 24 threads running:
>> > 20/1/2016
>> > -- 15:48:36 - <Notice> - all 24 packet processing threads, 3 management
>> > threads initialized, engine started.).
>>
>> If not mistaken you are running the latest git master or 3.0RC3 - by
>> default when it comes to stats if there are "0" counters they will not
>> be shown.
>> To change that you can un-comment -
>>
>> #null-values: yes
>> in the stats log section, please see reference link below:
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L31
>>
>> >
>> > Other (hopefully) relevant parts of Suricata.yml:
>> >
>> > flow:
>> > # memcap: 128mb
>> > memcap: 8gb
>> > # hash-size: 65536
>> > hash-size: 131072
>> > # prealloc: 10000
>> > prealloc: 50000
>> > emergency-recovery: 30
>> >
>> > stream:
>> > memcap: 12gb
>> > prealloc-sessions: 2500000 # Added by LW
>> > # checksum-validation: yes # reject wrong csums
>> > checksum-validation: no # reject wrong csums
>> > inline: auto # auto will use inline mode in IPS mode,
>> > yes
>> > or no set it statically
>> > reassembly:
>> > #memcap: 128mb
>> > memcap: 24gb
>> > depth: 6mb # reassemble 1mb into a stream
>> > toserver-chunk-size: 2560
>> > toclient-chunk-size: 2560
>> > randomize-chunk-size: yes
>> >
>> > The box has 32GB of RAM and a couple of Intel® Xeon® Processor X5690
>> > CPUs
>> > (Hex core, dual thread, hence the 24 threads for pf_ring).
>> >
>> > Am I looking along the right lines? Am I expecting the impossible for
>> > tcp.reassembly_gap to be 0?
>>
>>
>> Unfortunately reassembly gaps do exist and most of the time they have
>> nothing to do with Suricata but rather other actors are responsible
>> like unseen retransmission's , drops at the mirror port etc..
>>
>> >
>> > Cheers,
>> >
>> > Luke
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support:
>> > http://suricata-ids.org/support/
>> > List:
>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > Suricata User Conference November 9-11 in Washington, DC:
>> > http://oisfevents.net
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>
>
--
Regards,
Peter Manev
More information about the Oisf-users
mailing list