[Oisf-users] HTTP and DNS alert and captures not working

Brian Hennigar bhennigar at gmail.com
Fri Jul 8 16:15:43 UTC 2016


Is it still recommended to stay on kernel 4.2 or below when using af_packet
and Suricata 3.1?


Thanks,
Brian

On Tue, Jun 28, 2016 at 7:21 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> Ok that's it, reverting to < 4.2 seems to have fixed the issue.
>
> However, it uncovered a new one as the performance metrics we have been
> reporting for the mpm/hyperscan 3.1 series release were off, as the end
> result of the bug was that IP flows were effectively being randomly
> sampled.
>
> So we are back to using some of the techniques I've discussed previously
> to mitigate an over-subscribed sensor.  However, the 3.1 release is
> still a big win for us as we are able to evaluate both more signatures
> and IP traffic on the same sensor.
>
> -Coop
>
> On 6/26/2016 2:41 PM, Peter Manev wrote:
> > @Cooper - If i am not wrong you are on kernel > 4.2 and using
> > af-packet. There is a bug in the kernel with regards to symmetric flow
> > hashing for afpacket/suricata. As a test it would be much appreciated
> > if you can please try kernel 4.2 or lower and see if it makes any
> > difference for you?
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net
>
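The kernel bug Peter mentions, and the "randomly sampled" flows Cooper observed, come down to flow hashing being symmetric or not. An IDS that fans packets out to worker threads needs both directions of a TCP/UDP conversation to land on the same worker; if the hash depends on packet direction, each worker sees only half of most flows, so stream reassembly and the HTTP/DNS parsers have nothing complete to work with. The following is an added illustration, not code from the thread, the kernel or Suricata: the hash functions are simple stand-ins for the kernel's fanout hash (not the real flow dissector), and the sample flows are constructed.

```python
"""Why a symmetric flow hash matters for an IDS using fanout to worker threads.

Added example, not code from the mailing-list thread, the kernel or Suricata.
The key and hash functions below are stand-ins, not the kernel's flow dissector.
"""
import hashlib
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip dst_ip src_port dst_port proto")


def asymmetric_key(p):
    # Direction-dependent key: (src, dst) ordering is kept as seen on the wire,
    # so the A->B and B->A packets of one flow produce different keys.
    return f"{p.proto}|{p.src_ip}:{p.src_port}>{p.dst_ip}:{p.dst_port}"


def symmetric_key(p):
    # Direction-independent key: order the two endpoints canonically so that
    # both directions of a flow produce the same key.
    a = (p.src_ip, p.src_port)
    b = (p.dst_ip, p.dst_port)
    lo, hi = sorted([a, b])
    return f"{p.proto}|{lo[0]}:{lo[1]}<>{hi[0]}:{hi[1]}"


def worker_for(key, n_workers):
    # Stable key -> worker index (stand-in for a kernel fanout hash mode).
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_workers


def reverse(p):
    # The reply packet of the same flow, as the sensor would see it.
    return Packet(p.dst_ip, p.src_ip, p.dst_port, p.src_port, p.proto)


def split_flow_fraction(packets, key_fn, n_workers):
    """Fraction of flows whose two directions are dispatched to different workers.

    A split flow is effectively 'sampled': no single worker sees the whole
    conversation, so app-layer parsing (HTTP, DNS over TCP, ...) cannot complete.
    """
    split = 0
    for p in packets:
        fwd = worker_for(key_fn(p), n_workers)
        rev = worker_for(key_fn(reverse(p)), n_workers)
        if fwd != rev:
            split += 1
    return split / len(packets)


def sample_flows(count=1000):
    # Constructed sample: clients on 10.0.0.0/24 talking to one web server.
    return [Packet(f"10.0.0.{i % 254 + 1}", "192.0.2.10", 1024 + i, 80, "tcp")
            for i in range(count)]


if __name__ == "__main__":
    flows = sample_flows()
    for name, fn in (("asymmetric", asymmetric_key), ("symmetric", symmetric_key)):
        frac = split_flow_fraction(flows, fn, n_workers=8)
        print(f"{name:10s} hash, 8 workers: {frac:.1%} of flows split across workers")
```

With a direction-dependent hash and N workers, roughly (N-1)/N of the flows end up split, which is what looks like random sampling of IP flows on the sensor; with the canonical-order key the split fraction is zero regardless of worker count.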
