[Oisf-users] Suricata goes wild with SURICATA STREAM alerts
Marius
wishinet at gmail.com
Tue Jul 12 19:46:53 UTC 2016
Hi,
I have capture problems with a Suricata 3.0.1. I'd appreciate some ideas on
this.
I suspect it has to do with my Suricata configuration. The traffic is sent
to the sensor via an f5 clone pool.
( https://support.f5.com/kb/en-us/solutions/public/8000/500/sol8573.html )
.
* The traffic is copied into an IDS VLan and received on an interface. The
MAC address is rewritten.
A packet looks like this:
https://drive.google.com/file/d/0BwyhoK4VyctFWWN6LVlTdjdIT00/view
* With the clone pools we can get SSL offloaded traffic from the LBs. Suri
doesn't do SSL decryption.
On the sensor my interface config is:
enp17s0f1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9000
inet 192.168.99.94 netmask 255.255.255.0 broadcast 192.168.99.255
* The interface is not set in promiscuous mode, because it receives the
traffic directly via the MAC.
The rules, which indicate an error, are mostly stream engine related:
SURICATA STREAM 3way handshake with ack in wrong dir [Classification:
(null)]
SURICATA STREAM ESTABLISHED packet out of window
SURICATA STREAM ESTABLISHED invalid ack
SURICATA STREAM Packet with invalid ack
SURICATA STREAM FIN invalid ack
* these alerts go wild
* I also get valid alerts for TOR IPs and some XSS. However that is a
fraction.
* the stats.log:
------------------------------------------------------------------------------------
Date: 7/12/2016 -- 19:22:01 (uptime: 0d, 00h 26m 35s)
------------------------------------------------------------------------------------
Counter | TM Name |
Value
------------------------------------------------------------------------------------
capture.kernel_packets | Total |
49950854
capture.kernel_drops | Total |
38149996
decoder.pkts | Total |
11664420
decoder.bytes | Total |
5930632578
decoder.ipv4 | Total |
11664416
decoder.ethernet | Total |
11664420
decoder.tcp | Total |
11664416
decoder.avg_pkt_size | Total | 508
decoder.max_pkt_size | Total |
1566
tcp.sessions | Total |
568197
tcp.pseudo | Total |
29014
tcp.syn | Total |
593612
tcp.synack | Total |
522806
tcp.rst | Total |
9906
tcp.segment_memcap_drop | Total |
36066
tcp.stream_depth_reached | Total | 24
tcp.reassembly_gap | Total |
159155
detect.alert | Total |
2041259
flow_mgr.closed_pruned | Total |
104504
flow_mgr.new_pruned | Total |
773441
flow.spare | Total |
20560
flow.tcp_reuse | Total |
2032
tcp.memuse | Total |
52727808
tcp.reassembly_memuse | Total |
2147483622
http.memuse | Total |
222223958
flow.memuse | Total |
96075664
* My suspicion is that my config has a problem, because suri does not
utilize memory or CPU a lot. The machine is almost idle.
* Peak is 20 MB per second - nothing extra ordinary here
I use af-packet in Suri:
af-packet:
- interface: enp17s0f1
threads: 1
cluster-id: 99
cluster-type: cluster_flow
defrag: yes
# 12 GB, machine has 32 GB
buffer-size: 12884901888
disable-promisc: yes
use-mmap: yes
checksum-checks: auto
defrag:
max-frags: 65535
prealloc: yes
timeout: 120
# had no effect
vlan:
use-for-tracking: false
stream:
memcap: 4096mb
# had no effect
checksum-validation: yes # reject wrong csums
inline: no # no inline mode
reassembly:
memcap: 2048mb
depth: 1mb # reassemble 1mb into a stream
toserver-chunk-size: 2560
toclient-chunk-size: 2560
# I am unsure about these
# midstream: true
# async-oneside: true
# also no effect:
max-synack-queued: 10
* suri produces PCAPs, and logs. The engine is stable. But somehow the cap
(and match) processes don't work.
I'm not sure where to look next.
Best,
Marius
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160712/49358381/attachment.html>
More information about the Oisf-users
mailing list