[Oisf-users] HTTP and DNS alert and captures not working

Victor Julien lists at inliniac.net
Fri Jul 8 16:18:43 UTC 2016


On 08-07-16 18:15, Brian Hennigar wrote:
> Is it still recommended to stay on kernel 4.2 or below when using
> af_packet and Suricata 3.1?

Yes. Keep an eye on this ticket:
https://redmine.openinfosecfoundation.org/issues/1777; we'll close it
when a stable kernel has been released that contains the kernel-side fix.

Cheers,
Victor



> 
> Thanks,
> Brian
> 
> On Tue, Jun 28, 2016 at 7:21 PM, Cooper F. Nelson <cnelson at ucsd.edu
> <mailto:cnelson at ucsd.edu>> wrote:
> 
>     Ok that's it, reverting to < 4.2 seems to have fixed the issue.
> 
>     However, it uncovered a new one as the performance metrics we have been
>     reporting for the mpm/hyperscan 3.1 series release were off, as the end
>     result of the bug was that IP flows were effectively being randomly
>     sampled.
> 
>     So we are back to using some of the techniques I've discussed previously
>     to mitigate an over-subscribed sensor.  However, the 3.1 release is
>     still a big win for us as we are able to evaluate both more signatures
>     and IP traffic on the same sensor.
> 
>     -Coop
> 
>     On 6/26/2016 2:41 PM, Peter Manev wrote:
>     > @Cooper - If I am not wrong you are on kernel > 4.2 and using
>     > af-packet. There is a bug in the kernel with regards to symmetric flow
>     > hashing for afpacket/suricata. As a test it would be much appreciated
>     > if you can please try kernel 4.2 or lower and see if it makes any
>     > difference for you?
> 
> 
>     --
>     Cooper Nelson
>     Network Security Analyst
>     UCSD ITS Security Team
>     cnelson at ucsd.edu <mailto:cnelson at ucsd.edu> x41042
> 
> 
>     _______________________________________________
>     Suricata IDS Users mailing list:
>     oisf-users at openinfosecfoundation.org
>     <mailto:oisf-users at openinfosecfoundation.org>
>     Site: http://suricata-ids.org | Support:
>     http://suricata-ids.org/support/
>     List:
>     https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>     Suricata User Conference November 9-11 in Washington, DC:
>     http://oisfevents.net
> 
> 
> 
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
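The advice in this thread is to stay on a kernel of 4.2 or older while running Suricata with af_packet, because newer kernels carry the symmetric flow hashing bug tracked in redmine #1777. The helper below is an added example written for this page (it is not code from the thread, from Suricata, or from the Suricata project): it parses a `uname -r` style version string, compares only the MAJOR.MINOR part against 4.2, and reports whether the running sensor kernel is in the affected range. The function names and the treatment of the distro suffix after the first `-` are my own choices.

```shell
#!/bin/sh
# Added example, not from the mailing list thread or the Suricata project.
# Decide whether a kernel version string is newer than 4.2, the range the
# thread advises against for Suricata af_packet (symmetric hashing bug,
# redmine #1777). Only MAJOR.MINOR is compared; the distro build suffix
# (everything from the first '-') is ignored.

# kernel_newer_than_4_2 VERSION
#   exit status 0 if VERSION > 4.2 (e.g. 4.3, 4.4, 5.x), 1 if <= 4.2,
#   2 if the string does not start with a numeric MAJOR.MINOR.
kernel_newer_than_4_2() {
    ver="$1"
    base="${ver%%-*}"          # "4.4.0-31-generic" -> "4.4.0"
    major="${base%%.*}"        # "4.4.0" -> "4"
    rest="${base#*.}"          # "4.4.0" -> "4.0"
    if [ "$rest" = "$base" ]; then
        minor=0                # no '.' at all: treat as X.0
    else
        minor="${rest%%.*}"    # "4.0" -> "4"
    fi
    minor="${minor:-0}"
    # Reject anything that is not purely numeric before comparing.
    case "$major$minor" in
        *[!0-9]*|'') return 2 ;;
    esac
    if [ "$major" -gt 4 ]; then
        return 0
    elif [ "$major" -eq 4 ] && [ "$minor" -gt 2 ]; then
        return 0
    fi
    return 1
}

# check_running_kernel: print a verdict for the host this runs on.
check_running_kernel() {
    running="$(uname -r)"
    if kernel_newer_than_4_2 "$running"; then
        echo "kernel $running is newer than 4.2: in the af_packet range flagged by redmine #1777"
    else
        echo "kernel $running is 4.2 or older: not in the flagged range"
    fi
}

check_running_kernel
```

Run it on the sensor itself; a sensor reporting "newer than 4.2" with af_packet in use is one whose throughput numbers should be re-checked, since the thread describes the effect of the bug as flows being effectively sampled at random rather than all inspected.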
