[Oisf-users] HTTP and DNS alert and captures not working

Cooper F. Nelson cnelson at ucsd.edu
Tue Jun 28 22:21:11 UTC 2016


Ok, that's it: reverting to < 4.2 seems to have fixed the issue.

However, it uncovered a new one as the performance metrics we have been
reporting for the mpm/hyperscan 3.1 series release were off, as the end
result of the bug was that IP flows were effectively being randomly sampled.

So we are back to using some of the techniques I've discussed previously
to mitigate an over-subscribed sensor.  However, the 3.1 release is
still a big win for us as we are able to evaluate both more signatures
and IP traffic on the same sensor.

-Coop

On 6/26/2016 2:41 PM, Peter Manev wrote:
> @Cooper - If I am not wrong you are on kernel > 4.2 and using
> af-packet. There is a bug in the kernel with regards to symmetric flow
> hashing for afpacket/suricata. As a test it would be much appreciated
> if you can please try kernel 4.2 or lower and see if it makes any
> difference for you?


-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
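To make the "random sampling" effect concrete, here is an added illustration (not code from the thread, Suricata, or the kernel) of why the symmetry of the fanout hash matters: if the per-packet hash depends on packet direction, the two halves of one TCP or DNS exchange land on different worker threads, so no single worker can reassemble the stream or match a query to its reply. The CRC32-based hashes, the worker count and the sample addresses are constructed for the example, not the real AF_PACKET algorithm.

```python
import zlib
from collections import defaultdict

# Constructed sample traffic: one HTTP connection and one DNS lookup,
# each captured in both directions as (src, sport, dst, dport, proto).
PACKETS = [
    ("10.0.0.5", 51000, "192.0.2.10", 80, 6),    # client -> server (SYN)
    ("192.0.2.10", 80, "10.0.0.5", 51000, 6),    # server -> client (SYN/ACK)
    ("10.0.0.5", 51000, "192.0.2.10", 80, 6),    # client -> server (request)
    ("192.0.2.10", 80, "10.0.0.5", 51000, 6),    # server -> client (response)
    ("10.0.0.9", 40000, "192.0.2.53", 53, 17),   # DNS query
    ("192.0.2.53", 53, "10.0.0.9", 40000, 17),   # DNS reply
]

def asymmetric_hash(pkt):
    """Hash the 5-tuple exactly as seen on the wire: direction-dependent."""
    src, sport, dst, dport, proto = pkt
    return zlib.crc32(f"{src}:{sport}>{dst}:{dport}/{proto}".encode())

def symmetric_hash(pkt):
    """Canonicalise endpoint order first, so both directions hash alike."""
    src, sport, dst, dport, proto = pkt
    a, b = sorted([(src, sport), (dst, dport)])
    return zlib.crc32(f"{a[0]}:{a[1]}>{b[0]}:{b[1]}/{proto}".encode())

def flow_id(pkt):
    """Direction-independent flow key used only to group packets for the check."""
    src, sport, dst, dport, proto = pkt
    return tuple(sorted([(src, sport), (dst, dport)])) + (proto,)

def assign_workers(packets, hash_fn, n_workers):
    """Simulate fanout: each packet goes to worker (hash mod n_workers)."""
    return [hash_fn(p) % n_workers for p in packets]

def split_flows(packets, workers):
    """Return the flows whose packets were spread over more than one worker;
    every flow reported here is one a single worker sees only partially."""
    seen = defaultdict(set)
    for pkt, worker in zip(packets, workers):
        seen[flow_id(pkt)].add(worker)
    return {flow for flow, ws in seen.items() if len(ws) > 1}

if __name__ == "__main__":
    for name, fn in (("asymmetric", asymmetric_hash), ("symmetric", symmetric_hash)):
        split = split_flows(PACKETS, assign_workers(PACKETS, fn, 8))
        print(f"{name}: {len(split)} flow(s) split across workers")
```

With the symmetric hash the split set is always empty regardless of worker count; with the direction-dependent hash a flow stays intact only by luck of the modulus, which is the behaviour the thread describes as flows being sampled rather than inspected.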


