[Oisf-users] Drops: From none to gigantic in the blink of an eye

Cloherty, Sean E scloherty at mitre.org
Thu Mar 24 17:22:48 UTC 2016


Grepping the stats.log file for 'emergency' came up blank.

-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Victor Julien
Sent: Thursday, March 24, 2016 11:52 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Drops: From none to gigantic in the blink of an eye

On 23-03-16 20:33, Cooper F. Nelson wrote:
> The thing about SYN floods is that they don't generate that much traffic.
> They are designed to DOS hosts, not networks.  And it only takes a few 
> mbits of SYN packets from spoofed source addresses/ports to DOS a 
> suricata sensor, due to flow hashing/tracking.
> 
> If it's a memory leak you should be able to see that by running top 
> and monitoring memory usage, which looks ok in your case.
> 
> If it's an issue with the flow memory-cap I would think you'd be seeing 
> lots of messages in the suricata log about flow-emergency mode.

Good point. The counters didn't show this, while they should have I think.

Sean, did you get flow 'emergency' mode messages in your log or to stdout?

Cheers,
Victor

> 
> -Coop
> 
> On 3/23/2016 12:26 PM, Cloherty, Sean E wrote:
>> Thank you Cooper,
>>
>> I will give this a try.  Though I would assume that the SYN flood 
>> would still show up as increased network traffic on the interface.
>> This is a test machine, but I do have it integrated into our 
>> production Zabbix monitor so I can keep an eye on it.
>>
>> Does anyone think it might be a symptom of a memory leak?  Would it 
>> be worthwhile testing Victor's suggestion before trying the new RC 
>> that was released?
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: 
> http://suricata-ids.org/support/
> List: 
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: 
> http://oisfevents.net
> 


--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
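As an added example (not from this thread or from the Suricata project), a small Python script that reads consecutive stats.log snapshots and reports the three things raised above: the kernel drop ratio, flow.memcap hits, and whether flow.emerg_mode_entered incremented. It assumes the Suricata 3.x "Counter | TM Name | Value" layout and those counter names; the log excerpt is constructed.

```python
# Added example: summarise Suricata stats.log snapshots for the symptoms
# discussed in the thread (kernel drops, flow memcap hits, flow emergency mode).
# Assumes the 3.x 'Counter | TM Name | Value' layout and the counter names
# flow.memcap / flow.emerg_mode_entered; the sample below is constructed.
import re
from collections import defaultdict

SAMPLE_STATS_LOG = """\
Date: 3/24/2016 -- 12:00:00 (uptime: 0d, 01h 00m 00s)
Counter                   | TM Name                   | Value
capture.kernel_packets    | RxPFRing1                 | 90000000
capture.kernel_drops      | RxPFRing1                 | 0
flow.memcap               | FlowManagerThread         | 0
flow.emerg_mode_entered   | FlowManagerThread         | 0
Date: 3/24/2016 -- 12:00:08 (uptime: 0d, 01h 00m 08s)
Counter                   | TM Name                   | Value
capture.kernel_packets    | RxPFRing1                 | 90400000
capture.kernel_drops      | RxPFRing1                 | 250000
flow.memcap               | FlowManagerThread         | 18231
flow.emerg_mode_entered   | FlowManagerThread         | 1
"""

ROW = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_snapshots(text):
    """One {counter: value} dict per 'Date:' block; values summed over threads."""
    snapshots = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            snapshots.append(defaultdict(int))
        elif snapshots and (m := ROW.match(line)):
            snapshots[-1][m.group(1)] += int(m.group(3))
    return [dict(s) for s in snapshots]

def diagnose(text):
    """Compare first and last snapshot: drop ratio, memcap hits, emergency mode."""
    snaps = parse_snapshots(text)
    if len(snaps) < 2:
        raise ValueError("need at least two snapshots")
    first, last = snaps[0], snaps[-1]
    delta = lambda k: last.get(k, 0) - first.get(k, 0)
    pkts, drops = delta("capture.kernel_packets"), delta("capture.kernel_drops")
    return {
        "drop_pct": round(100.0 * drops / pkts, 2) if pkts else 0.0,
        "memcap_hits": delta("flow.memcap"),
        # the assumed counter name contains 'emerg', not 'emergency'
        "emergency_entered": delta("flow.emerg_mode_entered") > 0,
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_STATS_LOG))
```

If the counter is indeed named flow.emerg_mode_entered, a grep of stats.log for 'emergency' would miss it, which is why the script keys on the counter name rather than the word.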
