[Oisf-users] Suricata+Netmap IPS stops passing packets after approx 10 seconds
Brandon Reeves
brandonreeves at outlook.com
Wed Sep 7 00:38:34 UTC 2016
Just a simple start script within FreeBSD. Basically suricata --netmap -vvv
There are no errors reported in the suricata.log or within messages. I am thinking it may be related to a specific netmap+suricata configuration or compilation issue, because we have built a secondary suricata system with the same config using af-packet on Linux, PF_RING on Linux, and ipfw on FreeBSD. The real issue is that we need the performance of netmap to get as close to wire speed as possible. We have also tested some "precompiled" suricata installs on things like OPNsense and pfSense, since they are using suricata+netmap, and they don't seem to have the issue.
Otherwise, if anyone could recommend the best way to get near wire speed on Linux, we would be glad to go that route. We are just unfamiliar with PF_RING and all the required configuration options to tune it properly.
Thanks
Brandon
________________________________
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Andreas Herz <andi at geekosphere.org>
Sent: Tuesday, September 6, 2016 3:29 PM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata+Netmap IPS stops passing packets after approx 10 seconds
On 03/09/16 at 18:30, Brandon Reeves wrote:
> We have got suricata+netmap working in IPS mode. Once we bring it up,
> we can ping through the device as if it wasn't there. However, within a
> few seconds of receiving traffic, all packets stop passing across
> suricata. This means that all traffic outbound + inbound also stops.
> All we have to do is restart suricata and the issue repeats. We have
> tried multiple versions of FreeBSD as well as suricata and the same
> issue appears. We have done little to tune the default suricata.yaml
> since we have been combating this issue other than configuring the
> interfaces. We have also used the default suricata.yaml from 3.0 and
> 3.1.1.
>
> [...]
>
> Please advise on how I can troubleshoot this issue
How do you run suricata?
Do you see any related messages from the system within the logs?
We're getting more and more FreeBSD users, so I hope someone familiar
with FreeBSD and suricata might step in.
--
Andreas Herz
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
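For readers following this thread, the netmap IPS configuration that Suricata's documentation describes for the `--netmap` run mode mentioned above, written out as an added example. This is not the poster's suricata.yaml and not code from the Suricata project; the interface names em0 and em1 are assumptions, and the config path in the usage note is the FreeBSD port's default rather than anything stated in the thread.

```yaml
# Added example: netmap inline (IPS) section for suricata.yaml.
# Not the poster's config; em0 and em1 are assumed interface names.
# In copy-mode ips each interface is a netmap endpoint whose packets are
# forwarded to copy-iface only while Suricata's netmap threads run, so a
# stalled or blocked thread halts traffic in both directions at once.
netmap:
  - interface: em0
    threads: auto
    copy-mode: ips
    copy-iface: em1
    disable-promisc: no
    checksum-checks: auto
  - interface: em1
    threads: auto
    copy-mode: ips
    copy-iface: em0
    disable-promisc: no
    checksum-checks: auto
```

Start it with `suricata -c /usr/local/etc/suricata/suricata.yaml --netmap -vvv` (path assumed). Two checks worth making before chasing anything else: the two entries must be symmetric, each naming the other as its copy-iface, and the interfaces must not also be expected to carry the host's own traffic, since opening an interface through netmap detaches it from the FreeBSD host stack; netmap(4) exposes the host-stack side separately with a trailing `^` on the interface name, which is what Suricata's docs use when a box should both forward and terminate traffic on the same NIC.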