[Oisf-users] [Question] suricata test with pcap-file(After upgrading the suricata version(2.0.11 --> 3.2))

박경호 pgh5247 at naver.com
Mon Feb 6 10:41:21 UTC 2017


 
-----Original Message-----
From: "Peter Manev"<petermanev at gmail.com> 
To: "박경호"<pgh5247 at naver.com>; 
Cc: "Andreas Herz"<andi at geekosphere.org>; "oisf-users at lists.openinfosecfoundation.org"<oisf-users at lists.openinfosecfoundation.org>; 
Sent: 2017-02-04 (Sat) 00:32:06
Subject: Re: [Oisf-users] [Question] suricata test with pcap-file(After upgrading the suricata version(2.0.11 --> 3.2))
 
On Wed, Feb 1, 2017 at 4:13 AM, 박경호 <pgh5247 at naver.com> wrote:
>
>
>
> -----Original Message-----
> From: "Peter Manev"<petermanev at gmail.com>
> To: "박경호"<pgh5247 at naver.com>;
> Cc: "Andreas Herz"<andi at geekosphere.org>; "oisf-users at lists.openinfosecfoundation.org"<oisf-users at lists.openinfosecfoundation.org>;
> Sent: 2017-01-31 (Tue) 18:55:58
> Subject: Re: [Oisf-users] [Question] suricata test with pcap-file(After upgrading the suricata version(2.0.11 --> 3.2))
>
>
> On Tue, Jan 31, 2017 at 10:20 AM, 박경호 <pgh5247 at naver.com> wrote:
> >
> > Thank you for your efforts.
> >
> > I was also able to get a consistent number of logs/alerts through all the pcap runs (with --runmode=single) with the provided pcap and other pcap files.
> >
> > When I ran Suricata on the multiple pcap files with the 'autofp' runmode, the results were different through all the pcap runs (reassembly memcap was set to '2gb').
>
> They should not differ for autofp as well (with the exception of some
> threshold rules) - did you try adjusting the segment's prealloc size
> if you have segment memcap hits in the stats.log?(dont forget to
> reorder the resulting pcap as well)
>
> ==> How can I adjust the segment's prealloc size? And how can I know whether there are segment memcap hits in the stats.log?
>

With the adjustment that you have previously shown/attached I think
you should be good
- size: 1460
==> Yes, I attached prealloc 1024 for size 1460 in the segments part.

A hint for not having the right segment size or not enough of it can
be from - tcp.segment_memcap_drop in stats.log
==> There's no message about tcp.segment_memcap_drop in stats.log,
      and I couldn't find the segment warning in the suricata.log file.
 
I couldn't get the same alert messages whenever I ran Suricata with the autofp runmode.
(I uploaded a small pcap file (about 2MB) to use for the test to Google Drive: https://drive.google.com/open?id=0B4Mdb8bpuRlnemk5cVBOcDFKblk )
And I set the stream configuration like the following:
 
runmode: single

flow:
  memcap: 1gb
  hash-size: 65536
  prealloc: 1000000

stream:
  memcap: 512mb
  checksum-validation: yes
  inline: no
  reassembly:
    memcap: 1gb
    depth: 2mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10
    raw: yes
    chunk-prealloc: 1000
    segments:
      - size: 4
        prealloc: 256
      - size: 16
        prealloc: 512
      - size: 40
        prealloc: 1024
      - size: 112
        prealloc: 512
      - size: 248
        prealloc: 512
      - size: 512
        prealloc: 512
      - size: 768
        prealloc: 1024
      - size: 1448
        prealloc: 1024
      - size: 1460
        prealloc: 1024
      - size: 65535
        prealloc: 128
    #zero-copy-size: 128
> There was a feature pushed recently to git master that is aiming at
> automating this a bit (
> https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L1223
> ).
>
> ==> I changed the reassembly memcap and segments in suricata.yaml like the following:
>
>
> Thanks
>
>
>
> --
> Regards,
> Peter Manev
>




-- 
Regards,
Peter Manev
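One way to answer the "how can I know whether there are segment memcap hits in the stats.log" question from this thread, as an added example that is not part of the thread or of Suricata itself: it parses the Suricata 3.x stats.log counter layout (Counter | TM Name | Value), flags the memcap counters that explain run-to-run differences, and compares detect.alert between two runs of the same pcap. The stats.log text below is constructed, not a real capture.

```python
import re

# Constructed Suricata 3.x stats.log dump (values invented for illustration).
SAMPLE_STATS = """\
------------------------------------------------------------------------------------
Date: 2/6/2017 -- 10:41:21 (uptime: 0d, 00h 00m 05s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 18213
tcp.sessions                               | Total                     | 412
tcp.segment_memcap_drop                    | Total                     | 37
tcp.ssn_memcap_drop                        | Total                     | 0
tcp.reassembly_memuse                      | Total                     | 1048576
flow.memcap                                | Total                     | 0
detect.alert                               | Total                     | 91
"""

# "counter | tm name | integer value"; header and separator lines do not match.
COUNTER_RE = re.compile(r"^(\S+)\s*\|\s*([^|]+?)\s*\|\s*(\d+)\s*$")

# Nonzero here means Suricata dropped segments/sessions/flows for lack of memory,
# so reassembly (and therefore alerts) can differ between runs of the same pcap.
MEMCAP_COUNTERS = ("tcp.segment_memcap_drop", "tcp.ssn_memcap_drop", "flow.memcap")


def parse_stats(text):
    """Return {counter: value} for the LAST dump in a stats.log text.
    stats.log appends a new dump every interval; each starts with a 'Date:' line."""
    counters = {}
    for line in text.splitlines():
        if line.startswith("Date:"):
            counters = {}  # new dump: discard the previous snapshot
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(3))
    return counters


def memcap_hits(counters):
    """Subset of MEMCAP_COUNTERS that are present and nonzero in a parsed dump."""
    return {k: counters[k] for k in MEMCAP_COUNTERS if counters.get(k, 0) > 0}


def alert_delta(stats_run_a, stats_run_b):
    """detect.alert of run B minus run A; nonzero for the same pcap is the symptom
    described in this thread and should be checked against memcap_hits()."""
    a = parse_stats(stats_run_a).get("detect.alert", 0)
    b = parse_stats(stats_run_b).get("detect.alert", 0)
    return b - a
```

Read the real file with `open("/var/log/suricata/stats.log").read()` in place of SAMPLE_STATS; a nonzero tcp.segment_memcap_drop is the signal to raise the segment prealloc or reassembly memcap before comparing runs.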
 