[Oisf-users] Massive kernel drops with HTTP traffic
Konstantin Klinger
konstantin.klinger at dcso.de
Fri Aug 17 13:22:36 UTC 2018
On 17.08.2018 14:42, Peter Manev wrote:
>
>> On 16 Aug 2018, at 08:00, Konstantin Klinger <konstantin.klinger at dcso.de> wrote:
>>
>>
>>
>>> On 16.08.2018 15:02, Victor Julien wrote:
>>>> On 16-08-18 14:49, Konstantin Klinger wrote:
>>>> Hello OISF users,
>>>>
>>>> we have some issues with massive capture.kernel_drops (~30-50%) on some
>>>> of our high traffic (>5Gbit/s per interface) 4.1.0dev Suricata instances
>>>> (af_packet). What we found curious about the issue is that there is no
>>>> associated heavy CPU load.
>>>>
>>>> We were able to determine that the problem is related by large volumes
>>>> of HTTP traffic on the interface (such as, for example, huge backups,
>>>> huge file downloads, etc.). Without HTTP traffic (for example after
>>>> filtering port 80/8080 via bpf before inspection) the packets drops
>>>> decreased below 5%. This is also the case after deactivating the HTTP
>>>> parser in the suricata.yaml config.
>>>>
>>>> So our question is if anyone has or had the same issue? Any experience
>>>> to share?
>>>>
>>>> We will do further debugging on this issue and we will try to make the
>>>> problem reproducible by tcpreplaying a captured pcap, but we are not at
>>>> this point yet.
>>>
>>> Which git rev? I'm just analyzing a recently added perf regression.
>>> Added in 7e004f52c60c5e4d7cd8f5ed09491291d18f42d2
>>
>> We have the same problems with 4.0.* stable.
>>
>
> When you enable http/stream events during a run do they show something abnormal ?
>
Thank you for your answer. I made a ~5min run with http-events and
stream-events ruleset active and here is the outcome:
982397 "SURICATA STREAM Packet with invalid ack"
966940 "SURICATA STREAM ESTABLISHED invalid ack"
965091 "SURICATA STREAM 3way handshake wrong seq wrong ack"
887444 "SURICATA STREAM ESTABLISHED packet out of window"
74242 "SURICATA STREAM bad window update"
13223 "SURICATA STREAM SHUTDOWN RST invalid ack"
5030 "SURICATA HTTP unable to match response to request"
2531 "SURICATA STREAM 3way handshake right seq wrong ack evasion"
2148 "SURICATA STREAM FIN invalid ack"
1391 "SURICATA STREAM FIN out of window"
227 "SURICATA STREAM CLOSEWAIT ACK out of window"
70 "SURICATA STREAM TIMEWAIT ACK with wrong seq"
63 "SURICATA STREAM CLOSEWAIT invalid ACK"
37 "SURICATA STREAM reassembly overlap with different data"
22 "SURICATA STREAM TIMEWAIT invalid ack"
15 "SURICATA STREAM CLOSEWAIT FIN out of window"
10 "SURICATA STREAM FIN1 FIN with wrong seq"
8 "SURICATA STREAM 3way handshake SYNACK with wrong ack"
5 "SURICATA STREAM ESTABLISHED SYNACK resend with different ACK"
3 "SURICATA STREAM ESTABLISHED SYN resend with different seq"
3 "SURICATA HTTP missing Host header"
2 "SURICATA STREAM Packet with invalid timestamp"
2 "SURICATA STREAM excessive retransmissions"
1 "SURICATA STREAM Last ACK with wrong seq"
1 "SURICATA STREAM FIN1 invalid ack"
1 "SURICATA STREAM ESTABLISHED SYN resend"
1 "SURICATA STREAM 3way handshake SYNACK in wrong direction"
1 "SURICATA HTTP METHOD terminated by non-compliant character"
1 "SURICATA HTTP Host part of URI is invalid"
1 "SURICATA HTTP Host header invalid"
As a side note: We don't have any influence on the incoming traffic,
which means that we can't make any changes on the span ports, tabs, etc.
But we would like to reduce the packet drops on Suricata side, no matter
how the incoming traffic looks. It would be ok if Suricata only inspects
the beginning of a large http session without dropping so much packets.
Additionally to that you can find our current configuration dump in the
attached txt-file.
--
Konstantin Klinger
Security Content Engineer
Threat Detection & Hunting (TDH)
+49 160 95476260
konstantin.klinger at dcso.de
dcso.de
blog.dcso.de
PGP: 180D C5B3 3C68 5C9A FB58 6F33 400E 5A35 3307 8D46
DCSO Deutsche Cyber-Sicherheitsorganisation GmbH • EUREF-Campus
22 • D-10829 Berlin
Geschäftsführer: Dr.-Ing. Gunnar Siebert, Sitz der Gesellschaft: Berlin,
Amtsgericht Charlottenburg HRB 172382
-------------- next part --------------
vars = (null)
vars.address-groups = (null)
vars.address-groups.HOME_NET = [redacted]
vars.address-groups.EXTERNAL_NET = !$HOME_NET
vars.address-groups.DOMAIN_CONTROLLER = [redacted]
vars.address-groups.HTTP_SERVERS = $HOME_NET
vars.address-groups.SMTP_SERVERS = $HOME_NET
vars.address-groups.SQL_SERVERS = $HOME_NET
vars.address-groups.DNS_SERVERS = $HOME_NET
vars.address-groups.TELNET_SERVERS = $HOME_NET
vars.address-groups.AIM_SERVERS = $EXTERNAL_NET
vars.address-groups.DNP3_SERVER = $HOME_NET
vars.address-groups.DNP3_CLIENT = $HOME_NET
vars.address-groups.MODBUS_CLIENT = $HOME_NET
vars.address-groups.MODBUS_SERVER = $HOME_NET
vars.address-groups.ENIP_CLIENT = $HOME_NET
vars.address-groups.ENIP_SERVER = $HOME_NET
vars.port-groups = (null)
vars.port-groups.HTTP_PORTS = [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8088,8118,8123,8180,8181,8243,8280,8530,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555]
vars.port-groups.SHELLCODE_PORTS = !80
vars.port-groups.ORACLE_PORTS = 1521
vars.port-groups.SSH_PORTS = 22
vars.port-groups.DNP3_PORTS = 20000
vars.port-groups.MODBUS_PORTS = 502
vars.port-groups.FILE_DATA_PORTS = [$HTTP_PORTS,110,143]
vars.port-groups.FTP_PORTS = 21
default-rule-path = /etc/suricata/rules
rule-files = (null)
rule-files.0 = http-events.rules
rule-files.1 = stream-events.rules
classification-file = /etc/suricata/classification.config
reference-config-file = /etc/suricata/reference.config
threshold-file = /etc/suricata/threshold.config
default-log-dir = /var/log/suricata
stats = (null)
stats.enabled = yes
stats.interval = 20
outputs = (null)
outputs.0 = fast
outputs.0.fast = (null)
outputs.0.fast.enabled = yes
outputs.0.fast.filename = fast.log
outputs.0.fast.append = yes
outputs.1 = eve-log
outputs.1.eve-log = (null)
outputs.1.eve-log.enabled = yes
outputs.1.eve-log.filetype = unix_stream
outputs.1.eve-log.filename = /tmp/stats.sock
outputs.1.eve-log.types = (null)
outputs.1.eve-log.types.0 = stats
outputs.1.eve-log.types.0.stats = (null)
outputs.1.eve-log.types.0.stats.totals = yes
outputs.1.eve-log.types.0.stats.threads = no
outputs.1.eve-log.types.0.stats.deltas = yes
outputs.2 = eve-log
outputs.2.eve-log = (null)
outputs.2.eve-log.enabled = yes
outputs.2.eve-log.filetype = unix_stream
outputs.2.eve-log.filename = /tmp/files.sock
outputs.2.eve-log.types = (null)
outputs.2.eve-log.types.0 = files
outputs.2.eve-log.types.0.files = (null)
outputs.2.eve-log.types.0.files.force-magic = yes
outputs.2.eve-log.types.0.files.force-hash = (null)
outputs.2.eve-log.types.0.files.force-hash.0 = md5
outputs.2.eve-log.types.0.files.force-hash.1 = sha1
outputs.2.eve-log.types.0.files.force-hash.2 = sha256
outputs.3 = eve-log
outputs.3.eve-log = (null)
outputs.3.eve-log.enabled = no
outputs.3.eve-log.filetype = regular
outputs.3.eve-log.filename = /tmp/alerts.json
outputs.3.eve-log.pcap-file = false
outputs.3.eve-log.xff = (null)
outputs.3.eve-log.xff.enabled = yes
outputs.3.eve-log.xff.mode = extra-data
outputs.3.eve-log.xff.deployment = reverse
outputs.3.eve-log.xff.header = X-Forwarded-For
outputs.3.eve-log.types = (null)
outputs.3.eve-log.types.0 = alert
outputs.3.eve-log.types.0.alert = (null)
outputs.3.eve-log.types.0.alert.payload = yes
outputs.3.eve-log.types.0.alert.payload-printable = no
outputs.3.eve-log.types.0.alert.packet = yes
outputs.3.eve-log.types.0.alert.http-body = yes
outputs.3.eve-log.types.0.alert.http-body-printable = no
outputs.3.eve-log.types.0.alert.metadata = yes
outputs.3.eve-log.types.0.alert.tagged-packets = yes
outputs.4 = eve-log
outputs.4.eve-log = (null)
outputs.4.eve-log.enabled = yes
outputs.4.eve-log.filetype = redis
outputs.4.eve-log.filename = /tmp/suri.sock
outputs.4.eve-log.redis = (null)
outputs.4.eve-log.redis.server = 127.0.0.1
outputs.4.eve-log.redis.port = 6379
outputs.4.eve-log.redis.async = true
outputs.4.eve-log.redis.mode = list
outputs.4.eve-log.redis.key = suricata
outputs.4.eve-log.redis.pipelining = (null)
outputs.4.eve-log.redis.pipelining.enabled = yes
outputs.4.eve-log.redis.pipelining.batch-size = 10
outputs.4.eve-log.pcap-file = false
outputs.4.eve-log.xff = (null)
outputs.4.eve-log.xff.enabled = yes
outputs.4.eve-log.xff.mode = extra-data
outputs.4.eve-log.xff.deployment = reverse
outputs.4.eve-log.xff.header = X-Forwarded-For
outputs.4.eve-log.types = (null)
outputs.4.eve-log.types.0 = alert
outputs.4.eve-log.types.0.alert = (null)
outputs.4.eve-log.types.0.alert.payload = yes
outputs.4.eve-log.types.0.alert.payload-printable = no
outputs.4.eve-log.types.0.alert.packet = yes
outputs.4.eve-log.types.0.alert.http-body = yes
outputs.4.eve-log.types.0.alert.http-body-printable = no
outputs.4.eve-log.types.0.alert.metadata = yes
outputs.4.eve-log.types.0.alert.tagged-packets = yes
outputs.4.eve-log.types.1 = http
outputs.4.eve-log.types.1.http = (null)
outputs.4.eve-log.types.1.http.extended = yes
outputs.4.eve-log.types.2 = dns
outputs.4.eve-log.types.2.dns = (null)
outputs.4.eve-log.types.2.dns.version = 2
outputs.4.eve-log.types.2.dns.enabled = yes
outputs.4.eve-log.types.2.dns.requests = no
outputs.4.eve-log.types.2.dns.responses = yes
outputs.4.eve-log.types.3 = tls
outputs.4.eve-log.types.3.tls = (null)
outputs.4.eve-log.types.3.tls.extended = yes
outputs.4.eve-log.types.4 = smtp
outputs.4.eve-log.types.4.smtp = (null)
outputs.4.eve-log.types.4.smtp.extended = yes
outputs.4.eve-log.types.5 = dnp3
outputs.4.eve-log.types.6 = nfs
outputs.4.eve-log.types.7 = smb
outputs.4.eve-log.types.8 = tftp
outputs.4.eve-log.types.9 = ikev2
outputs.4.eve-log.types.10 = krb5
outputs.4.eve-log.types.11 = dhcp
outputs.4.eve-log.types.11.dhcp = (null)
outputs.4.eve-log.types.11.dhcp.enabled = yes
outputs.4.eve-log.types.11.dhcp.extended = no
outputs.4.eve-log.types.12 = ssh
outputs.4.eve-log.types.13 = stats
outputs.4.eve-log.types.13.stats = (null)
outputs.4.eve-log.types.13.stats.totals = yes
outputs.4.eve-log.types.13.stats.threads = no
outputs.4.eve-log.types.13.stats.deltas = yes
outputs.4.eve-log.types.14 = flow
outputs.5 = unified2-alert
outputs.5.unified2-alert = (null)
outputs.5.unified2-alert.enabled = no
outputs.5.unified2-alert.filename = unified2.alert
outputs.5.unified2-alert.xff = (null)
outputs.5.unified2-alert.xff.enabled = no
outputs.5.unified2-alert.xff.mode = extra-data
outputs.5.unified2-alert.xff.deployment = reverse
outputs.5.unified2-alert.xff.header = X-Forwarded-For
outputs.6 = http-log
outputs.6.http-log = (null)
outputs.6.http-log.enabled = no
outputs.6.http-log.filename = http.log
outputs.6.http-log.append = yes
outputs.7 = tls-log
outputs.7.tls-log = (null)
outputs.7.tls-log.enabled = no
outputs.7.tls-log.filename = tls.log
outputs.7.tls-log.append = yes
outputs.8 = tls-store
outputs.8.tls-store = (null)
outputs.8.tls-store.enabled = no
outputs.9 = dns-log
outputs.9.dns-log = (null)
outputs.9.dns-log.enabled = no
outputs.9.dns-log.filename = dns.log
outputs.9.dns-log.append = yes
outputs.10 = pcap-log
outputs.10.pcap-log = (null)
outputs.10.pcap-log.enabled = no
outputs.10.pcap-log.filename = log.pcap
outputs.10.pcap-log.limit = 1000mb
outputs.10.pcap-log.max-files = 2000
outputs.10.pcap-log.compression = none
outputs.10.pcap-log.mode = normal
outputs.10.pcap-log.use-stream-depth = no
outputs.10.pcap-log.honor-pass-rules = no
outputs.11 = alert-debug
outputs.11.alert-debug = (null)
outputs.11.alert-debug.enabled = no
outputs.11.alert-debug.filename = alert-debug.log
outputs.11.alert-debug.append = yes
outputs.12 = alert-prelude
outputs.12.alert-prelude = (null)
outputs.12.alert-prelude.enabled = no
outputs.12.alert-prelude.profile = suricata
outputs.12.alert-prelude.log-packet-content = no
outputs.12.alert-prelude.log-packet-header = yes
outputs.13 = stats
outputs.13.stats = (null)
outputs.13.stats.enabled = yes
outputs.13.stats.filename = stats.log
outputs.13.stats.append = yes
outputs.13.stats.totals = yes
outputs.13.stats.threads = no
outputs.14 = syslog
outputs.14.syslog = (null)
outputs.14.syslog.enabled = no
outputs.14.syslog.facility = local5
outputs.15 = drop
outputs.15.drop = (null)
outputs.15.drop.enabled = no
outputs.15.drop.filename = drop.log
outputs.15.drop.append = yes
outputs.16 = file-store
outputs.16.file-store = (null)
outputs.16.file-store.version = 2
outputs.16.file-store.enabled = no
outputs.16.file-store.xff = (null)
outputs.16.file-store.xff.enabled = yes
outputs.16.file-store.xff.mode = extra-data
outputs.16.file-store.xff.deployment = reverse
outputs.16.file-store.xff.header = X-Forwarded-For
outputs.17 = file-store
outputs.17.file-store = (null)
outputs.17.file-store.enabled = yes
outputs.17.file-store.log-dir = files
outputs.17.file-store.force-magic = yes
outputs.17.file-store.force-hash = (null)
outputs.17.file-store.force-hash.0 = md5
outputs.17.file-store.force-hash.1 = sha1
outputs.17.file-store.force-hash.2 = sha256
outputs.17.file-store.force-filestore = no
outputs.17.file-store.stream-depth = 0
outputs.17.file-store.waldo = file.waldo
outputs.17.file-store.include-pid = no
outputs.18 = file-log
outputs.18.file-log = (null)
outputs.18.file-log.enabled = no
outputs.18.file-log.filename = files-json.log
outputs.18.file-log.append = yes
outputs.18.file-log.force-magic = no
outputs.19 = tcp-data
outputs.19.tcp-data = (null)
outputs.19.tcp-data.enabled = no
outputs.19.tcp-data.type = file
outputs.19.tcp-data.filename = tcp-data.log
outputs.20 = http-body-data
outputs.20.http-body-data = (null)
outputs.20.http-body-data.enabled = no
outputs.20.http-body-data.type = file
outputs.20.http-body-data.filename = http-data.log
outputs.21 = lua
outputs.21.lua = (null)
outputs.21.lua.enabled = no
outputs.21.lua.scripts =
logging = (null)
logging.default-log-level = Info
logging.default-output-filter =
logging.outputs = (null)
logging.outputs.0 = console
logging.outputs.0.console = (null)
logging.outputs.0.console.enabled = yes
logging.outputs.1 = file
logging.outputs.1.file = (null)
logging.outputs.1.file.enabled = yes
logging.outputs.1.file.level = Info
logging.outputs.1.file.filename = /var/log/suricata/suricata.log
logging.outputs.2 = syslog
logging.outputs.2.syslog = (null)
logging.outputs.2.syslog.enabled = no
logging.outputs.2.syslog.facility = local5
logging.outputs.2.syslog.format = [%i] <%d> --
app-layer = (null)
app-layer.protocols = (null)
app-layer.protocols.krb5 = (null)
app-layer.protocols.krb5.enabled = yes
app-layer.protocols.ikev2 = (null)
app-layer.protocols.ikev2.enabled = yes
app-layer.protocols.tls = (null)
app-layer.protocols.tls.enabled = yes
app-layer.protocols.tls.detection-ports = (null)
app-layer.protocols.tls.detection-ports.dp = 443
app-layer.protocols.tls.ja3-fingerprints = no
app-layer.protocols.tls.encrypt-handling = default
app-layer.protocols.dcerpc = (null)
app-layer.protocols.dcerpc.enabled = yes
app-layer.protocols.ftp = (null)
app-layer.protocols.ftp.enabled = yes
app-layer.protocols.ssh = (null)
app-layer.protocols.ssh.enabled = yes
app-layer.protocols.smtp = (null)
app-layer.protocols.smtp.enabled = yes
app-layer.protocols.smtp.mime = (null)
app-layer.protocols.smtp.mime.decode-mime = yes
app-layer.protocols.smtp.mime.decode-base64 = yes
app-layer.protocols.smtp.mime.decode-quoted-printable = yes
app-layer.protocols.smtp.mime.header-value-depth = 2000
app-layer.protocols.smtp.mime.extract-urls = yes
app-layer.protocols.smtp.mime.body-md5 = no
app-layer.protocols.smtp.inspected-tracker = (null)
app-layer.protocols.smtp.inspected-tracker.content-limit = 100000
app-layer.protocols.smtp.inspected-tracker.content-inspect-min-size = 32768
app-layer.protocols.smtp.inspected-tracker.content-inspect-window = 4096
app-layer.protocols.imap = (null)
app-layer.protocols.imap.enabled = detection-only
app-layer.protocols.msn = (null)
app-layer.protocols.msn.enabled = detection-only
app-layer.protocols.smb = (null)
app-layer.protocols.smb.enabled = yes
app-layer.protocols.smb.detection-ports = (null)
app-layer.protocols.smb.detection-ports.dp = 139, 445
app-layer.protocols.nfs = (null)
app-layer.protocols.nfs.enabled = yes
app-layer.protocols.tftp = (null)
app-layer.protocols.tftp.enabled = yes
app-layer.protocols.dns = (null)
app-layer.protocols.dns.global-memcap = 6GB
app-layer.protocols.dns.state-memcap = 2mb
app-layer.protocols.dns.tcp = (null)
app-layer.protocols.dns.tcp.enabled = yes
app-layer.protocols.dns.tcp.detection-ports = (null)
app-layer.protocols.dns.tcp.detection-ports.dp = 53
app-layer.protocols.dns.udp = (null)
app-layer.protocols.dns.udp.enabled = yes
app-layer.protocols.dns.udp.detection-ports = (null)
app-layer.protocols.dns.udp.detection-ports.dp = 53
app-layer.protocols.http = (null)
app-layer.protocols.http.enabled = yes
app-layer.protocols.http.memcap = 2GB
app-layer.protocols.http.libhtp = (null)
app-layer.protocols.http.libhtp.default-config = (null)
app-layer.protocols.http.libhtp.default-config.personality = IDS
app-layer.protocols.http.libhtp.default-config.request-body-limit = 1mb
app-layer.protocols.http.libhtp.default-config.response-body-limit = 1mb
app-layer.protocols.http.libhtp.default-config.request-body-minimal-inspect-size = 32kb
app-layer.protocols.http.libhtp.default-config.request-body-inspect-window = 4kb
app-layer.protocols.http.libhtp.default-config.response-body-minimal-inspect-size = 40kb
app-layer.protocols.http.libhtp.default-config.response-body-inspect-window = 16kb
app-layer.protocols.http.libhtp.default-config.response-body-decompress-layer-limit = 2
app-layer.protocols.http.libhtp.default-config.http-body-inline = auto
app-layer.protocols.http.libhtp.default-config.swf-decompression = (null)
app-layer.protocols.http.libhtp.default-config.swf-decompression.enabled = yes
app-layer.protocols.http.libhtp.default-config.swf-decompression.type = both
app-layer.protocols.http.libhtp.default-config.swf-decompression.compress-depth = 0
app-layer.protocols.http.libhtp.default-config.swf-decompression.decompress-depth = 0
app-layer.protocols.http.libhtp.default-config.double-decode-path = no
app-layer.protocols.http.libhtp.default-config.double-decode-query = no
app-layer.protocols.http.libhtp.server-config =
app-layer.protocols.modbus = (null)
app-layer.protocols.modbus.enabled = yes
app-layer.protocols.modbus.detection-ports = (null)
app-layer.protocols.modbus.detection-ports.dp = 502
app-layer.protocols.modbus.stream-depth = 0
app-layer.protocols.dnp3 = (null)
app-layer.protocols.dnp3.enabled = yes
app-layer.protocols.dnp3.detection-ports = (null)
app-layer.protocols.dnp3.detection-ports.dp = 20000
app-layer.protocols.enip = (null)
app-layer.protocols.enip.enabled = yes
app-layer.protocols.enip.detection-ports = (null)
app-layer.protocols.enip.detection-ports.dp = 44818
app-layer.protocols.enip.detection-ports.sp = 44818
app-layer.protocols.ntp = (null)
app-layer.protocols.ntp.enabled = yes
app-layer.protocols.dhcp = (null)
app-layer.protocols.dhcp.enabled = yes
asn1-max-frames = 256
decoder = (null)
decoder.teredo = (null)
decoder.teredo.enabled = true
coredump = (null)
coredump.max-dump = unlimited
host-mode = auto
max-pending-packets = 65000
runmode = workers
default-packet-size = 1518
unix-command = (null)
unix-command.enabled = yes
unix-command.filename = /var/run/suricata-command.socket
legacy = (null)
legacy.uricontent = enabled
engine-analysis = (null)
engine-analysis.rules-fast-pattern = yes
engine-analysis.rules = yes
pcre = (null)
pcre.match-limit = 3500
pcre.match-limit-recursion = 1500
host-os-policy = (null)
host-os-policy.windows = (null)
host-os-policy.windows.0 = 0.0.0.0/0
host-os-policy.bsd = (null)
host-os-policy.bsd-right = (null)
host-os-policy.old-linux = (null)
host-os-policy.linux = (null)
host-os-policy.old-solaris = (null)
host-os-policy.solaris = (null)
host-os-policy.hpux10 = (null)
host-os-policy.hpux11 = (null)
host-os-policy.irix = (null)
host-os-policy.macos = (null)
host-os-policy.vista = (null)
host-os-policy.windows2k3 = (null)
defrag = (null)
defrag.memcap = 512mb
defrag.hash-size = 65536
defrag.trackers = 65535
defrag.max-frags = 65535
defrag.prealloc = yes
defrag.timeout = 60
flow = (null)
flow.memcap = 128mb
flow.hash-size = 65536
flow.prealloc = 10000
flow.emergency-recovery = 30
flow.managers = 2
flow.recyclers = 2
vlan = (null)
vlan.use-for-tracking = true
flow-timeouts = (null)
flow-timeouts.default = (null)
flow-timeouts.default.new = 3
flow-timeouts.default.established = 60
flow-timeouts.default.closed = 0
flow-timeouts.default.bypassed = 100
flow-timeouts.default.emergency-new = 1
flow-timeouts.default.emergency-established = 10
flow-timeouts.default.emergency-closed = 0
flow-timeouts.default.emergency-bypassed = 5
flow-timeouts.tcp = (null)
flow-timeouts.tcp.new = 6
flow-timeouts.tcp.established = 60
flow-timeouts.tcp.closed = 0
flow-timeouts.tcp.bypassed = 10
flow-timeouts.tcp.emergency-new = 3
flow-timeouts.tcp.emergency-established = 10
flow-timeouts.tcp.emergency-closed = 0
flow-timeouts.tcp.emergency-bypassed = 5
flow-timeouts.udp = (null)
flow-timeouts.udp.new = 3
flow-timeouts.udp.established = 60
flow-timeouts.udp.bypassed = 10
flow-timeouts.udp.emergency-new = 1
flow-timeouts.udp.emergency-established = 10
flow-timeouts.udp.emergency-bypassed = 5
flow-timeouts.icmp = (null)
flow-timeouts.icmp.new = 3
flow-timeouts.icmp.established = 60
flow-timeouts.icmp.bypassed = 10
flow-timeouts.icmp.emergency-new = 1
flow-timeouts.icmp.emergency-established = 10
flow-timeouts.icmp.emergency-bypassed = 5
stream = (null)
stream.memcap = 16gb
stream.bypass = true
stream.prealloc-sessions = 375000
stream.checksum-validation = no
stream.inline = auto
stream.reassembly = (null)
stream.reassembly.memcap = 12gb
stream.reassembly.segment-prealloc = 100000
stream.reassembly.depth = 1mb
stream.reassembly.toserver-chunk-size = 2560
stream.reassembly.toclient-chunk-size = 2560
stream.reassembly.randomize-chunk-size = yes
host = (null)
host.hash-size = 4096
host.prealloc = 1000
host.memcap = 128mb
detect = (null)
detect.profile = high
detect.custom-values = (null)
detect.custom-values.toclient-groups = 3
detect.custom-values.toserver-groups = 25
detect.sgh-mpm-context = auto
detect.inspection-recursion-limit = 3000
detect.prefilter = (null)
detect.prefilter.default = auto
detect.grouping = (null)
detect.grouping.tcp-whitelist = 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
detect.grouping.udp-whitelist = 53, 135, 5060
detect.profiling = (null)
detect.profiling.grouping = (null)
detect.profiling.grouping.dump-to-disk = false
detect.profiling.grouping.include-rules = false
detect.profiling.grouping.include-mpm-stats = false
mpm-algo = hs
spm-algo = hs
threading = (null)
threading.set-cpu-affinity = yes
threading.cpu-affinity = (null)
threading.cpu-affinity.0 = management-cpu-set
threading.cpu-affinity.0.management-cpu-set = (null)
threading.cpu-affinity.0.management-cpu-set.cpu = (null)
threading.cpu-affinity.0.management-cpu-set.cpu.0 = 31-32
threading.cpu-affinity.1 = receive-cpu-set
threading.cpu-affinity.1.receive-cpu-set = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu.0 = 33-34
threading.cpu-affinity.2 = worker-cpu-set
threading.cpu-affinity.2.worker-cpu-set = (null)
threading.cpu-affinity.2.worker-cpu-set.cpu = (null)
threading.cpu-affinity.2.worker-cpu-set.cpu.0 = 0-29
threading.cpu-affinity.2.worker-cpu-set.mode = exclusive
threading.cpu-affinity.2.worker-cpu-set.prio = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.low = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.medium = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.high = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.high.0 = 0-29
threading.cpu-affinity.2.worker-cpu-set.prio.default = high
threading.detect-thread-ratio = 1.0
luajit = (null)
luajit.states = 600
capture = (null)
capture.disable-offloading = true
capture.checksum-validation = none
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = enp94s0f0
af-packet.0.threads = 30
af-packet.0.cluster-id = 99
af-packet.0.cluster-type = cluster_qm
af-packet.0.defrag = no
af-packet.0.use-mmap = yes
af-packet.0.mmap-locked = yes
af-packet.0.tpacket-v3 = yes
More information about the Oisf-users
mailing list