[Oisf-users] Massive kernel drops with HTTP traffic

Konstantin Klinger konstantin.klinger at dcso.de
Fri Aug 17 13:24:31 UTC 2018

On 17.08.2018 15:21, Michael Stone wrote:
> On Thu, Aug 16, 2018 at 04:00:08PM +0200, you wrote:
>>> On 16-08-18 14:49, Konstantin Klinger wrote:
>>>> we have some issues with massive capture.kernel_drops (~30-50%) on some
>>>> of our high traffic (>5Gbit/s per interface) 4.1.0dev Suricata
>>>> instances
>>>> (af_packet). What we found curious about the issue is that there is no
>>>> associated heavy CPU load.
> [...]
>> We have the same problems with 4.0.* stable.
> Do you have filemagic enabled?

Yes. We currently use filestore v1. And we use the filemagic value in
our rules for filestoring.

Konstantin Klinger
Security Content Engineer
Threat Detection & Hunting (TDH)

+49 160 95476260
konstantin.klinger at dcso.de


PGP: 180D C5B3 3C68 5C9A FB58 6F33 400E 5A35 3307 8D46
DCSO Deutsche Cyber-Sicherheitsorganisation GmbH • EUREF-Campus
22 • D-10829 Berlin
Geschäftsführer: Dr.-Ing. Gunnar Siebert, Sitz der Gesellschaft: Berlin,
Amtsgericht Charlottenburg HRB 172382

More information about the Oisf-users mailing list