[Oisf-users] Really desperated: Suricata drops allmost packages

C. L. Martinez carlopmart at gmail.com
Fri Mar 23 08:42:43 UTC 2018


Sorry for this late response.

Here it is:

------------------------------------------------------------------------------------
Date: 3/23/2018 -- 08:40:07 (uptime: 0d, 01h 13m 47s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 437700
capture.kernel_drops                       | Total                     | 74114
decoder.pkts                               | Total                     | 363587
decoder.bytes                              | Total                     | 29816414
decoder.ipv4                               | Total                     | 360380
decoder.ipv6                               | Total                     | 6
decoder.ethernet                           | Total                     | 363587
decoder.tcp                                | Total                     | 349015
decoder.udp                                | Total                     | 11122
decoder.icmpv4                             | Total                     | 22
decoder.teredo                             | Total                     | 6
decoder.avg_pkt_size                       | Total                     | 82
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 186
flow.udp                                   | Total                     | 2687
defrag.ipv4.fragments                      | Total                     | 221
defrag.ipv4.reassembled                    | Total                     | 96
tcp.sessions                               | Total                     | 176
tcp.syn                                    | Total                     | 182
tcp.synack                                 | Total                     | 168
tcp.rst                                    | Total                     | 413
tcp.overlap                                | Total                     | 3
detect.alert                               | Total                     | 6
detect.nonmpm_list                         | Total                     | 19766
detect.fnonmpm_list                        | Total                     | 310
detect.match_list                          | Total                     | 310
app_layer.flow.http                        | Total                     | 81
app_layer.tx.http                          | Total                     | 83
app_layer.flow.tls                         | Total                     | 84
app_layer.flow.dns_udp                     | Total                     | 2570
app_layer.tx.dns_udp                       | Total                     | 2902
app_layer.flow.failed_udp                  | Total                     | 117
flow_mgr.closed_pruned                     | Total                     | 163
flow_mgr.new_pruned                        | Total                     | 133
flow_mgr.est_pruned                        | Total                     | 2416
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 1
flow_mgr.flows_notimeout                   | Total                     | 1
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65535
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 1720320
tcp.reassembly_memuse                      | Total                     | 245760
flow.memuse                                | Total                     | 6795520

And about rules:

23/3/2018 -- 07:26:14 - <Info> - Running in live mode, activating unix socket
23/3/2018 -- 07:26:14 - <Info> - Loading reputation file: /etc/suricata/rules/talos.txt
23/3/2018 -- 07:26:18 - <Info> - 9 rule files processed. 28727 rules successfully loaded, 0 rules failed
23/3/2018 -- 07:26:18 - <Info> - Threshold config parsed: 0 rule(s) found
23/3/2018 -- 07:26:18 - <Info> - 28727 signatures processed. 1295 are IP-only rules, 3361 are inspecting packet payload, 25180 inspect application layer, 0 are decoder event only
23/3/2018 -- 07:26:20 - <Info> - fast output device (regular) initialized: fast.log
23/3/2018 -- 07:26:20 - <Info> - stats output device (regular) initialized: stats.log
23/3/2018 -- 07:26:20 - <Info> - Going to use 1 thread(s)
23/3/2018 -- 07:26:20 - <Info> - using interface vtnet2
23/3/2018 -- 07:26:20 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
23/3/2018 -- 07:26:20 - <Info> - Found an MTU of 1512 for 'vtnet2'
23/3/2018 -- 07:26:20 - <Info> - Set snaplen to 1536 for 'vtnet2'
23/3/2018 -- 07:26:20 - <Info> - Going to use 1 thread(s)
23/3/2018 -- 07:26:20 - <Info> - using interface vtnet3
23/3/2018 -- 07:26:20 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
23/3/2018 -- 07:26:20 - <Info> - Found an MTU of 1512 for 'vtnet3'
23/3/2018 -- 07:26:20 - <Info> - Set snaplen to 1536 for 'vtnet3'
23/3/2018 -- 07:26:20 - <Info> - Going to use 1 thread(s)
23/3/2018 -- 07:26:20 - <Info> - using interface vtnet4
23/3/2018 -- 07:26:20 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
23/3/2018 -- 07:26:20 - <Info> - Found an MTU of 1512 for 'vtnet4'
23/3/2018 -- 07:26:20 - <Info> - Set snaplen to 1536 for 'vtnet4'
23/3/2018 -- 07:26:20 - <Info> - RunModeIdsPcapWorkers initialised
23/3/2018 -- 07:26:20 - <Info> - Running in live mode, activating unix socket
23/3/2018 -- 07:26:20 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
23/3/2018 -- 07:26:20 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
23/3/2018 -- 07:31:39 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used
23/3/2018 -- 07:32:41 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used
23/3/2018 -- 07:32:57 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used
23/3/2018 -- 08:40:06 - <Notice> - Signal Received.  Stopping engine.
23/3/2018 -- 08:40:07 - <Info> - time elapsed 4426.912s
23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet2) Packets 351328, bytes 26323869
23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet2) Pcap Total:425442 Recv:351328 Drop:74114 (17.4%).
23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet3) Packets 6401, bytes 1849846
23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet3) Pcap Total:6404 Recv:6404 Drop:0 (0.0%).
23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet4) Packets 5858, bytes 1642699
23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet4) Pcap Total:5858 Recv:5858 Drop:0 (0.0%).
23/3/2018 -- 08:40:07 - <Info> - Alerts: 6
23/3/2018 -- 08:40:07 - <Info> - cleaning up signature grouping structure... complete
23/3/2018 -- 08:40:07 - <Notice> - Stats for 'vtnet2':  pkts: 351328, drop: 74114 (21.10%), invalid chksum: 0
23/3/2018 -- 08:40:07 - <Notice> - Stats for 'vtnet3':  pkts: 6401, drop: 0 (0.00%), invalid chksum: 0
23/3/2018 -- 08:40:07 - <Notice> - Stats for 'vtnet4':  pkts: 5858, drop: 0 (0.00%), invalid chksum: 0

As you can see, Andreas, it's not a lot of traffic monitoring this VM.

Thanks

On Wed, Mar 21, 2018 at 11:06 PM, Andreas Herz <andi at geekosphere.org> wrote:

> On 18/03/18 at 07:27, C. L. Martinez wrote:
> >  Any idea why tcpdump never drops packets and suricata almost all of them?
>
> Can you add stats.log?
>
> What rules are active?
>
> --
> Andreas Herz
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
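As an added example (not code from this post, and not part of Suricata itself), the following Python script parses a stats.log dump like the one pasted above, re-joining rows whose value a mail client wrapped onto the next line, and parses the per-interface "Pcap Total/Recv/Drop" summary lines printed at shutdown, so the drop rate can be checked against a threshold instead of read by eye. The sample input is copied from the figures in this thread; the regexes, function names and the 1% threshold are my own assumptions. It also makes visible why the post shows two different percentages for vtnet2: 17.4% is drops divided by Pcap Total, 21.10% is drops divided by Recv.

```python
"""Drop-rate check over a Suricata stats.log dump and shutdown capture summary.

Added example, not Suricata's own tooling. The row/line patterns below match the
formats shown in the mailing-list post; the 1% threshold is an arbitrary choice.
"""
import re
from typing import Dict, List, Optional

# One stats.log row: "<counter> | <thread name> | <value>"
STATS_ROW = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*\|\s*([^|]*?)\s*\|\s*(\d+)\s*$")
# Per-interface pcap summary printed at shutdown, e.g.
# "(W#01-vtnet2) Pcap Total:425442 Recv:351328 Drop:74114 (17.4%)."
PCAP_SUMMARY = re.compile(
    r"\(W#\d+-(?P<iface>[^)]+)\) Pcap Total:(?P<total>\d+)\s+Recv:(?P<recv>\d+)\s+Drop:(?P<drop>\d+)"
)


def _unwrap(lines: List[str]) -> List[str]:
    """Re-join a row ending in '|' with a following bare-integer line (mail wrapping)."""
    out: List[str] = []
    i = 0
    while i < len(lines):
        cur = lines[i]
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if cur.rstrip().endswith("|") and nxt.isdigit():
            out.append(cur.rstrip() + " " + nxt)
            i += 2
        else:
            out.append(cur)
            i += 1
    return out


def parse_stats_dump(text: str) -> Dict[str, int]:
    """Return {counter_name: value} for every parsable row in a stats.log dump."""
    counters: Dict[str, int] = {}
    for line in _unwrap(text.splitlines()):
        m = STATS_ROW.match(line)
        if m:
            counters[m.group(1)] = int(m.group(3))
    return counters


def kernel_drop_ratio(counters: Dict[str, int]) -> Optional[float]:
    """capture.kernel_drops as a fraction of capture.kernel_packets, or None if no packets."""
    pkts = counters.get("capture.kernel_packets", 0)
    if pkts == 0:
        return None
    return counters.get("capture.kernel_drops", 0) / pkts


def parse_pcap_summaries(log: str) -> Dict[str, Dict[str, float]]:
    """Per-interface counts plus both drop ratios (over Total and over Recv)."""
    result: Dict[str, Dict[str, float]] = {}
    for line in log.splitlines():
        m = PCAP_SUMMARY.search(line)
        if not m:
            continue
        total, recv, drop = (int(m.group(k)) for k in ("total", "recv", "drop"))
        result[m.group("iface")] = {
            "total": total,
            "recv": recv,
            "drop": drop,
            "drop_of_total": drop / total if total else 0.0,  # the "(17.4%)" figure
            "drop_of_recv": drop / recv if recv else 0.0,     # the "(21.10%)" figure
        }
    return result


def findings(counters: Dict[str, int], summaries: Dict[str, Dict[str, float]],
             threshold: float = 0.01) -> List[str]:
    """Human-readable findings for every drop ratio above the threshold."""
    notes: List[str] = []
    r = kernel_drop_ratio(counters)
    if r is not None and r > threshold:
        notes.append(f"capture.kernel_drops is {r:.1%} of kernel_packets (threshold {threshold:.0%})")
    for iface, s in summaries.items():
        if s["drop_of_total"] > threshold:
            notes.append(f"{iface}: dropped {int(s['drop'])} of {int(s['total'])} ({s['drop_of_total']:.1%})")
    return notes


# Sample input: a wrapped stats.log excerpt and three summary lines, values taken from the post.
SAMPLE_STATS = """\
Counter                                    | TM Name                   |
Value
capture.kernel_packets                     | Total                     |
437700
capture.kernel_drops                       | Total                     |
74114
decoder.pkts                               | Total                     | 363587
flow.spare                                 | Total                     |
10000
"""
SAMPLE_LOG = """\
23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet2) Pcap Total:425442 Recv:351328 Drop:74114 (17.4%).
23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet3) Pcap Total:6404 Recv:6404 Drop:0 (0.0%).
23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet4) Pcap Total:5858 Recv:5858 Drop:0 (0.0%).
"""

if __name__ == "__main__":
    for note in findings(parse_stats_dump(SAMPLE_STATS), parse_pcap_summaries(SAMPLE_LOG)):
        print(note)
```

Run against a real deployment, feed it the latest stats.log block and the shutdown lines from suricata.log; a sustained capture.kernel_drops ratio in the double digits with three workers and a few hundred thousand packets per hour, as in this post, points at the capture path (single pcap thread per interface, buffer sizing) rather than at traffic volume.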