[Oisf-users] Really desperate: Suricata drops almost all packets
C. L. Martinez
carlopmart at gmail.com
Fri Mar 23 08:42:43 UTC 2018
Sorry for this late response.
Here it is:
------------------------------------------------------------------------------------
Date: 3/23/2018 -- 08:40:07 (uptime: 0d, 01h 13m 47s)
------------------------------------------------------------------------------------
Counter                      | TM Name | Value
------------------------------------------------------------------------------------
capture.kernel_packets       | Total   | 437700
capture.kernel_drops         | Total   | 74114
decoder.pkts                 | Total   | 363587
decoder.bytes                | Total   | 29816414
decoder.ipv4                 | Total   | 360380
decoder.ipv6                 | Total   | 6
decoder.ethernet             | Total   | 363587
decoder.tcp                  | Total   | 349015
decoder.udp                  | Total   | 11122
decoder.icmpv4               | Total   | 22
decoder.teredo               | Total   | 6
decoder.avg_pkt_size         | Total   | 82
decoder.max_pkt_size         | Total   | 1514
flow.tcp                     | Total   | 186
flow.udp                     | Total   | 2687
defrag.ipv4.fragments        | Total   | 221
defrag.ipv4.reassembled      | Total   | 96
tcp.sessions                 | Total   | 176
tcp.syn                      | Total   | 182
tcp.synack                   | Total   | 168
tcp.rst                      | Total   | 413
tcp.overlap                  | Total   | 3
detect.alert                 | Total   | 6
detect.nonmpm_list           | Total   | 19766
detect.fnonmpm_list          | Total   | 310
detect.match_list            | Total   | 310
app_layer.flow.http          | Total   | 81
app_layer.tx.http            | Total   | 83
app_layer.flow.tls           | Total   | 84
app_layer.flow.dns_udp       | Total   | 2570
app_layer.tx.dns_udp         | Total   | 2902
app_layer.flow.failed_udp    | Total   | 117
flow_mgr.closed_pruned       | Total   | 163
flow_mgr.new_pruned          | Total   | 133
flow_mgr.est_pruned          | Total   | 2416
flow.spare                   | Total   | 10000
flow_mgr.flows_checked       | Total   | 1
flow_mgr.flows_notimeout     | Total   | 1
flow_mgr.rows_checked        | Total   | 65536
flow_mgr.rows_skipped        | Total   | 65535
flow_mgr.rows_maxlen         | Total   | 1
tcp.memuse                   | Total   | 1720320
tcp.reassembly_memuse        | Total   | 245760
flow.memuse                  | Total   | 6795520
And about rules:
23/3/2018 -- 07:26:14 - <Info> - Running in live mode, activating unix
socket
23/3/2018 -- 07:26:14 - <Info> - Loading reputation file:
/etc/suricata/rules/talos.txt
23/3/2018 -- 07:26:18 - <Info> - 9 rule files processed. 28727 rules
successfully loaded, 0 rules failed
23/3/2018 -- 07:26:18 - <Info> - Threshold config parsed: 0 rule(s) found
23/3/2018 -- 07:26:18 - <Info> - 28727 signatures processed. 1295 are
IP-only rules, 3361 are inspecting packet payload, 25180 inspect
application layer, 0 are decoder event only
23/3/2018 -- 07:26:20 - <Info> - fast output device (regular) initialized:
fast.log
23/3/2018 -- 07:26:20 - <Info> - stats output device (regular) initialized:
stats.log
23/3/2018 -- 07:26:20 - <Info> - Going to use 1 thread(s)
23/3/2018 -- 07:26:20 - <Info> - using interface vtnet2
23/3/2018 -- 07:26:20 - <Info> - Running in 'auto' checksum mode. Detection
of interface state will require 1000 packets.
23/3/2018 -- 07:26:20 - <Info> - Found an MTU of 1512 for 'vtnet2'
23/3/2018 -- 07:26:20 - <Info> - Set snaplen to 1536 for 'vtnet2'
23/3/2018 -- 07:26:20 - <Info> - Going to use 1 thread(s)
23/3/2018 -- 07:26:20 - <Info> - using interface vtnet3
23/3/2018 -- 07:26:20 - <Info> - Running in 'auto' checksum mode. Detection
of interface state will require 1000 packets.
23/3/2018 -- 07:26:20 - <Info> - Found an MTU of 1512 for 'vtnet3'
23/3/2018 -- 07:26:20 - <Info> - Set snaplen to 1536 for 'vtnet3'
23/3/2018 -- 07:26:20 - <Info> - Going to use 1 thread(s)
23/3/2018 -- 07:26:20 - <Info> - using interface vtnet4
23/3/2018 -- 07:26:20 - <Info> - Running in 'auto' checksum mode. Detection
of interface state will require 1000 packets.
23/3/2018 -- 07:26:20 - <Info> - Found an MTU of 1512 for 'vtnet4'
23/3/2018 -- 07:26:20 - <Info> - Set snaplen to 1536 for 'vtnet4'
23/3/2018 -- 07:26:20 - <Info> - RunModeIdsPcapWorkers initialised
23/3/2018 -- 07:26:20 - <Info> - Running in live mode, activating unix
socket
23/3/2018 -- 07:26:20 - <Info> - Using unix socket file
'/var/run/suricata/suricata-command.socket'
23/3/2018 -- 07:26:20 - <Notice> - all 3 packet processing threads, 4
management threads initialized, engine started.
23/3/2018 -- 07:31:39 - <Info> - No packets with invalid checksum, assuming
checksum offloading is NOT used
23/3/2018 -- 07:32:41 - <Info> - No packets with invalid checksum, assuming
checksum offloading is NOT used
23/3/2018 -- 07:32:57 - <Info> - No packets with invalid checksum, assuming
checksum offloading is NOT used
23/3/2018 -- 08:40:06 - <Notice> - Signal Received. Stopping engine.
23/3/2018 -- 08:40:07 - <Info> - time elapsed 4426.912s
23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet2) Packets 351328, bytes
26323869
23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet2) Pcap Total:425442
Recv:351328 Drop:74114 (17.4%).
23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet3) Packets 6401, bytes 1849846
23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet3) Pcap Total:6404 Recv:6404
Drop:0 (0.0%).
23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet4) Packets 5858, bytes 1642699
23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet4) Pcap Total:5858 Recv:5858
Drop:0 (0.0%).
23/3/2018 -- 08:40:07 - <Info> - Alerts: 6
23/3/2018 -- 08:40:07 - <Info> - cleaning up signature grouping
structure... complete
23/3/2018 -- 08:40:07 - <Notice> - Stats for 'vtnet2': pkts: 351328, drop:
74114 (21.10%), invalid chksum: 0
23/3/2018 -- 08:40:07 - <Notice> - Stats for 'vtnet3': pkts: 6401, drop: 0
(0.00%), invalid chksum: 0
23/3/2018 -- 08:40:07 - <Notice> - Stats for 'vtnet4': pkts: 5858, drop: 0
(0.00%), invalid chksum: 0
As you can see, Andreas, it's not a lot of traffic monitoring this VM.
Thanks
On Wed, Mar 21, 2018 at 11:06 PM, Andreas Herz <andi at geekosphere.org> wrote:
> On 18/03/18 at 07:27, C. L. Martinez wrote:
> > Any idea why tcpdump never drops packets and Suricata almost all of them?
>
> Can you add stats.log?
>
> What rules are active?
>
> --
> Andreas Herz
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
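The two drop figures in the post look contradictory at first glance (17.4% on the "Pcap Total" line, 21.10% on the "Stats for 'vtnet2'" notice) but describe the same 74114 lost packets: one divides by Total (Recv + Drop), the other by Recv. The script below is an added example, not code from the post or from the Suricata project. It parses the "Counter | TM Name | Value" dumps in stats.log and the per-worker "Pcap Total:... Recv:... Drop:..." shutdown lines, computes both ratios, and points at the worst interface. The sample inputs are constructed from the numbers in the post; the regexes assume the plain-text stats.log layout shown above and the shutdown lines unwrapped onto one line each.

```python
"""Summarise Suricata capture drops from stats.log and the shutdown log.

Added example: my own illustration, not code from the mailing-list post or
from the Suricata project. Sample inputs below are constructed from the
values the post reports.
"""
import re

# Constructed input: one stats.log dump trimmed to a few counters from the post.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 3/23/2018 -- 08:40:07 (uptime: 0d, 01h 13m 47s)
------------------------------------------------------------------------------------
Counter                   | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets    | Total                     | 437700
capture.kernel_drops      | Total                     | 74114
decoder.pkts              | Total                     | 363587
decoder.avg_pkt_size      | Total                     | 82
flow.spare                | Total                     | 10000
"""

# Constructed input: the three shutdown summary lines from the post, unwrapped.
SAMPLE_SHUTDOWN_LOG = """\
23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet2) Pcap Total:425442 Recv:351328 Drop:74114 (17.4%).
23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet3) Pcap Total:6404 Recv:6404 Drop:0 (0.0%).
23/3/2018 -- 08:40:07 - <Info> - (W#01-vtnet4) Pcap Total:5858 Recv:5858 Drop:0 (0.0%).
"""

DATE_LINE = re.compile(r"^Date:\s*(.+?)\s*\(uptime")
STAT_LINE = re.compile(r"^\s*([\w.]+)\s*\|\s*([^|]+?)\s*\|\s*(\d+)\s*$")
PCAP_LINE = re.compile(r"\((W#\d+-(\w+))\) Pcap Total:(\d+) Recv:(\d+) Drop:(\d+)")


def parse_stats_log(text):
    """Return a list of dumps, each {'date': str, 'counters': {(counter, tm): int}}.

    stats.log appends a new dump every stats interval; the last dump holds the
    cumulative totals at the time it was written.
    """
    dumps = []
    current = None
    for line in text.splitlines():
        m = DATE_LINE.match(line)
        if m:
            current = {"date": m.group(1), "counters": {}}
            dumps.append(current)
            continue
        m = STAT_LINE.match(line)
        if m and current is not None:
            current["counters"][(m.group(1), m.group(2))] = int(m.group(3))
    return dumps


def capture_drop_share(dump, tm="Total"):
    """capture.kernel_drops as a fraction of capture.kernel_packets for one dump.

    In the post's figures kernel_packets (437700) lines up with the sum of the
    per-interface 'Pcap Total' values, i.e. it already includes the dropped
    packets, so this is 'drops over everything the kernel saw'.
    """
    c = dump["counters"]
    packets = c.get(("capture.kernel_packets", tm), 0)
    drops = c.get(("capture.kernel_drops", tm), 0)
    return drops / packets if packets else 0.0


def parse_pcap_summary(text):
    """Per-interface {iface: (total, recv, drop)} from the shutdown lines."""
    out = {}
    for m in PCAP_LINE.finditer(text):
        out[m.group(2)] = (int(m.group(3)), int(m.group(4)), int(m.group(5)))
    return out


def drop_percentages(total, recv, drop):
    """Both conventions Suricata's shutdown output uses for the same counters.

    'Pcap Total ... (17.4%)' divides by total (recv + drop); the later
    "Stats for 'vtnet2'" notice divides by the packets actually received
    (21.10%). Returns (percent_of_total, percent_of_received), rounded.
    """
    of_total = 100.0 * drop / total if total else 0.0
    of_received = 100.0 * drop / recv if recv else 0.0
    return round(of_total, 2), round(of_received, 2)


def worst_interface(summary):
    """Interface with the highest drop share of its total, or None if empty."""
    if not summary:
        return None
    return max(summary, key=lambda i: summary[i][2] / summary[i][0] if summary[i][0] else 0.0)


if __name__ == "__main__":
    last = parse_stats_log(SAMPLE_STATS_LOG)[-1]
    print(f"{last['date']}: kernel drop share {100 * capture_drop_share(last):.2f}%")
    per_iface = parse_pcap_summary(SAMPLE_SHUTDOWN_LOG)
    for iface, (total, recv, drop) in per_iface.items():
        print(iface, total, recv, drop, drop_percentages(total, recv, drop))
    print("worst:", worst_interface(per_iface))
```

Running it against a real stats.log, compare the drop share across successive dumps: a share that is stable from the first dump onward points at the capture path (pcap buffer, worker count, offloading) rather than at a slowly growing backlog in detection.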