[Oisf-users] Really desperate: Suricata drops almost all packets
C. L. Martinez
carlopmart at gmail.com
Fri Mar 30 16:15:23 UTC 2018
On Wed, Mar 28, 2018 at 11:47:47PM +0200, Andreas Herz wrote:
> On 23/03/18 at 09:42, C. L. Martinez wrote:
> > ------------------------------------------------------------------------------------
> > capture.kernel_packets | Total | 437700
> > capture.kernel_drops | Total | 74114
>
> That's really bad, I agree.
>
> > 23/3/2018 -- 07:26:18 - <Info> - 9 rule files processed. 28727 rules
> > successfully loaded, 0 rules failed
>
> Is it possible that you run it with no rules just to make sure it's not
> related to any rule?
>
Ok, running with rules:
30/3/2018 -- 15:53:35 - <Notice> - This is Suricata version 4.0.4 RELEASE
30/3/2018 -- 15:53:35 - <Info> - CPUs/cores online: 2
30/3/2018 -- 15:53:35 - <Info> - Found an MTU of 1512 for 'vtnet2'
30/3/2018 -- 15:53:35 - <Info> - Found an MTU of 1512 for 'vtnet2'
30/3/2018 -- 15:53:35 - <Info> - Found an MTU of 1512 for 'vtnet3'
30/3/2018 -- 15:53:35 - <Info> - Found an MTU of 1512 for 'vtnet3'
30/3/2018 -- 15:53:35 - <Info> - Found an MTU of 1512 for 'vtnet4'
30/3/2018 -- 15:53:35 - <Info> - Found an MTU of 1512 for 'vtnet4'
30/3/2018 -- 15:53:35 - <Info> - Max dump is 0
30/3/2018 -- 15:53:35 - <Info> - Core dump setting attempted is 0
30/3/2018 -- 15:53:35 - <Info> - Core dump size set to 0
30/3/2018 -- 15:53:35 - <Info> - Running in live mode, activating unix socket
30/3/2018 -- 15:53:35 - <Info> - Loading reputation file: /etc/suricata/rules/talos.txt
30/3/2018 -- 15:53:35 - <Info> - No signatures supplied.
30/3/2018 -- 15:53:35 - <Info> - fast output device (regular) initialized: fast.log
30/3/2018 -- 15:53:35 - <Info> - stats output device (regular) initialized: stats.log
30/3/2018 -- 15:53:35 - <Info> - Going to use 1 thread(s)
30/3/2018 -- 15:53:35 - <Info> - using interface vtnet2
30/3/2018 -- 15:53:35 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
30/3/2018 -- 15:53:35 - <Info> - Found an MTU of 1512 for 'vtnet2'
30/3/2018 -- 15:53:35 - <Info> - Set snaplen to 1536 for 'vtnet2'
30/3/2018 -- 15:53:35 - <Info> - Going to use 1 thread(s)
30/3/2018 -- 15:53:35 - <Info> - using interface vtnet3
30/3/2018 -- 15:53:35 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
30/3/2018 -- 15:53:35 - <Info> - Found an MTU of 1512 for 'vtnet3'
30/3/2018 -- 15:53:35 - <Info> - Set snaplen to 1536 for 'vtnet3'
30/3/2018 -- 15:53:35 - <Info> - Going to use 1 thread(s)
30/3/2018 -- 15:53:35 - <Info> - using interface vtnet4
30/3/2018 -- 15:53:35 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
30/3/2018 -- 15:53:35 - <Info> - Found an MTU of 1512 for 'vtnet4'
30/3/2018 -- 15:53:35 - <Info> - Set snaplen to 1536 for 'vtnet4'
30/3/2018 -- 15:53:35 - <Info> - RunModeIdsPcapWorkers initialised
30/3/2018 -- 15:53:35 - <Info> - Running in live mode, activating unix socket
30/3/2018 -- 15:53:35 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
30/3/2018 -- 15:53:35 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
30/3/2018 -- 15:53:40 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used
30/3/2018 -- 16:01:07 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used
30/3/2018 -- 16:01:45 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used
30/3/2018 -- 16:14:29 - <Notice> - Signal Received. Stopping engine.
30/3/2018 -- 16:14:30 - <Info> - time elapsed 1254.268s
30/3/2018 -- 16:14:30 - <Info> - (W#01-vtnet2) Packets 279953, bytes 287667198
30/3/2018 -- 16:14:30 - <Info> - (W#01-vtnet2) Pcap Total:284497 Recv:280710 Drop:3787 (1.3%).
30/3/2018 -- 16:14:30 - <Info> - (W#01-vtnet3) Packets 2543, bytes 176714
30/3/2018 -- 16:14:30 - <Info> - (W#01-vtnet3) Pcap Total:2543 Recv:2543 Drop:0 (0.0%).
30/3/2018 -- 16:14:30 - <Info> - (W#01-vtnet4) Packets 4004, bytes 585512
30/3/2018 -- 16:14:30 - <Info> - (W#01-vtnet4) Pcap Total:4004 Recv:4004 Drop:0 (0.0%).
30/3/2018 -- 16:14:30 - <Info> - Alerts: 0
30/3/2018 -- 16:14:30 - <Info> - cleaning up signature grouping structure... complete
30/3/2018 -- 16:14:30 - <Notice> - Stats for 'vtnet2': pkts: 279953, drop: 3787 (1.35%), invalid chksum: 0
30/3/2018 -- 16:14:30 - <Notice> - Stats for 'vtnet3': pkts: 2543, drop: 0 (0.00%), invalid chksum: 0
30/3/2018 -- 16:14:30 - <Notice> - Stats for 'vtnet4': pkts: 4004, drop: 0 (0.00%), invalid chksum: 0
And stats:
------------------------------------------------------------------------------------
Date: 3/30/2018 -- 16:14:30 (uptime: 0d, 00h 20m 55s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
capture.kernel_packets | Total | 290657
capture.kernel_drops | Total | 3787
decoder.pkts | Total | 286500
decoder.bytes | Total | 288429424
decoder.ipv4 | Total | 286113
decoder.ipv6 | Total | 13
decoder.ethernet | Total | 286500
decoder.tcp | Total | 276320
decoder.udp | Total | 2230
decoder.icmpv4 | Total | 61
decoder.teredo | Total | 1
decoder.avg_pkt_size | Total | 1006
decoder.max_pkt_size | Total | 1514
flow.tcp | Total | 223
flow.udp | Total | 946
defrag.ipv4.fragments | Total | 66
defrag.ipv4.reassembled | Total | 27
tcp.sessions | Total | 204
tcp.syn | Total | 279
tcp.synack | Total | 189
tcp.rst | Total | 49
tcp.stream_depth_reached | Total | 4
tcp.reassembly_gap | Total | 4
tcp.overlap | Total | 16
app_layer.flow.http | Total | 55
app_layer.tx.http | Total | 381
app_layer.flow.tls | Total | 115
app_layer.flow.ssh | Total | 4
app_layer.flow.dns_tcp | Total | 3
app_layer.tx.dns_tcp | Total | 3
app_layer.flow.dns_udp | Total | 810
app_layer.tx.dns_udp | Total | 950
app_layer.flow.failed_udp | Total | 136
flow_mgr.closed_pruned | Total | 160
flow_mgr.new_pruned | Total | 65
flow_mgr.est_pruned | Total | 203
flow.spare | Total | 10000
flow_mgr.flows_checked | Total | 4
flow_mgr.flows_notimeout | Total | 2
flow_mgr.flows_timeout | Total | 2
flow_mgr.flows_timeout_inuse | Total | 2
flow_mgr.rows_checked | Total | 65536
flow_mgr.rows_skipped | Total | 65529
flow_mgr.rows_empty | Total | 3
flow_mgr.rows_maxlen | Total | 1
tcp.memuse | Total | 1720320
tcp.reassembly_memuse | Total | 245760
flow.memuse | Total | 6944768
--
Greetings,
C. L. Martinez
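The numbers in this thread are the ones a sensor health check should be watching: capture.kernel_drops against capture.kernel_packets in stats.log, the per-interface "Stats for" notices at shutdown, and tcp.reassembly_gap, which is where capture drops surface as streams inspected with missing data. The script below is an added example for this thread, not Suricata's own code; it parses the stats.log and shutdown lines exactly as they appear in the post above (embedded here as constructed sample input) and raises warnings over a drop threshold. The 1% threshold and the warning texts are this example's own choices.

```python
"""Flag Suricata capture drops from stats.log and the shutdown notices.
Added example for this mailing-list thread; not Suricata's own tooling."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: counter rows and shutdown lines copied from the post.
STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 3/30/2018 -- 16:14:30 (uptime: 0d, 00h 20m 55s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
capture.kernel_packets | Total | 290657
capture.kernel_drops | Total | 3787
decoder.pkts | Total | 286500
tcp.stream_depth_reached | Total | 4
tcp.reassembly_gap | Total | 4
"""

SHUTDOWN_LOG = """\
30/3/2018 -- 16:14:30 - <Notice> - Stats for 'vtnet2': pkts: 279953, drop: 3787 (1.35%), invalid chksum: 0
30/3/2018 -- 16:14:30 - <Notice> - Stats for 'vtnet3': pkts: 2543, drop: 0 (0.00%), invalid chksum: 0
30/3/2018 -- 16:14:30 - <Notice> - Stats for 'vtnet4': pkts: 4004, drop: 0 (0.00%), invalid chksum: 0
"""

# "counter | TM Name | value"; the middle column is "Total" or a thread name.
COUNTER_RE = re.compile(r"^\s*([\w.]+)\s*\|\s*([^|]*?)\s*\|\s*(\d+)\s*$")
# "Stats for 'iface': pkts: N, drop: M (x%), invalid chksum: K"
IFACE_RE = re.compile(r"Stats for '([^']+)': pkts: (\d+), drop: (\d+)")


def parse_stats_log(text: str) -> Dict[str, int]:
    """Return {counter: value} for the last dump in a stats.log.

    stats.log appends a block every interval, so a later row for the same
    counter overwrites an earlier one.  Only "Total" rows are used; per-thread
    rows (if enabled in suricata.yaml) are ignored rather than double counted.
    """
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m and m.group(2) == "Total":
            counters[m.group(1)] = int(m.group(3))
    return counters


def drop_rate(counters: Dict[str, int]) -> Optional[float]:
    """capture.kernel_drops as a fraction of capture.kernel_packets.

    Caveat: whether kernel_packets already includes the dropped packets depends
    on the capture method and OS, so treat the ratio as approximate and compare
    runs on the same host rather than across platforms.
    """
    pkts = counters.get("capture.kernel_packets", 0)
    if pkts == 0:
        return None
    return counters.get("capture.kernel_drops", 0) / pkts


def parse_iface_stats(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {iface: (pkts, drops)} from the engine's shutdown notices."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in IFACE_RE.finditer(text)}


def assess(counters: Dict[str, int], iface_stats: Dict[str, Tuple[int, int]],
           max_drop: float = 0.01) -> List[str]:
    """Warnings a sensor health check would raise from these numbers."""
    warnings: List[str] = []
    rate = drop_rate(counters)
    if rate is not None and rate > max_drop:
        warnings.append(f"kernel drop rate {rate:.2%} exceeds {max_drop:.0%}")
    for iface, (pkts, drops) in sorted(iface_stats.items()):
        if pkts and drops / pkts > max_drop:
            warnings.append(f"{iface}: {drops}/{pkts} dropped ({drops / pkts:.2%})")
    # Drops show up downstream as reassembly gaps: the stream engine lost
    # segments, so payload inspection of those flows is incomplete.  That is
    # an evasion window, not only a performance problem.
    gaps = counters.get("tcp.reassembly_gap", 0)
    if gaps:
        warnings.append(f"{gaps} TCP reassembly gap(s): streams inspected with missing data")
    return warnings


if __name__ == "__main__":
    for w in assess(parse_stats_log(STATS_LOG), parse_iface_stats(SHUTDOWN_LOG)):
        print("WARN", w)
```

Run against the numbers in this post it reports three warnings: the kernel drop rate (about 1.30%), vtnet2 at 1.35%, and the four reassembly gaps; with max_drop raised to 2% only the gap warning remains, which is the one to keep even when the drop percentage looks tolerable.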