[Oisf-users] Discrepancies in Snort and Suricata alerts

fatema bannatwala fatema.bannatwala at gmail.com
Fri Oct 5 20:06:15 UTC 2018 

will try to dump a pcap from afpacket mode.

Meanwhile just some housekeeping quick checks, I hope I am running suricata
with correct cmd line options:
$ sudo ./suricata -D -c suricata.yaml --af-packet

Also there are many (40)  ksoftirqd processes running with 0.0% cpu usage:

$ ps -aux | grep irq
root          3  0.0  0.0      0     0 ?        S    Sep07   1:14
[ksoftirqd/0]
root         15  0.0  0.0      0     0 ?        S    Sep07   0:00
[ksoftirqd/1]
root         21  0.0  0.0      0     0 ?        S    Sep07   0:00
[ksoftirqd/2]
root         26  0.0  0.0      0     0 ?        S    Sep07   0:00
[ksoftirqd/3]
root         31  0.8  0.0      0     0 ?        S    Sep07 324:11
[ksoftirqd/4]
..............<snipped>............
root        196  0.0  0.0      0     0 ?        S    Sep07   0:00
[ksoftirqd/37]
root        201  0.0  0.0      0     0 ?        S    Sep07   0:03
[ksoftirqd/38]
root        206  0.0  0.0      0     0 ?        S    Sep07   0:00
[ksoftirqd/39]
root        839  0.0  0.0      0     0 ?        S    Sep07   0:00
[irq/210-mei_me]
root        938  0.0  0.0      0     0 ?        S<   Sep07   0:00
[kvm-irqfd-clean]

I hope this is normal.

On Fri, Oct 5, 2018 at 2:20 PM Michał Purzyński <michalpurzynski1 at gmail.com>
wrote:

> How about we make Suricata write us a pcap in afpacket workers mode? I’m
> pretty sure a rule can do that.
>
> > On Oct 5, 2018, at 8:17 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
> >
> > Changing $HOME_NET to any in sid 2022813 didn't help though, still not
> getting that alert fired.
> > One difference I had in suricata.yaml when running in offline pcap
> reading mode was, I set runmode to "single", while when suricata runs in
> packet sniffing mode it's set to "workers".
> >
> > I tried to set it to "runmode:single" while on interface sniffing mode
> but was hit by ~60% capture loss, which makes sense as single threaded
> suricata can't handle the traffic flowing through the interface.
> >
> > The fact that alerts are fired when in offline single threaded mode and
> same alerts are not fired when online packet sniffing multi-threaded mode,
> makes me think it has to do with multi-threading vs single threaded mode
> and how "workers" are capturing packets.
> >
> > I will keep looking.
> >
> > (The good thing is that Interrupt/IRQ pinning has helped to reduce
> capture loss to 0%)
> >
> > Thanks,
> > Fatema
> >
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20181005/e1ea3ed5/attachment.html>

More information about the Oisf-users mailing list