[Oisf-users] Discrepancies in Snort and Suricata alerts

Michał Purzyński michalpurzynski1 at gmail.com
Fri Oct 12 18:44:28 UTC 2018


After talking a bit more with Fatema, we learned there might be a problem
with the kernel version on that server.

Victor's patch shows 30% of packets sent to a wrong thread. Bro and Snort
use pf_ring.

Suggestions would be to use hardware hashing and af_packet in QM mode. Note
- the XDP part is not needed for this setup to work.

https://github.com/pevma/SEPTun-Mark-II/blob/master/SEPTun-Mark-II.rst#setup-symmetric-hashing-on-the-nic

just do the symmetric hashing part and then change Suricata's configuration
to use cluster_qm

  cluster-type: cluster_qm # symmetric hashing  is a must!
On Fri, Oct 5, 2018 at 2:20 PM Michał Purzyński <michalpurzynski1 at gmail.com>
wrote:

> How about we make Suricata write us a pcap in afpacket workers mode? I’m
> pretty sure a rule can do that.
>
> > On Oct 5, 2018, at 8:17 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
> >
> > Changing $HOME_NET to any in sid 2022813 didn't help though, still not
> getting that alert fired.
> > One difference I had in suricata.yaml when running in offline pcap
> reading mode was, I set runmode to "single", while when suricata runs in
> packet sniffing mode it's set to "workers".
> >
> > I tried to set it to "runmode:single" while on interface sniffing mode
> but was hit by ~60% capture loss, which makes sense as single threaded
> suricata can't handle the traffic flowing through the interface.
> >
> > The fact that alerts are fired when in offline single threaded mode and
> same alerts are not fired when online packet sniffing multi-threaded mode,
> makes me think it has to do with multi-threading vs single threaded mode
> and how "workers" are capturing packets.
> >
> > I will keep looking.
> >
> > (The good thing is that Interrupt/IRQ pinning has helped to reduce
> capture loss to 0%)
> >
> > Thanks,
> > Fatema
> >
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
>
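To show why the symmetric-hashing step matters before switching to cluster_qm, here is an added example (not code from the thread, SEPTun or Suricata) that implements the Toeplitz hash NICs use for RSS and compares the two directions of a flow under the repeating 0x6d5a key (the usual symmetric RSS key) and under a non-symmetric key. With the symmetric key both directions of a connection hash identically and therefore land on the same queue, i.e. the same worker thread; with an ordinary key the reply direction can be steered to a different queue, which is the "packets sent to a wrong thread" symptom that makes flow-based signatures miss. The sample addresses and ports are constructed, and the queue mapping assumes an identity indirection table.

```python
"""Toeplitz/RSS hash demo: why symmetric hashing keeps both directions of a
flow on the same NIC queue (and so on the same Suricata worker in cluster_qm).
Added example; the addresses, ports and the asymmetric key are constructed or
taken from public documentation, not from the mailing-list thread."""
from ipaddress import IPv4Address
import struct

# Repeating 0x6d5a pattern: the well-known symmetric RSS key (40 bytes).
SYMMETRIC_KEY = bytes.fromhex("6d5a" * 20)
# Example key from Microsoft's RSS documentation; it is not symmetric.
ASYMMETRIC_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcb"
    "ae7b30b477cb2da38030f20c6a42b73bbeac01fa"
)
assert len(SYMMETRIC_KEY) == len(ASYMMETRIC_KEY) == 40


def toeplitz_hash(key: bytes, data: bytes) -> int:
    """Toeplitz hash as used by RSS: for every set bit i of `data` (MSB first),
    XOR in the 32-bit window of `key` that starts at key bit i."""
    key_bits = len(key) * 8
    data_bits = len(data) * 8
    if data_bits + 32 > key_bits:
        raise ValueError("RSS key too short for this input length")
    key_int = int.from_bytes(key, "big")
    result = 0
    for i in range(data_bits):
        if data[i // 8] & (0x80 >> (i % 8)):
            result ^= (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
    return result


def rss_input_ipv4(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Hash input for IPv4 TCP/UDP: src IP || dst IP || src port || dst port."""
    return (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
            + struct.pack("!HH", src_port, dst_port))


def direction_hashes(key: bytes, src_ip: str, src_port: int,
                     dst_ip: str, dst_port: int) -> tuple:
    """Return (hash of client->server packets, hash of server->client packets)."""
    fwd = toeplitz_hash(key, rss_input_ipv4(src_ip, src_port, dst_ip, dst_port))
    rev = toeplitz_hash(key, rss_input_ipv4(dst_ip, dst_port, src_ip, src_port))
    return fwd, rev


def flow_stays_on_one_queue(key: bytes, src_ip: str, src_port: int,
                            dst_ip: str, dst_port: int, nqueues: int = 8) -> bool:
    """True if both directions map to the same RX queue, assuming the NIC's
    indirection table simply takes hash modulo the number of queues."""
    fwd, rev = direction_hashes(key, src_ip, src_port, dst_ip, dst_port)
    return fwd % nqueues == rev % nqueues


if __name__ == "__main__":
    # Constructed sample flow: a client talking to an HTTPS server.
    flow = ("10.0.0.5", 40000, "192.168.1.20", 443)
    for name, key in (("symmetric 0x6d5a key", SYMMETRIC_KEY),
                      ("Microsoft example key", ASYMMETRIC_KEY)):
        fwd, rev = direction_hashes(key, *flow)
        print(f"{name}: fwd=0x{fwd:08x} rev=0x{rev:08x} "
              f"same queue={flow_stays_on_one_queue(key, *flow)}")
```

Only the symmetric key guarantees equality: because it repeats every 16 bits, every 32-bit key window is identical to the window 32 bits (one IPv4 address) or 16 bits (one port) further on, so swapping source and destination does not change the XOR. That is the property the SEPTun `ethtool -X ... hkey` step gives the NIC, and it is what lets af_packet cluster_qm hand a whole connection to one worker.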