[Oisf-users] [EXT] Re: Packet loss and increased resource consumption after upgrade to 4.1.2 with Rust support

Peter Manev petermanev at gmail.com
Thu Feb 21 13:20:11 UTC 2019


On Wed, Feb 20, 2019 at 7:27 PM Cloherty, Sean E <scloherty at mitre.org> wrote:
>
> Done.
>
> Upon restart of Suricata I immediately observed the behavior I had mentioned before where the "SURICATA TLS invalid heartbeat encountered, possible exploit attempt (heartbleed)" starts firing very frequently for what I think are false positives.
>
> The 4.1.2 server will detect the dozen or so daily hits which are recorded on the production host with the same traffic being analyzed.  But the bulk of the alerts, the ones which I believe are FPs, are all from traffic between users connected to our network via VPN and our proxy servers.
>

Ok - your drop rate is not hugely different between 4.1.2 and 4.0.6
though, right?

> -----Original Message-----
> From: Peter Manev <petermanev at gmail.com>
> Sent: Wednesday, February 20, 2019 12:26 PM
> To: Cloherty, Sean E <scloherty at mitre.org>
> Cc: Eric Urban <eurban at umn.edu>; Open Information Security Foundation <oisf-users at lists.openinfosecfoundation.org>
> Subject: Re: [EXT] Re: [Oisf-users] Packet loss and increased resource consumption after upgrade to 4.1.2 with Rust support
>
> On Wed, Feb 20, 2019 at 3:31 PM Cloherty, Sean E <scloherty at mitre.org> wrote:
> >
> > So do this with 4.1.2, right?
>
> Yes please!
>
> >
> > -----Original Message-----
> > From: Peter Manev <petermanev at gmail.com>
> > Sent: Wednesday, February 20, 2019 9:27 AM
> > To: Cloherty, Sean E <scloherty at mitre.org>
> > Cc: Eric Urban <eurban at umn.edu>; Open Information Security Foundation
> > <oisf-users at lists.openinfosecfoundation.org>
> > Subject: Re: [EXT] Re: [Oisf-users] Packet loss and increased resource
> > consumption after upgrade to 4.1.2 with Rust support
> >
> > On Wed, Feb 20, 2019 at 3:01 PM Cloherty, Sean E <scloherty at mitre.org> wrote:
> > >
> > > Peter -
> > >
> > > * CentOS Linux release 7.6.1810 / 3.10.0-957.1.3.el7.x86_64 #1 SMP
> > > Thu Nov 29 14:49:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
> > > * Rust is rust-1.30.0-x86_64
> > > * Hyperscan 4.7.0
> > > *Here is the full line I use to build Suricata -
> > >
> > > ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
> > > --with-libhs-libraries=/usr/local/lib/
> > > --with-libhs-includes=/usr/local/include/hs/
> > > --with-liblzma-includes=/usr/include/lzma/
> > > --with-liblzma-libraries=/usr/lib64/ --enable-gccprotect
> > > --enable-geoip --enable-lua --enable-profiling --enable-pie
> > > --enable-rust --enable-unix-socket
> > >
> >
> > Can you remove "--enable-profiling" from the compile command line, reinstall and rerun the test? (--enable-rust --enable-unix-socket should be done/checked by default during build time.) Curious if you could please do that and feed back the results with all Rust/protos enabled?
> >
> > Thank you
> >
> > > Thanks,
> > >
> > > Sean
> > >
> > > -----Original Message-----
> > > From: Peter Manev <petermanev at gmail.com>
> > > Sent: Wednesday, February 20, 2019 5:59 AM
> > > To: Cloherty, Sean E <scloherty at mitre.org>
> > > Cc: Eric Urban <eurban at umn.edu>; Open Information Security
> > > Foundation <oisf-users at lists.openinfosecfoundation.org>
> > > Subject: Re: [EXT] Re: [Oisf-users] Packet loss and increased
> > > resource consumption after upgrade to 4.1.2 with Rust support
> > >
> > > On Tue, Feb 19, 2019 at 1:12 AM Cloherty, Sean E <scloherty at mitre.org> wrote:
> > > >
> > > > When I compiled 4.0.6 on the previously 4.1.2 host, I used the same arguments including Rust.  I think all of the Rust parsers are disabled, but SMB is enabled.  In my case I’ve seen no packet loss in three days despite compiling with Rust.
> > > >
> > > >
> > >
> > > Interesting observation and feedback - thank you Sean. Could you please confirm what OS / rust version you use?
> > >
> > > Thank you
> > >
> > >
> > > --
> > > Regards,
> > > Peter Manev
> >
> >
> >
> > --
> > Regards,
> > Peter Manev
>
>
>
> --
> Regards,
> Peter Manev



-- 
Regards,
Peter Manev
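The two questions in this thread (is the drop rate really different between builds, and do the heartbleed alerts cluster on the VPN-to-proxy path) can both be answered from the same eve.json file. The script below is an added example, not code from the thread or from the Suricata project. It assumes the standard eve.json layout, where cumulative capture counters live under `stats.capture.kernel_packets` / `stats.capture.kernel_drops` and alerts carry `src_ip`, `dest_ip` and `alert.signature`; the VPN client range, the proxy addresses and the sample log lines are constructed for illustration and are not from the thread.

```python
import ipaddress
import json
from collections import Counter

# Signature text exactly as it appears in the thread.
HEARTBLEED_SIG = ("SURICATA TLS invalid heartbeat encountered, "
                  "possible exploit attempt (heartbleed)")

# Constructed sample eve.json records (hypothetical addresses, not real captures).
# Stats counters are cumulative, so the second stats event supersedes the first.
_SAMPLE_EVENTS = [
    {"event_type": "stats", "stats": {"capture": {"kernel_packets": 1000000, "kernel_drops": 2500}}},
    {"event_type": "alert", "src_ip": "10.8.0.12", "dest_ip": "10.1.1.5", "dest_port": 8080,
     "alert": {"signature": HEARTBLEED_SIG}},
    {"event_type": "alert", "src_ip": "10.8.0.40", "dest_ip": "10.1.1.5", "dest_port": 8080,
     "alert": {"signature": HEARTBLEED_SIG}},
    {"event_type": "alert", "src_ip": "10.8.0.12", "dest_ip": "10.1.1.6", "dest_port": 8080,
     "alert": {"signature": HEARTBLEED_SIG}},
    {"event_type": "alert", "src_ip": "10.8.0.77", "dest_ip": "10.1.1.5", "dest_port": 8080,
     "alert": {"signature": HEARTBLEED_SIG}},
    {"event_type": "alert", "src_ip": "198.51.100.7", "dest_ip": "10.1.2.9", "dest_port": 443,
     "alert": {"signature": HEARTBLEED_SIG}},
    {"event_type": "alert", "src_ip": "198.51.100.7", "dest_ip": "10.1.2.9", "dest_port": 443,
     "alert": {"signature": "SURICATA TLS invalid record type"}},
    {"event_type": "stats", "stats": {"capture": {"kernel_packets": 2000000, "kernel_drops": 6000}}},
]
SAMPLE_EVE = "\n".join(json.dumps(ev) for ev in _SAMPLE_EVENTS) + "\n"

# Hypothetical network layout: VPN clients land in 10.8.0.0/24, proxies are 10.1.1.5/.6.
VPN_NETS = ["10.8.0.0/24"]
PROXY_HOSTS = ["10.1.1.5", "10.1.1.6"]


def parse_eve(text):
    """Return one dict per non-empty eve.json line, skipping lines that are not valid JSON."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def drop_rate(events):
    """kernel_drops / kernel_packets from the last stats event, or None if no usable stats."""
    last = None
    for ev in events:
        if ev.get("event_type") == "stats":
            cap = ev.get("stats", {}).get("capture", {})
            if cap.get("kernel_packets"):
                last = cap
    if last is None:
        return None
    return last.get("kernel_drops", 0) / last["kernel_packets"]


def heartbleed_breakdown(events, vpn_nets, proxy_hosts):
    """Return (total heartbleed alerts, alerts on the VPN->proxy path, Counter of (src, dst) pairs)."""
    nets = [ipaddress.ip_network(n) for n in vpn_nets]
    proxies = {ipaddress.ip_address(h) for h in proxy_hosts}
    total, vpn_to_proxy, pairs = 0, 0, Counter()
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        if ev.get("alert", {}).get("signature") != HEARTBLEED_SIG:
            continue
        total += 1
        src = ipaddress.ip_address(ev["src_ip"])
        dst = ipaddress.ip_address(ev["dest_ip"])
        pairs[(str(src), str(dst))] += 1
        if any(src in n for n in nets) and dst in proxies:
            vpn_to_proxy += 1
    return total, vpn_to_proxy, pairs


def summarize(text, vpn_nets=VPN_NETS, proxy_hosts=PROXY_HOSTS):
    """Combine both checks into one dict so two builds can be compared side by side."""
    events = parse_eve(text)
    total, vpn_to_proxy, pairs = heartbleed_breakdown(events, vpn_nets, proxy_hosts)
    return {
        "drop_rate": drop_rate(events),
        "heartbleed_total": total,
        "heartbleed_vpn_to_proxy": vpn_to_proxy,
        "top_pairs": pairs.most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVE).items():
        print(f"{key}: {value}")
```

Run it once against the eve.json of each build (4.0.6 and 4.1.2) on the same traffic; if the drop rates agree and the heartbleed alerts are almost all VPN-to-proxy pairs, the remaining step is to look at what the proxy does to the TLS handshake on that path rather than at the Rust parsers.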

