Planet Suricata

December 12, 2013

Peter Manev

Suricata (and the grand slam of) Open Source IDPS - Chapter II - PF_RING / DNA , Part One - PF_RING

 

 

Introduction


This is Chapter II (Part One - PF_RING) of a series of articles about high performance  and advance tuning of Suricata IDPS

This article will consist of two parts  - on setting up and configuring PF_RING and DNA for a 10Gbps interface monitoring.

PF_RING:
PF_RING™ is a new type of network socket that dramatically improves the packet capture speed...
PF_RING DNA:
PF_RING™ DNA (Direct NIC Access) is a way to map NIC memory and registers to userland so that there is no additional packet copy besides the DMA transfer done by the NIC NPU (Network Process Unit), unlike what happens with NAPI. This results in better performance as CPU cycles are used uniquely for consuming packets and not for moving them off the adapter...


NOTE: PF_RING™ is open source and free, for the DNA part you need a license. However the DNA license is free for non-profit organizations or education institutions (universities,colleges etc.)




Part One - PF_RING


If you have pf_ring already installed, you might want to do:
sudo rmmod pf_ring
If you are not sure if you have pf_ring installed , you can do:
sudo modinfo pf_ring


Get the latest pf_ring sources:
svn export https://svn.ntop.org/svn/ntop/trunk/PF_RING/ pfring-svn-latest


Compile and install PF_RING


Next, enter the following commands for configuration and installation:
(!!! NOT AS ROOT !!!)

    cd pfring-svn-latest/kernel
    make && sudo make install
    cd ../userland/lib
    ./configure --prefix=/usr/local/pfring && make && sudo make install
    cd ../libpcap-1.1.1-ring
    ./configure --prefix=/usr/local/pfring && make && sudo make install
    cd ../tcpdump-4.1.1
    ./configure --prefix=/usr/local/pfring && make && sudo make install
    sudo ldconfig
  

Then we load the module:
sudo modprobe pf_ring
  
Elevate as root and check if you have everything you need -enter:
modinfo pf_ring && cat /proc/net/pf_ring/info
   
Increase the throttle rate of the ixgbe module:
modprobe ixgbe InterruptThrottleRate=4000



The default pf_ring setup will look something like this:
root@suricata:/var/og/suricata# cat /proc/net/pf_ring/info
PF_RING Version          : 5.6.2 ($Revision: exported$)
Total rings              : 16
Standard (non DNA) Options
Ring slots               : 4096
Slot version             : 15
Capture TX               : Yes [RX+TX]
IP Defragment            : No
Socket Mode              : Standard
Transparent mode         : Yes [mode 0]
Total plugins            : 0
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0


Notice the ring slots above. We would actually like to increase that in order to meet the needs of a high speed network that we are going to monitor with Suricata.

So we do:
rmmod pf_ring
modprobe pf_ring transparent_mode=0 min_num_slots=65534
root@suricata:/home/pevman/pfring-svn-latest# modprobe pf_ring transparent_mode=0 min_num_slots=65534

root@suricata:/home/pevman/pfring-svn-latest# cat /proc/net/pf_ring/info
PF_RING Version          : 5.6.2 ($Revision: exported$)
Total rings              : 0
Standard (non DNA) Options
Ring slots               : 65534
Slot version             : 15
Capture TX               : Yes [RX+TX]
IP Defragment            : No
Socket Mode              : Standard
Transparent mode         : Yes [mode 0]
Total plugins            : 0
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0


Notice the difference above  - Ring slots: 65534



Compile and install Suricata with PF_RING enabled


Get the latest Suricata dev branch:
git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ &&  git clone https://github.com/ironbee/libhtp.git -b 0.5.x

 Compile and install
./autogen.sh && LIBS=-lrt ./configure --enable-pfring --enable-geoip \
--with-libpfring-includes=/usr/local/pfring/include/ \
--with-libpfring-libraries=/usr/local/pfring/lib/ \
--with-libpcap-includes=/usr/local/pfring/include/ \
--with-libpcap-libraries=/usr/local/pfring/lib/ \
--with-libnss-libraries=/usr/lib \
--with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib \
--with-libnspr-includes=/usr/include/nspr \
&& sudo make clean && sudo make && sudo make install && sudo ldconfig


The "LIBS=-lrt" infront of "./configure" above is in case you get the following error  without the use of  "LIBS=-lrt " :
checking for pfring_open in -lpfring... no

   ERROR! --enable-pfring was passed but the library was not found or version is >4, go get it
   from http://www.ntop.org/PF_RING.html



PF_RING - suricata.yaml tune up and configuration

The following values and variables in the default suricata.yaml need to be changed ->

We make sure we use runmode workers (feel free to try other modes and experiment what is best for your specific set up):
#runmode: autofp
runmode: workers


Adjust the packet size:
# Preallocated size for packet. Default is 1514 which is the classical
# size for pcap on ethernet. You should adjust this value to the highest
# packet size (MTU + hardware header) on your system.
default-packet-size: 1522


Use custom profile in detect-engine with a lot more groups (high gives you about 15 groups per variable, but you can customize as needed depending on the network ranges you monitor ):
detect-engine:
  - profile: custom
  - custom-values:
      toclient-src-groups: 200
      toclient-dst-groups: 200
      toclient-sp-groups: 200
      toclient-dp-groups: 300
      toserver-src-groups: 200
      toserver-dst-groups: 400
      toserver-sp-groups: 200
      toserver-dp-groups: 250
  - sgh-mpm-context: full
  - inspection-recursion-limit: 3000


Adjust your defrag settings:
# Defrag settings:
defrag:
  memcap: 512mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep
  prealloc: yes
  timeout: 30



Adjust your flow settings:
flow:
  memcap: 1gb
  hash-size: 1048576
  prealloc: 1048576
  emergency-recovery: 30


Adjust your per protocol timeout values:
flow-timeouts:

  default:
    new: 3
    established: 30
    closed: 0
    emergency-new: 10
    emergency-established: 10
    emergency-closed: 0
  tcp:
    new: 6
    established: 100
    closed: 12
    emergency-new: 1
    emergency-established: 5
    emergency-closed: 2
  udp:
    new: 3
    established: 30
    emergency-new: 3
    emergency-established: 10
  icmp:
    new: 3
    established: 30
    emergency-new: 1
    emergency-established: 10



Adjust your stream engine settings:
stream:
  memcap: 12gb
  checksum-validation: no      # reject wrong csums
  prealloc-sesions: 500000     #per thread
  midstream: true
  asyn-oneside: true
  inline: no                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 20gb
    depth: 12mb                  # reassemble 12mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10


Make sure you enable suricata.log for troubleshooting if something goes wrong:
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      filename: /var/log/suricata/suricata.log



The PF_RING section:
# PF_RING configuration. for use with native PF_RING support
# for more info see http://www.ntop.org/PF_RING.html
pfring:
  - interface: eth3
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    threads: 16

    # Default clusterid.  PF_RING will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99

    # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
    # This is only supported in versions of PF_RING > 4.1.1.
    cluster-type: cluster_flow
    # bpf filter for this interface
    #bpf-filter: tcp
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - rxonly: only compute checksum for packets received by network card.
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: auto



We had these rules enabled:
rule-files:
 - md5.rules # 134 000 specially selected file md5s
 - dns.rules
 - malware.rules
 - local.rules
 - current_events.rules
 - mobile_malware.rules
 - user_agents.rules


Make sure you adjust your Network and Port variables:
  # Holds the address group vars that would be passed in a Signature.
  # These would be retrieved during the Signature address parsing stage.
  address-groups:

    HOME_NET: "[ HOME NET HERE ]"

    EXTERNAL_NET: "!$HOME_NET"

    HTTP_SERVERS: "$HOME_NET"

    SMTP_SERVERS: "$HOME_NET"

    SQL_SERVERS: "$HOME_NET"

    DNS_SERVERS: "$HOME_NET"

    TELNET_SERVERS: "$HOME_NET"

    AIM_SERVERS: "$EXTERNAL_NET"

    DNP3_SERVER: "$HOME_NET"

    DNP3_CLIENT: "$HOME_NET"

    MODBUS_CLIENT: "$HOME_NET"

    MODBUS_SERVER: "$HOME_NET"

    ENIP_CLIENT: "$HOME_NET"

    ENIP_SERVER: "$HOME_NET"

  # Holds the port group vars that would be passed in a Signature.
  # These would be retrieved during the Signature port parsing stage.
  port-groups:

    HTTP_PORTS: "80"

    SHELLCODE_PORTS: "!80"

    ORACLE_PORTS: 1521

    SSH_PORTS: 22

    DNP3_PORTS: 20000


Your app parsers:
# Holds details on the app-layer. The protocols section details each protocol.
# Under each protocol, the default value for detection-enabled and "
# parsed-enabled is yes, unless specified otherwise.
# Each protocol covers enabling/disabling parsers for all ipprotos
# the app-layer protocol runs on.  For example "dcerpc" refers to the tcp
# version of the protocol as well as the udp version of the protocol.
# The option "enabled" takes 3 values - "yes", "no", "detection-only".
# "yes" enables both detection and the parser, "no" disables both, and
# "detection-only" enables detection only(parser disabled).
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        tcp:
          toserver: 443

      #no-reassemble: yes
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        tcp:
          toserver: 139
    # smb2 detection is disabled internally inside the engine.
    #smb2:
    #  enabled: yes
    dnstcp:
       enabled: yes
       detection-ports:
         tcp:
           toserver: 53
    dnsudp:
       enabled: yes
       detection-ports:
         udp:
           toserver: 53
    http:
      enabled: yes


Libhtp body limits:
      libhtp:

         default-config:
           personality: IDS

           # Can be specified in kb, mb, gb.  Just a number indicates
           # it's in bytes.
           request-body-limit: 12mb
           response-body-limit: 12mb

           # inspection limits
           request-body-minimal-inspect-size: 32kb
           request-body-inspect-window: 4kb
           response-body-minimal-inspect-size: 32kb
           response-body-inspect-window: 4kb



Run it


With all that done and in place  - you can start Suricata like this (change your directory locations and such !)
 LD_LIBRARY_PATH=/usr/local/pfring/lib suricata --pfring-int=eth3 \
 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow \
 -c /etc/suricata/peter-yaml/suricata-pfring.yaml -D -v


this would also work:
suricata --pfring-int=eth3  --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow \
 -c /etc/suricata/peter-yaml/suricata-pfring.yaml -D -v



After you start Suricata with PF_RING, you could use htop and the logs info of suricata.log to determine if everything is ok


EXAMPLE:
 [29966] 30/11/2013 -- 14:29:12 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 16
[29966] 30/11/2013 -- 14:29:12 - (app-layer-dns-udp.c:315) <Info> (DNSUDPConfigure) -- DNS request flood protection level: 500
[29966] 30/11/2013 -- 14:29:12 - (defrag-hash.c:212) <Info> (DefragInitConfig) -- allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[29966] 30/11/2013 -- 14:29:12 - (defrag-hash.c:237) <Info> (DefragInitConfig) -- preallocated 65535 defrag trackers of size 152
[29966] 30/11/2013 -- 14:29:12 - (defrag-hash.c:244) <Info> (DefragInitConfig) -- defrag memory usage: 13631336 bytes, maximum: 536870912
[29966] 30/11/2013 -- 14:29:12 - (tmqh-flow.c:76) <Info> (TmqhFlowRegister) -- AutoFP mode using default "Active Packets" flow load balancer
[29967] 30/11/2013 -- 14:29:12 - (tmqh-packetpool.c:141) <Info> (PacketPoolInit) -- preallocated 65534 packets. Total memory 229106864
[29967] 30/11/2013 -- 14:29:12 - (host.c:205) <Info> (HostInitConfig) -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[29967] 30/11/2013 -- 14:29:12 - (host.c:228) <Info> (HostInitConfig) -- preallocated 1000 hosts of size 112
[29967] 30/11/2013 -- 14:29:12 - (host.c:230) <Info> (HostInitConfig) -- host memory usage: 390144 bytes, maximum: 16777216
[29967] 30/11/2013 -- 14:29:12 - (flow.c:386) <Info> (FlowInitConfig) -- allocated 67108864 bytes of memory for the flow hash... 1048576 buckets of size 64
[29967] 30/11/2013 -- 14:29:13 - (flow.c:410) <Info> (FlowInitConfig) -- preallocated 1048576 flows of size 280
[29967] 30/11/2013 -- 14:29:13 - (flow.c:412) <Info> (FlowInitConfig) -- flow memory usage: 369098752 bytes, maximum: 1073741824
.....
[29967] 30/11/2013 -- 14:30:23 - (util-runmodes.c:545) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 16 thread(s)
[30000] 30/11/2013 -- 14:30:23 - (source-pfring.c:445) <Info> (ReceivePfringThreadInit) -- (RxPFReth31) Using PF_RING v.5.6.2, interface eth3, cluster-id 99
[30001] 30/11/2013 -- 14:30:23 - (source-pfring.c:445) <Info> (ReceivePfringThreadInit) -- (RxPFReth32) Using PF_RING v.5.6.2, interface eth3, cluster-id 99
[30002] 30/11/2013 -- 14:30:23 - (source-pfring.c:445) <Info> (ReceivePfringThreadInit) -- (RxPFReth33) Using PF_RING v.5.6.2, interface eth3, cluster-id 99
[30003] 30/11/2013 -- 14:30:23 - (source-pfring.c:445) <Info> (ReceivePfringThreadInit) -- (RxPFReth34) Using PF_RING v.5.6.2, interface eth3, cluster-id 99
[30004] 30/11/2013 -- 14:30:24 - (source-pfring.c:445) <Info> (ReceivePfringThreadInit) -- (RxPFReth35) Using PF_RING v.5.6.2, interface eth3, cluster-id 99
[30005] 30/11/2013 -- 14:30:24 - (source-pfring.c:445) <Info> (ReceivePfringThreadInit) -- (RxPFReth36) Using PF_RING v.5.6.2, interface eth3, cluster-id 99
[30006] 30/11/2013 -- 14:30:24 - (source-pfring.c:445) <Info> (ReceivePfringThreadInit) -- (RxPFReth37) Using PF_RING v.5.6.2, interface eth3, cluster-id 99
[30007] 30/11/2013 -- 14:30:24 - (source-pfring.c:445) <Info> (ReceivePfringThreadInit) -- (RxPFReth38) Using PF_RING v.5.6.2, interface eth3, cluster-id 99
[30008] 30/11/2013 -- 14:30:24 - (source-pfring.c:445) <Info> (ReceivePfringThreadInit) -- (RxPFReth39) Using PF_RING v.5.6.2, interface eth3, cluster-id 99
[30009] 30/11/2013 -- 14:30:24 - (source-pfring.c:445) <Info> (ReceivePfringThreadInit) -- (RxPFReth310) Using PF_RING v.5.6.2, interface eth3, cluster-id 99
[30010] 30/11/2013 -- 14:30:24 - (source-pfring.c:445) <Info> (ReceivePfringThreadInit) -- (RxPFReth311) Using PF_RING v.5.6.2, interface eth3, cluster-id 99
[30011] 30/11/2013 -- 14:30:24 - (source-pfring.c:445) <Info> (ReceivePfringThreadInit) -- (RxPFReth312) Using PF_RING v.5.6.2, interface eth3, cluster-id 99
[30012] 30/11/2013 -- 14:30:24 - (source-pfring.c:445) <Info> (ReceivePfringThreadInit) -- (RxPFReth313) Using PF_RING v.5.6.2, interface eth3, cluster-id 99
[30013] 30/11/2013 -- 14:30:24 - (source-pfring.c:445) <Info> (ReceivePfringThreadInit) -- (RxPFReth314) Using PF_RING v.5.6.2, interface eth3, cluster-id 99
[30014] 30/11/2013 -- 14:30:25 - (source-pfring.c:445) <Info> (ReceivePfringThreadInit) -- (RxPFReth315) Using PF_RING v.5.6.2, interface eth3, cluster-id 99
[30015] 30/11/2013 -- 14:30:25 - (source-pfring.c:445) <Info> (ReceivePfringThreadInit) -- (RxPFReth316) Using PF_RING v.5.6.2, interface eth3, cluster-id 99
[29967] 30/11/2013 -- 14:30:25 - (runmode-pfring.c:555) <Info> (RunModeIdsPfringWorkers) -- RunModeIdsPfringWorkers initialised

.....
[29967] 30/11/2013 -- 14:30:25 - (tm-threads.c:2191) <Notice> (TmThreadWaitOnThreadInit) -- all 16 packet processing threads, 3 management threads initialized, engine started.




So after running for about 7 hrs:
root@suricata:/var/log/suricata# grep kernel stats.log |tail -32
capture.kernel_packets    | RxPFReth31                | 2313986783
capture.kernel_drops      | RxPFReth31                | 75254447
capture.kernel_packets    | RxPFReth32                | 2420204427
capture.kernel_drops      | RxPFReth32                | 23492323
capture.kernel_packets    | RxPFReth33                | 2412343682
capture.kernel_drops      | RxPFReth33                | 71202459
capture.kernel_packets    | RxPFReth34                | 2249712177
capture.kernel_drops      | RxPFReth34                | 15290216
capture.kernel_packets    | RxPFReth35                | 2272653367
capture.kernel_drops      | RxPFReth35                | 2072826
capture.kernel_packets    | RxPFReth36                | 2281254066
capture.kernel_drops      | RxPFReth36                | 118723669
capture.kernel_packets    | RxPFReth37                | 2430047882
capture.kernel_drops      | RxPFReth37                | 13702511
capture.kernel_packets    | RxPFReth38                | 2474713911
capture.kernel_drops      | RxPFReth38                | 6512062
capture.kernel_packets    | RxPFReth39                | 2299221265
capture.kernel_drops      | RxPFReth39                | 596690
capture.kernel_packets    | RxPFReth310               | 2398183554
capture.kernel_drops      | RxPFReth310               | 15623971
capture.kernel_packets    | RxPFReth311               | 2277348230
capture.kernel_drops      | RxPFReth311               | 62773742
capture.kernel_packets    | RxPFReth312               | 2693710052
capture.kernel_drops      | RxPFReth312               | 40213266
capture.kernel_packets    | RxPFReth313               | 2470037871
capture.kernel_drops      | RxPFReth313               | 406738
capture.kernel_packets    | RxPFReth314               | 2236636480
capture.kernel_drops      | RxPFReth314               | 714360
capture.kernel_packets    | RxPFReth315               | 2314829059
capture.kernel_drops      | RxPFReth315               | 1818726
capture.kernel_packets    | RxPFReth316               | 2271917603
capture.kernel_drops      | RxPFReth316               | 1200009

about 2% drops, 85% CPU usage , about 3300 rules and inspecting traffic for match on 134 000 file MD5s.


On a side note

You could also use linux-tools to do some more analyzing and performance tuning:
apt-get install linux-tools
Example: perf top
(hit enter)




Some more info found HERE and thanks to Regit HERE.

Your task of tuning up is not yet done. You could also do a dry test runs with profiling enabled in Suricata and determine the most "expensive rules" and tune them accordingly.

This is Chapter II (Part One - PF_RING) of a series of articles about high performance  and advance tuning of Suricata IDPS. The next article is Chapter II (Part Two - DNA)


by Peter Manev (noreply@blogger.com) at December 12, 2013 09:29 AM

December 11, 2013

Peter Manev

Suricata (and the grand slam of) Open Source IDPS - Chapter II - PF_RING / DNA , Part Two - DNA

Introduction


This is Chapter II (Part Two - DNA) of a series of articles about high performance  and advance tuning of Suricata IDPS

This article will consist of two parts  - on setting up and configuring PF_RING and PF_RING DNA for a 10Gbps interface monitoring.
This is Part Two - DNA , describing setup and  tuning of DNA - PF_RING™ DNA (Direct NIC Access)

Many thanks to Luca Deri and Alfredo Cardigliano from ntop for providing a license and support that made possible this article/guide for 10 Gbps deployment scenario.


Part Two - DNA

NOTE: PF_RING is open source and free, but for DNA you need a license. However the DNA license is free for non-profit organizations or education institutions (universities,colleges etc.)
In general PF_RING DNA is much faster than the usual PF_RING.

If you do not have PF_RING installed on your system you should follow all of the
Part One - PF_RING
guide except the section "Run it". After that come back and continue from here onwards.

If you have PF_RING already installed  , you should follow this article to get the PF_RING DNA set up and installed.

NOTE: Know your network card. This set up uses Intel 82599EB 10-Gigabit SFI/SFP+

NOTE: When one application is using the DNA interface no other application can use that same interface. Example if you have Suricata running with this guide, if you want to do "./pfcount" you would not be able to , since the DNA interface is already used by an application. For cases where you would like multiple applications to use the same DNA interface, you should consider Libzero.

Compile

Once you have acquired your DNA license (instructions of "how to" are included in the license), cd to the src of your latest pfring pull:

cd /home/pevman/pfring-svn-latest/drivers/DNA/ixgbe-3.18.7-DNA/src
make



Configure

Elevate as root. EDIT the script load_dna_driver.sh found in the  directory below
(/pfring-svn-latest/drivers/DNA/ixgbe-3.18.7-DNA/src/load_dna_driver.sh)
Make changes in the script load_dna_driver.sh like so (we use only one dna interface):
# Configure here the network interfaces to activate
IF[0]=dna0
#IF[1]=dna1
#IF[2]=dna2
#IF[3]=dna3



Leave rmmod like so (default):
# Remove old modules (if loaded)
rmmod ixgbe
rmmod pf_ring


Leave only two insmod lines uncommented
# We assume that you have compiled PF_RING
insmod ../../../../kernel/pf_ring.ko


Adjust the queues, use your own MAC address, increase the buffers, up the laser on the SFP:
# As many queues as the number of processors
#insmod ./ixgbe.ko RSS=0,0,0,0
insmod ./ixgbe.ko RSS=0 mtu=1522 adapters_to_enable=00:e0:ed:19:e3:e1 num_rx_slots=32768 FdirPballoc=3

Above we have 16 CPUs and we want to use 16 queues, enable only this adapter with this MAC address, bump up the rx slots and comment all the other insmod lines (besides these two shown above for pf_ring.ko and ixgbe.ko)

In the case above we enable 16 queues (cause we have 16 cpus) for the first port of the 10Gbps Intel network card.


 +++++ CORNER CASE +++++
( the bonus round !! - with the help of  Alfredo Cardigliano from ntop )

Question:
So what should you do if you have this scenario - 32 core system with a 
10Gbps network card and DNA. The card has  4 ports each port getting 1,2,6,1 Gbps
of traffic, respectivelly.

 You would like to get 4,8 16,4 queues - dedicated cpus (as written ) per
port. In other words:
Gbps of traffic (port 0,1,2,3) - >            1,2,6,1
Number of cpus/queues dedicated - >  4,8,16,4

Answer:
Simple -> You should use
insmod ./ixgbe.ko RSS=4,8,16,4 ....

instead of :
insmod ./ixgbe.ko RSS=0 ....

+++++ END of the CORNER CASE +++++


Execute load_dna_driver.sh from the same directory it resides in.
(ex for this tutorial - /home/pevman/pfring-svn-latest/drivers/DNA/ixgbe-3.18.7-DNA/src) :
./ load_dna_driver.sh

Make sure offloading is disabled (substitute the correct interface name below name):
ethtool -K dna0 tso off
ethtool -K dna0 gro off
ethtool -K dna0 lro off
ethtool -K dna0 gso off
ethtool -K dna0 rx off
ethtool -K dna0 tx off
ethtool -K dna0 sg off
ethtool -K dna0 rxvlan off
ethtool -K dna0 txvlan off
ethtool -N dna0 rx-flow-hash udp4 sdfn
ethtool -N dna0 rx-flow-hash udp6 sdfn
ethtool -n dna0 rx-flow-hash udp6
ethtool -n dna0 rx-flow-hash udp4
ethtool -C dna0 rx-usecs 1000
ethtool -C dna0 adaptive-rx off



Configuration in suricata.yaml

In suricata.yaml, make sure your pfring section looks like this:

# PF_RING configuration. for use with native PF_RING support
# for more info see http://www.ntop.org/PF_RING.html  #dna0@0
pfring:
  - interface: dna0@0
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    #threads: 1

    # Default clusterid.  PF_RING will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    #cluster-id: 1

    # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
    # This is only supported in versions of PF_RING > 4.1.1.
    cluster-type: cluster_flow
    # bpf filter for this interface
    #bpf-filter: tcp
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - rxonly: only compute checksum for packets received by network card.
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: auto
  # Second interface
  - interface: dna0@1
    threads: 1
  - interface: dna0@2
    threads: 1
  - interface: dna0@3
    threads: 1
  - interface: dna0@4
    threads: 1
  - interface: dna0@5
    threads: 1
  - interface: dna0@6
    threads: 1
  - interface: dna0@7
    threads: 1
  - interface: dna0@8
    threads: 1
  - interface: dna0@9
    threads: 1
  - interface: dna0@10
    threads: 1
  - interface: dna0@11
    threads: 1
  - interface: dna0@12
    threads: 1
  - interface: dna0@13
    threads: 1
  - interface: dna0@14
    threads: 1
  - interface: dna0@15
    threads: 1
  # Put default values here
  #- interface: default
    #threads: 2


Rules enabled in suricata.yaml:

default-rule-path: /etc/suricata/et-config/
rule-files:
 - trojan.rules
 - dns.rules
 - malware.rules
 - local.rules
 - jonkman.rules
 - worm.rules
 - current_events.rules
 - mobile_malware.rules
 - user_agents.rules



The rest of the suricata.yaml configuration guide you can take from Part One - PF_RING- regarding Suricata's specific settings - timeouts, memory settings, fragmentation , reassembly limits and so on.


Notice the DNA driver loaded:
 lshw -c Network
  *-network:1
       description: Ethernet interface
       product: 82599EB 10-Gigabit SFI/SFP+ Network Connection
       vendor: Intel Corporation
       physical id: 0.1
       bus info: pci@0000:04:00.1
       logical name: dna0
       version: 01
       serial: 00:e0:ed:19:e3:e1
       width: 64 bits
       clock: 33MHz
       capabilities: pm msi msix pciexpress vpd bus_master cap_list ethernet physical fibre
       configuration: autonegotiation=off broadcast=yes driver=ixgbe driverversion=3.18.7-DNA duplex=full firmware=0x800000cb latency=0 link=yes multicast=yes port=fibre promiscuous=yes
       resources: irq:37 memory:fbc00000-fbc1ffff ioport:e000(size=32) memory:fbc40000-fbc43fff memory:fa700000-fa7fffff memory:fa600000-fa6fffff



Start Suricata with DNA

(make sure  you adjust your directories in the command below)
suricata --pfring -c /etc/suricata/peter-yaml/suricata-pfring-dna.yaml -v -D


Some stats from suricata.log:

root@suricata:/home/pevman/pfring-svn-latest/userland/examples# more /var/log/suricata/suricata.log
[32055] 27/11/2013 -- 13:31:38 - (suricata.c:932) <Notice> (SCPrintVersion) -- This is Suricata version 2.0dev (rev 77b09fc)
[32055] 27/11/2013 -- 13:31:38 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 16
[32055] 27/11/2013 -- 13:31:38 - (app-layer-dns-udp.c:315) <Info> (DNSUDPConfigure) -- DNS request flood protection level: 500
[32055] 27/11/2013 -- 13:31:38 - (defrag-hash.c:209) <Info> (DefragInitConfig) -- allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[32055] 27/11/2013 -- 13:31:38 - (defrag-hash.c:234) <Info> (DefragInitConfig) -- preallocated 65535 defrag trackers of size 152
[32055] 27/11/2013 -- 13:31:38 - (defrag-hash.c:241) <Info> (DefragInitConfig) -- defrag memory usage: 13631336 bytes, maximum: 536870912
[32055] 27/11/2013 -- 13:31:38 - (tmqh-flow.c:76) <Info> (TmqhFlowRegister) -- AutoFP mode using default "Active Packets" flow load balancer
[32056] 27/11/2013 -- 13:31:38 - (tmqh-packetpool.c:141) <Info> (PacketPoolInit) -- preallocated 65534 packets. Total memory 288873872
[32056] 27/11/2013 -- 13:31:38 - (host.c:205) <Info> (HostInitConfig) -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[32056] 27/11/2013 -- 13:31:38 - (host.c:228) <Info> (HostInitConfig) -- preallocated 1000 hosts of size 112
[32056] 27/11/2013 -- 13:31:38 - (host.c:230) <Info> (HostInitConfig) -- host memory usage: 390144 bytes, maximum: 16777216
[32056] 27/11/2013 -- 13:31:38 - (flow.c:386) <Info> (FlowInitConfig) -- allocated 67108864 bytes of memory for the flow hash... 1048576 buckets of size 64
[32056] 27/11/2013 -- 13:31:38 - (flow.c:410) <Info> (FlowInitConfig) -- preallocated 1048576 flows of size 376
[32056] 27/11/2013 -- 13:31:38 - (flow.c:412) <Info> (FlowInitConfig) -- flow memory usage: 469762048 bytes, maximum: 1073741824
[32056] 27/11/2013 -- 13:31:38 - (reputation.c:459) <Info> (SRepInit) -- IP reputation disabled
[32056] 27/11/2013 -- 13:31:38 - (util-magic.c:62) <Info> (MagicInit) -- using magic-file /usr/share/file/magic
[32056] 27/11/2013 -- 13:31:38 - (suricata.c:1725) <Info> (SetupDelayedDetect) -- Delayed detect disabled

.....rules loaded  - 8010 :

[32056] 27/11/2013 -- 13:31:40 - (detect.c:453) <Info> (SigLoadSignatures) -- 9 rule files processed. 8010 rules successfully loaded, 0 rules failed
[32056] 27/11/2013 -- 13:31:40 - (detect.c:2589) <Info> (SigAddressPrepareStage1) -- 8017 signatures processed. 1 are IP-only rules, 2147 are inspecting packet payload, 6625 inspect application lay
er, 0 are decoder event only
[32056] 27/11/2013 -- 13:31:40 - (detect.c:2592) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
[32056] 27/11/2013 -- 13:31:40 - (detect.c:3218) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
[32056] 27/11/2013 -- 13:35:28 - (detect.c:3860) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete
[32056] 27/11/2013 -- 13:35:28 - (util-threshold-config.c:1186) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[32056] 27/11/2013 -- 13:35:28 - (util-coredump-config.c:122) <Info> (CoredumpLoadConfig) -- Core dump size set to unlimited.
[32056] 27/11/2013 -- 13:35:28 - (util-logopenfile.c:168) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[32056] 27/11/2013 -- 13:35:28 - (util-logopenfile.c:168) <Info> (SCConfLogOpenGeneric) -- http-log output device (regular) initialized: http.log
[32056] 27/11/2013 -- 13:35:28 - (util-logopenfile.c:168) <Info> (SCConfLogOpenGeneric) -- tls-log output device (regular) initialized: tls.log
[32056] 27/11/2013 -- 13:35:28 - (util-device.c:147) <Info> (LiveBuildDeviceList) -- Adding interface dna0@0 from config file
[32056] 27/11/2013 -- 13:35:28 - (util-device.c:147) <Info> (LiveBuildDeviceList) -- Adding interface dna0@1 from config file
[32056] 27/11/2013 -- 13:35:28 - (util-device.c:147) <Info> (LiveBuildDeviceList) -- Adding interface dna0@2 from config file
[32056] 27/11/2013 -- 13:35:28 - (util-device.c:147) <Info> (LiveBuildDeviceList) -- Adding interface dna0@3 from config file
[32056] 27/11/2013 -- 13:35:28 - (util-device.c:147) <Info> (LiveBuildDeviceList) -- Adding interface dna0@4 from config file
[32056] 27/11/2013 -- 13:35:28 - (util-device.c:147) <Info> (LiveBuildDeviceList) -- Adding interface dna0@5 from config file
[32056] 27/11/2013 -- 13:35:28 - (util-device.c:147) <Info> (LiveBuildDeviceList) -- Adding interface dna0@6 from config file
[32056] 27/11/2013 -- 13:35:28 - (util-device.c:147) <Info> (LiveBuildDeviceList) -- Adding interface dna0@7 from config file
[32056] 27/11/2013 -- 13:35:28 - (util-device.c:147) <Info> (LiveBuildDeviceList) -- Adding interface dna0@8 from config file
[32056] 27/11/2013 -- 13:35:28 - (util-device.c:147) <Info> (LiveBuildDeviceList) -- Adding interface dna0@9 from config file
[32056] 27/11/2013 -- 13:35:28 - (util-device.c:147) <Info> (LiveBuildDeviceList) -- Adding interface dna0@10 from config file
[32056] 27/11/2013 -- 13:35:28 - (util-device.c:147) <Info> (LiveBuildDeviceList) -- Adding interface dna0@11 from config file
[32056] 27/11/2013 -- 13:35:28 - (util-device.c:147) <Info> (LiveBuildDeviceList) -- Adding interface dna0@12 from config file
[32056] 27/11/2013 -- 13:35:28 - (util-device.c:147) <Info> (LiveBuildDeviceList) -- Adding interface dna0@13 from config file
[32056] 27/11/2013 -- 13:35:28 - (util-device.c:147) <Info> (LiveBuildDeviceList) -- Adding interface dna0@14 from config file
[32056] 27/11/2013 -- 13:35:28 - (util-device.c:147) <Info> (LiveBuildDeviceList) -- Adding interface dna0@15 from config file
........
......
[32056] 27/11/2013 -- 13:35:28 - (runmode-pfring.c:555) <Info> (RunModeIdsPfringWorkers) -- RunModeIdsPfringWorkers initialised
[32056] 27/11/2013 -- 13:35:28 - (stream-tcp.c:374) <Info> (StreamTcpInitConfig) -- stream "prealloc-sessions": 2048 (per thread)
[32056] 27/11/2013 -- 13:35:28 - (stream-tcp.c:390) <Info> (StreamTcpInitConfig) -- stream "memcap": 17179869184
[32056] 27/11/2013 -- 13:35:28 - (stream-tcp.c:396) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: enabled
[32056] 27/11/2013 -- 13:35:28 - (stream-tcp.c:402) <Info> (StreamTcpInitConfig) -- stream "async-oneside": disabled
[32056] 27/11/2013 -- 13:35:28 - (stream-tcp.c:419) <Info> (StreamTcpInitConfig) -- stream "checksum-validation": disabled
[32056] 27/11/2013 -- 13:35:28 - (stream-tcp.c:441) <Info> (StreamTcpInitConfig) -- stream."inline": disabled
[32056] 27/11/2013 -- 13:35:28 - (stream-tcp.c:454) <Info> (StreamTcpInitConfig) -- stream "max-synack-queued": 5
[32056] 27/11/2013 -- 13:35:28 - (stream-tcp.c:472) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 25769803776
[32056] 27/11/2013 -- 13:35:28 - (stream-tcp.c:490) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 12582912
[32056] 27/11/2013 -- 13:35:28 - (stream-tcp.c:573) <Info> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2509
[32056] 27/11/2013 -- 13:35:28 - (stream-tcp.c:575) <Info> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2459
[32056] 27/11/2013 -- 13:35:28 - (tm-threads.c:2191) <Notice> (TmThreadWaitOnThreadInit) -- all 16 packet processing threads, 3 management threads initialized, engine started.




Results: after 45 min running (and counting) on 10Gbps 8010 rules (impressive) ->
root@suricata:/var/log/suricata# grep  kernel /var/log/suricata/stats.log | tail -32
capture.kernel_packets    | RxPFRdna0@01              | 467567844
capture.kernel_drops      | RxPFRdna0@01              | 0
capture.kernel_packets    | RxPFRdna0@11              | 440973548
capture.kernel_drops      | RxPFRdna0@11              | 0
capture.kernel_packets    | RxPFRdna0@21              | 435088258
capture.kernel_drops      | RxPFRdna0@21              | 0
capture.kernel_packets    | RxPFRdna0@31              | 453131090
capture.kernel_drops      | RxPFRdna0@31              | 0
capture.kernel_packets    | RxPFRdna0@41              | 469334903
capture.kernel_drops      | RxPFRdna0@41              | 0
capture.kernel_packets    | RxPFRdna0@51              | 430412652
capture.kernel_drops      | RxPFRdna0@51              | 0
capture.kernel_packets    | RxPFRdna0@61              | 438056484
capture.kernel_drops      | RxPFRdna0@61              | 0
capture.kernel_packets    | RxPFRdna0@71              | 428234219
capture.kernel_drops      | RxPFRdna0@71              | 0
capture.kernel_packets    | RxPFRdna0@81              | 452883734
capture.kernel_drops      | RxPFRdna0@81              | 0
capture.kernel_packets    | RxPFRdna0@91              | 469565553
capture.kernel_drops      | RxPFRdna0@91              | 0
capture.kernel_packets    | RxPFRdna0@101             | 442010263
capture.kernel_drops      | RxPFRdna0@101             | 0
capture.kernel_packets    | RxPFRdna0@111             | 451989862
capture.kernel_drops      | RxPFRdna0@111             | 0
capture.kernel_packets    | RxPFRdna0@121             | 452650397
capture.kernel_drops      | RxPFRdna0@121             | 0
capture.kernel_packets    | RxPFRdna0@131             | 464907229
capture.kernel_drops      | RxPFRdna0@131             | 0
capture.kernel_packets    | RxPFRdna0@141             | 443403243
capture.kernel_drops      | RxPFRdna0@141             | 0
capture.kernel_packets    | RxPFRdna0@151             | 432499371
capture.kernel_drops      | RxPFRdna0@151             | 0

Some htop stats




In the examples directory of your PF_RING sources - /pfring-svn-latest/userland/examples you have some tools you can use to look at packets stats and such - example:

root@suricata:/home/pevman/pfring-svn-latest/userland/examples# ./pfcount_multichannel -i dna0
Capturing from dna0
Found 16 channels
Using PF_RING v.5.6.2
=========================
Absolute Stats: [channel=0][181016 pkts rcvd][0 pkts dropped]
Total Pkts=181016/Dropped=0.0 %
181016 pkts - 151335257 bytes [181011.8 pkt/sec - 1210.65 Mbit/sec]
=========================
Absolute Stats: [channel=1][179532 pkts rcvd][0 pkts dropped]
Total Pkts=179532/Dropped=0.0 %
179532 pkts - 145662057 bytes [179527.9 pkt/sec - 1165.27 Mbit/sec]
=========================
Absolute Stats: [channel=2][165293 pkts rcvd][0 pkts dropped]
Total Pkts=165293/Dropped=0.0 %
165293 pkts - 136544046 bytes [165289.2 pkt/sec - 1092.33 Mbit/sec]
=========================
Absolute Stats: [channel=3][170460 pkts rcvd][0 pkts dropped]
Total Pkts=170460/Dropped=0.0 %
170460 pkts - 140635250 bytes [170456.1 pkt/sec - 1125.06 Mbit/sec]
=========================
Absolute Stats: [channel=4][175195 pkts rcvd][0 pkts dropped]
Total Pkts=175195/Dropped=0.0 %
175274 pkts - 152625282 bytes [175270.0 pkt/sec - 1220.46 Mbit/sec]
=========================
Absolute Stats: [channel=5][183791 pkts rcvd][0 pkts dropped]
Total Pkts=183791/Dropped=0.0 %
183885 pkts - 160108632 bytes [183880.8 pkt/sec - 1280.29 Mbit/sec]
=========================
Absolute Stats: [channel=6][195090 pkts rcvd][0 pkts dropped]
Total Pkts=195090/Dropped=0.0 %
195090 pkts - 151078761 bytes [195085.5 pkt/sec - 1208.60 Mbit/sec]
=========================
Absolute Stats: [channel=7][176625 pkts rcvd][0 pkts dropped]
Total Pkts=176625/Dropped=0.0 %
176625 pkts - 149183724 bytes [176620.9 pkt/sec - 1193.44 Mbit/sec]
=========================
Absolute Stats: [channel=8][226365 pkts rcvd][0 pkts dropped]
Total Pkts=226365/Dropped=0.0 %
226365 pkts - 214464585 bytes [226359.8 pkt/sec - 1715.68 Mbit/sec]
=========================
Absolute Stats: [channel=9][183973 pkts rcvd][0 pkts dropped]
Total Pkts=183973/Dropped=0.0 %
183973 pkts - 154206146 bytes [183968.8 pkt/sec - 1233.62 Mbit/sec]
=========================
Absolute Stats: [channel=10][193904 pkts rcvd][0 pkts dropped]
Total Pkts=193904/Dropped=0.0 %
193904 pkts - 170982720 bytes [193899.5 pkt/sec - 1367.83 Mbit/sec]
=========================
Absolute Stats: [channel=11][159307 pkts rcvd][0 pkts dropped]
Total Pkts=159307/Dropped=0.0 %
159307 pkts - 130492164 bytes [159303.3 pkt/sec - 1043.91 Mbit/sec]
=========================
Absolute Stats: [channel=12][198685 pkts rcvd][0 pkts dropped]
Total Pkts=198685/Dropped=0.0 %
198685 pkts - 173157408 bytes [198680.4 pkt/sec - 1385.23 Mbit/sec]
=========================
Absolute Stats: [channel=13][196712 pkts rcvd][0 pkts dropped]
Total Pkts=196712/Dropped=0.0 %
196712 pkts - 172714889 bytes [196707.5 pkt/sec - 1381.69 Mbit/sec]
=========================
Absolute Stats: [channel=14][180239 pkts rcvd][0 pkts dropped]
Total Pkts=180239/Dropped=0.0 %
180239 pkts - 153796845 bytes [180234.9 pkt/sec - 1230.35 Mbit/sec]
=========================
Absolute Stats: [channel=15][174886 pkts rcvd][0 pkts dropped]
Total Pkts=174886/Dropped=0.0 %
174886 pkts - 149870888 bytes [174882.0 pkt/sec - 1198.94 Mbit/sec]
=========================
Aggregate stats (all channels): [0.0 pkt/sec][0.00 Mbit/sec][0 pkts dropped]
=========================

=========================
Absolute Stats: [channel=0][280911 pkts rcvd][0 pkts dropped]
Total Pkts=280911/Dropped=0.0 %
280911 pkts - 238246030 bytes [140327.9 pkt/sec - 952.12 Mbit/sec]
=========================
Actual Stats: [channel=0][99895 pkts][1001.8 ms][99715.9 pkt/sec]
=========================
Absolute Stats: [channel=1][271128 pkts rcvd][0 pkts dropped]
Total Pkts=271128/Dropped=0.0 %
271128 pkts - 220184576 bytes [135440.8 pkt/sec - 879.94 Mbit/sec]
=========================
Actual Stats: [channel=1][91540 pkts][1001.8 ms][91375.9 pkt/sec]
=========================
Absolute Stats: [channel=2][251004 pkts rcvd][0 pkts dropped]
Total Pkts=251004/Dropped=0.0 %
251090 pkts - 210457632 bytes [125430.9 pkt/sec - 840.91 Mbit/sec]
=========================
Actual Stats: [channel=2][85799 pkts][1001.8 ms][85645.2 pkt/sec]
=========================
Absolute Stats: [channel=3][256648 pkts rcvd][0 pkts dropped]
Total Pkts=256648/Dropped=0.0 %
256648 pkts - 213116218 bytes [128207.4 pkt/sec - 851.69 Mbit/sec]
=========================
Actual Stats: [channel=3][86188 pkts][1001.8 ms][86033.5 pkt/sec]
=========================
Absolute Stats: [channel=4][261802 pkts rcvd][0 pkts dropped]
Total Pkts=261802/Dropped=0.0 %
261802 pkts - 225272589 bytes [130782.1 pkt/sec - 900.27 Mbit/sec]
=========================
Actual Stats: [channel=4][86528 pkts][1001.8 ms][86372.9 pkt/sec]
=========================
Absolute Stats: [channel=5][275665 pkts rcvd][0 pkts dropped]
Total Pkts=275665/Dropped=0.0 %
275665 pkts - 239259529 bytes [137707.3 pkt/sec - 956.17 Mbit/sec]
=========================
Actual Stats: [channel=5][91780 pkts][1001.8 ms][91615.5 pkt/sec]
=========================
Absolute Stats: [channel=6][295611 pkts rcvd][0 pkts dropped]
Total Pkts=295611/Dropped=0.0 %
295611 pkts - 231543496 bytes [147671.2 pkt/sec - 925.33 Mbit/sec]
=========================
Actual Stats: [channel=6][100521 pkts][1001.8 ms][100340.8 pkt/sec]
=========================
Absolute Stats: [channel=7][268374 pkts rcvd][0 pkts dropped]
Total Pkts=268374/Dropped=0.0 %
268374 pkts - 230010930 bytes [134065.1 pkt/sec - 919.21 Mbit/sec]
=========================
Actual Stats: [channel=7][91749 pkts][1001.8 ms][91584.5 pkt/sec]
=========================
Absolute Stats: [channel=8][312726 pkts rcvd][0 pkts dropped]
Total Pkts=312726/Dropped=0.0 %
312726 pkts - 286419690 bytes [156220.9 pkt/sec - 1144.64 Mbit/sec]
=========================
Actual Stats: [channel=8][86361 pkts][1001.8 ms][86206.2 pkt/sec]
=========================
Absolute Stats: [channel=9][275091 pkts rcvd][0 pkts dropped]
Total Pkts=275091/Dropped=0.0 %
275091 pkts - 229807313 bytes [137420.5 pkt/sec - 918.39 Mbit/sec]
=========================
Actual Stats: [channel=9][91118 pkts][1001.8 ms][90954.6 pkt/sec]
=========================
Absolute Stats: [channel=10][289441 pkts rcvd][0 pkts dropped]
Total Pkts=289441/Dropped=0.0 %
289441 pkts - 254843198 bytes [144589.0 pkt/sec - 1018.45 Mbit/sec]
=========================
Actual Stats: [channel=10][95537 pkts][1001.8 ms][95365.7 pkt/sec]
=========================
Absolute Stats: [channel=11][241318 pkts rcvd][0 pkts dropped]
Total Pkts=241318/Dropped=0.0 %
241318 pkts - 200442927 bytes [120549.4 pkt/sec - 801.04 Mbit/sec]
=========================
Actual Stats: [channel=11][82011 pkts][1001.8 ms][81864.0 pkt/sec]
=========================
Absolute Stats: [channel=12][300209 pkts rcvd][0 pkts dropped]
Total Pkts=300209/Dropped=0.0 %
300209 pkts - 261259342 bytes [149968.1 pkt/sec - 1044.09 Mbit/sec]
=========================
Actual Stats: [channel=12][101524 pkts][1001.8 ms][101342.0 pkt/sec]
=========================
Absolute Stats: [channel=13][293733 pkts rcvd][0 pkts dropped]
Total Pkts=293733/Dropped=0.0 %
293733 pkts - 259477621 bytes [146733.0 pkt/sec - 1036.97 Mbit/sec]
=========================
Actual Stats: [channel=13][97021 pkts][1001.8 ms][96847.1 pkt/sec]
=========================
Absolute Stats: [channel=14][267101 pkts rcvd][0 pkts dropped]
Total Pkts=267101/Dropped=0.0 %
267101 pkts - 226064969 bytes [133429.1 pkt/sec - 903.44 Mbit/sec]
=========================
Actual Stats: [channel=14][86862 pkts][1001.8 ms][86706.3 pkt/sec]
=========================
Absolute Stats: [channel=15][266323 pkts rcvd][0 pkts dropped]
Total Pkts=266323/Dropped=0.0 %
266323 pkts - 232926529 bytes [133040.5 pkt/sec - 930.86 Mbit/sec]
=========================
Actual Stats: [channel=15][91437 pkts][1001.8 ms][91273.1 pkt/sec]
=========================
Aggregate stats (all channels): [1463243.0 pkt/sec][15023.51 Mbit/sec][0 pkts dropped]
=========================

=========================
Absolute Stats: [channel=0][373933 pkts rcvd][0 pkts dropped]
Total Pkts=373933/Dropped=0.0 %
374021 pkts - 319447715 bytes [124511.0 pkt/sec - 850.55 Mbit/sec]
=========================
Actual Stats: [channel=0][93110 pkts][1002.1 ms][92914.8 pkt/sec]
=========================
Absolute Stats: [channel=1][364673 pkts rcvd][0 pkts dropped]
Total Pkts=364673/Dropped=0.0 %
364673 pkts - 297909054 bytes [121399.0 pkt/sec - 793.39 Mbit/sec]
=========================
Actual Stats: [channel=1][93545 pkts][1002.1 ms][93348.9 pkt/sec]
=========================
Absolute Stats: [channel=2][340006 pkts rcvd][0 pkts dropped]
Total Pkts=340006/Dropped=0.0 %
340006 pkts - 286127223 bytes [113187.4 pkt/sec - 762.01 Mbit/sec]
=========================
Actual Stats: [channel=2][88914 pkts][1002.1 ms][88727.6 pkt/sec]
=========================
Absolute Stats: [channel=3][345742 pkts rcvd][0 pkts dropped]
Total Pkts=345742/Dropped=0.0 %
345744 pkts - 291400583 bytes [115097.6 pkt/sec - 776.05 Mbit/sec]
=========================
Actual Stats: [channel=3][89096 pkts][1002.1 ms][88909.2 pkt/sec]
=========================
Absolute Stats: [channel=4][347349 pkts rcvd][0 pkts dropped]
Total Pkts=347349/Dropped=0.0 %
347349 pkts - 298935146 bytes [115631.9 pkt/sec - 796.12 Mbit/sec]
=========================
Actual Stats: [channel=4][85547 pkts][1002.1 ms][85367.6 pkt/sec]
=========================
Absolute Stats: [channel=5][364298 pkts rcvd][0 pkts dropped]
Total Pkts=364298/Dropped=0.0 %
364298 pkts - 316328192 bytes [121274.2 pkt/sec - 842.44 Mbit/sec]
=========================
Actual Stats: [channel=5][88755 pkts][1002.1 ms][88568.9 pkt/sec]
=========================
Absolute Stats: [channel=6][389332 pkts rcvd][0 pkts dropped]
Total Pkts=389332/Dropped=0.0 %
389332 pkts - 304943539 bytes [129608.0 pkt/sec - 812.12 Mbit/sec]
=========================
Actual Stats: [channel=6][93721 pkts][1002.1 ms][93524.5 pkt/sec]
=========================
Absolute Stats: [channel=7][358297 pkts rcvd][0 pkts dropped]
Total Pkts=358297/Dropped=0.0 %
358297 pkts - 306416899 bytes [119276.5 pkt/sec - 816.05 Mbit/sec]
=========================
Actual Stats: [channel=7][89923 pkts][1002.1 ms][89734.5 pkt/sec]
=========================
Absolute Stats: [channel=8][401267 pkts rcvd][0 pkts dropped]
Total Pkts=401267/Dropped=0.0 %
401267 pkts - 360814291 bytes [133581.1 pkt/sec - 960.92 Mbit/sec]
=========================
Actual Stats: [channel=8][88541 pkts][1002.1 ms][88355.4 pkt/sec]
=========================
Absolute Stats: [channel=9][367106 pkts rcvd][0 pkts dropped]
Total Pkts=367106/Dropped=0.0 %
367106 pkts - 308110795 bytes [122209.0 pkt/sec - 820.56 Mbit/sec]
=========================
Actual Stats: [channel=9][92015 pkts][1002.1 ms][91822.1 pkt/sec]
=========================
Absolute Stats: [channel=10][379460 pkts rcvd][0 pkts dropped]
Total Pkts=379460/Dropped=0.0 %
379460 pkts - 333159086 bytes [126321.6 pkt/sec - 887.26 Mbit/sec]
=========================
Actual Stats: [channel=10][90019 pkts][1002.1 ms][89830.3 pkt/sec]
=========================
Absolute Stats: [channel=11][325694 pkts rcvd][0 pkts dropped]
Total Pkts=325694/Dropped=0.0 %
325694 pkts - 275299638 bytes [108423.0 pkt/sec - 733.17 Mbit/sec]
=========================
Actual Stats: [channel=11][84376 pkts][1002.1 ms][84199.1 pkt/sec]
=========================
Absolute Stats: [channel=12][404043 pkts rcvd][0 pkts dropped]
Total Pkts=404043/Dropped=0.0 %
404043 pkts - 354268267 bytes [134505.2 pkt/sec - 943.48 Mbit/sec]
=========================
Actual Stats: [channel=12][103834 pkts][1002.1 ms][103616.3 pkt/sec]
=========================
Absolute Stats: [channel=13][387853 pkts rcvd][0 pkts dropped]
Total Pkts=387853/Dropped=0.0 %
387853 pkts - 341947698 bytes [129115.6 pkt/sec - 910.67 Mbit/sec]
=========================
Actual Stats: [channel=13][94120 pkts][1002.1 ms][93922.7 pkt/sec]
=========================
Absolute Stats: [channel=14][355203 pkts rcvd][0 pkts dropped]
Total Pkts=355203/Dropped=0.0 %
355203 pkts - 299561170 bytes [118246.5 pkt/sec - 797.79 Mbit/sec]
=========================
Actual Stats: [channel=14][88102 pkts][1002.1 ms][87917.3 pkt/sec]
=========================
Absolute Stats: [channel=15][358170 pkts rcvd][0 pkts dropped]
Total Pkts=358170/Dropped=0.0 %
358170 pkts - 317357718 bytes [119234.2 pkt/sec - 845.18 Mbit/sec]
=========================
Actual Stats: [channel=15][91847 pkts][1002.1 ms][91654.4 pkt/sec]
=========================
Aggregate stats (all channels): [1452413.5 pkt/sec][13347.76 Mbit/sec][0 pkts dropped]
=========================

=========================
Absolute Stats: [channel=0][468626 pkts rcvd][0 pkts dropped]
Total Pkts=468626/Dropped=0.0 %
468626 pkts - 400765367 bytes [116978.6 pkt/sec - 800.31 Mbit/sec]
=========================
Actual Stats: [channel=0][94605 pkts][1002.2 ms][94400.9 pkt/sec]
=========================
Absolute Stats: [channel=1][459038 pkts rcvd][0 pkts dropped]
Total Pkts=459038/Dropped=0.0 %
459038 pkts - 375498207 bytes [114585.3 pkt/sec - 749.86 Mbit/sec]
=========================
Actual Stats: [channel=1][94365 pkts][1002.2 ms][94161.4 pkt/sec]
=========================
Absolute Stats: [channel=2][427693 pkts rcvd][0 pkts dropped]
Total Pkts=427693/Dropped=0.0 %
427756 pkts - 360740091 bytes [106776.6 pkt/sec - 720.30 Mbit/sec]
=========================
Actual Stats: [channel=2][87750 pkts][1002.2 ms][87560.7 pkt/sec]
=========================
Absolute Stats: [channel=3][430086 pkts rcvd][0 pkts dropped]
Total Pkts=430086/Dropped=0.0 %
430086 pkts - 360783155 bytes [107358.3 pkt/sec - 720.47 Mbit/sec]
=========================
Actual Stats: [channel=3][84342 pkts][1002.2 ms][84160.0 pkt/sec]
=========================
Absolute Stats: [channel=4][441175 pkts rcvd][0 pkts dropped]
Total Pkts=441175/Dropped=0.0 %
441175 pkts - 381517772 bytes [110126.3 pkt/sec - 761.88 Mbit/sec]
=========================
Actual Stats: [channel=4][93826 pkts][1002.2 ms][93623.6 pkt/sec]
=========================
Absolute Stats: [channel=5][452388 pkts rcvd][0 pkts dropped]
Total Pkts=452388/Dropped=0.0 %
452388 pkts - 392565040 bytes [112925.3 pkt/sec - 783.94 Mbit/sec]
=========================
Actual Stats: [channel=5][87966 pkts][1002.2 ms][87776.2 pkt/sec]
=========================
Absolute Stats: [channel=6][484619 pkts rcvd][0 pkts dropped]
Total Pkts=484619/Dropped=0.0 %
484619 pkts - 380513369 bytes [120970.8 pkt/sec - 759.87 Mbit/sec]
=========================
Actual Stats: [channel=6][95287 pkts][1002.2 ms][95081.4 pkt/sec]
=========================
Absolute Stats: [channel=7][444354 pkts rcvd][0 pkts dropped]
Total Pkts=444354/Dropped=0.0 %
444354 pkts - 380437307 bytes [110919.8 pkt/sec - 759.72 Mbit/sec]
=========================
Actual Stats: [channel=7][86057 pkts][1002.2 ms][85871.3 pkt/sec]
=========================
Absolute Stats: [channel=8][492232 pkts rcvd][0 pkts dropped]
Total Pkts=492232/Dropped=0.0 %
492232 pkts - 439080930 bytes [122871.2 pkt/sec - 876.83 Mbit/sec]
=========================
Actual Stats: [channel=8][90965 pkts][1002.2 ms][90768.8 pkt/sec]
=========================
Absolute Stats: [channel=9][456986 pkts rcvd][0 pkts dropped]
Total Pkts=456986/Dropped=0.0 %
456986 pkts - 384635529 bytes [114073.1 pkt/sec - 768.10 Mbit/sec]
=========================
Actual Stats: [channel=9][89880 pkts][1002.2 ms][89686.1 pkt/sec]
=========================
Absolute Stats: [channel=10][465784 pkts rcvd][0 pkts dropped]
Total Pkts=465784/Dropped=0.0 %
465784 pkts - 406987442 bytes [116269.2 pkt/sec - 812.74 Mbit/sec]
=========================
Actual Stats: [channel=10][86324 pkts][1002.2 ms][86137.8 pkt/sec]
=========================
Absolute Stats: [channel=11][414559 pkts rcvd][0 pkts dropped]
Total Pkts=414559/Dropped=0.0 %
414559 pkts - 356117478 bytes [103482.4 pkt/sec - 711.15 Mbit/sec]
=========================
Actual Stats: [channel=11][88865 pkts][1002.2 ms][88673.3 pkt/sec]
=========================
Absolute Stats: [channel=12][505441 pkts rcvd][0 pkts dropped]
Total Pkts=505441/Dropped=0.0 %
505441 pkts - 445085395 bytes [126168.4 pkt/sec - 888.82 Mbit/sec]
=========================
Actual Stats: [channel=12][101398 pkts][1002.2 ms][101179.3 pkt/sec]
=========================
Absolute Stats: [channel=13][484235 pkts rcvd][0 pkts dropped]
Total Pkts=484235/Dropped=0.0 %
484235 pkts - 428890010 bytes [120875.0 pkt/sec - 856.48 Mbit/sec]
=========================
Actual Stats: [channel=13][96382 pkts][1002.2 ms][96174.1 pkt/sec]
=========================
Absolute Stats: [channel=14][441791 pkts rcvd][0 pkts dropped]
Total Pkts=441791/Dropped=0.0 %
441791 pkts - 370987385 bytes [110280.1 pkt/sec - 740.85 Mbit/sec]
=========================
Actual Stats: [channel=14][86588 pkts][1002.2 ms][86401.2 pkt/sec]
=========================
Absolute Stats: [channel=15][447444 pkts rcvd][0 pkts dropped]
Total Pkts=447444/Dropped=0.0 %
447444 pkts - 400157776 bytes [111691.2 pkt/sec - 799.10 Mbit/sec]
=========================
Actual Stats: [channel=15][89274 pkts][1002.2 ms][89081.4 pkt/sec]
=========================
Aggregate stats (all channels): [1450737.5 pkt/sec][12510.42 Mbit/sec][0 pkts dropped]
=========================

^CLeaving...
=========================
Absolute Stats: [channel=0][526704 pkts rcvd][0 pkts dropped]
Total Pkts=526704/Dropped=0.0 %
526704 pkts - 449622006 bytes [112996.9 pkt/sec - 771.68 Mbit/sec]
=========================
Actual Stats: [channel=0][58078 pkts][655.1 ms][88649.3 pkt/sec]
=========================
Absolute Stats: [channel=1][518742 pkts rcvd][0 pkts dropped]
Total Pkts=518742/Dropped=0.0 %
518742 pkts - 423173503 bytes [111288.8 pkt/sec - 726.29 Mbit/sec]
=========================
Actual Stats: [channel=1][59704 pkts][655.1 ms][91131.2 pkt/sec]
=========================
Absolute Stats: [channel=2][482833 pkts rcvd][0 pkts dropped]
Total Pkts=482833/Dropped=0.0 %
482833 pkts - 408272765 bytes [103585.0 pkt/sec - 700.71 Mbit/sec]
=========================
Actual Stats: [channel=2][55077 pkts][655.1 ms][84068.7 pkt/sec]
=========================
Absolute Stats: [channel=3][484505 pkts rcvd][0 pkts dropped]
Total Pkts=484505/Dropped=0.0 %
484505 pkts - 407952853 bytes [103943.7 pkt/sec - 700.16 Mbit/sec]
=========================
Actual Stats: [channel=3][54419 pkts][655.1 ms][83064.3 pkt/sec]
=========================
Absolute Stats: [channel=4][497847 pkts rcvd][0 pkts dropped]
Total Pkts=497847/Dropped=0.0 %
497847 pkts - 430545046 bytes [106806.0 pkt/sec - 738.94 Mbit/sec]
=========================
Actual Stats: [channel=4][56672 pkts][655.1 ms][86503.3 pkt/sec]
=========================
Absolute Stats: [channel=5][509084 pkts rcvd][0 pkts dropped]
Total Pkts=509084/Dropped=0.0 %
509084 pkts - 442684546 bytes [109216.8 pkt/sec - 759.77 Mbit/sec]
=========================
Actual Stats: [channel=5][56696 pkts][655.1 ms][86539.9 pkt/sec]
=========================
Absolute Stats: [channel=6][590352 pkts rcvd][0 pkts dropped]
Total Pkts=590352/Dropped=0.0 %
590352 pkts - 488140796 bytes [126651.7 pkt/sec - 837.79 Mbit/sec]
=========================
Actual Stats: [channel=6][105733 pkts][655.1 ms][161389.2 pkt/sec]
=========================
Absolute Stats: [channel=7][498739 pkts rcvd][0 pkts dropped]
Total Pkts=498739/Dropped=0.0 %
498739 pkts - 426878095 bytes [106997.4 pkt/sec - 732.65 Mbit/sec]
=========================
Actual Stats: [channel=7][54385 pkts][655.1 ms][83012.4 pkt/sec]
=========================
Absolute Stats: [channel=8][545746 pkts rcvd][0 pkts dropped]
Total Pkts=545746/Dropped=0.0 %
545746 pkts - 483616307 bytes [117082.1 pkt/sec - 830.02 Mbit/sec]
=========================
Actual Stats: [channel=8][53514 pkts][655.1 ms][81682.9 pkt/sec]
=========================
Absolute Stats: [channel=9][513518 pkts rcvd][0 pkts dropped]
Total Pkts=513518/Dropped=0.0 %
513518 pkts - 433042435 bytes [110168.0 pkt/sec - 743.23 Mbit/sec]
=========================
Actual Stats: [channel=9][56532 pkts][655.1 ms][86289.6 pkt/sec]
=========================
Absolute Stats: [channel=10][518808 pkts rcvd][0 pkts dropped]
Total Pkts=518808/Dropped=0.0 %
518808 pkts - 451299621 bytes [111302.9 pkt/sec - 774.56 Mbit/sec]
=========================
Actual Stats: [channel=10][53024 pkts][655.1 ms][80935.0 pkt/sec]
=========================
Absolute Stats: [channel=11][463009 pkts rcvd][0 pkts dropped]
Total Pkts=463009/Dropped=0.0 %
463009 pkts - 396962614 bytes [99332.0 pkt/sec - 681.30 Mbit/sec]
=========================
Actual Stats: [channel=11][48372 pkts][655.1 ms][73834.3 pkt/sec]
=========================
Absolute Stats: [channel=12][568457 pkts rcvd][0 pkts dropped]
Total Pkts=568457/Dropped=0.0 %
568457 pkts - 501652006 bytes [121954.4 pkt/sec - 860.98 Mbit/sec]
=========================
Actual Stats: [channel=12][63016 pkts][655.1 ms][96186.6 pkt/sec]
=========================
Absolute Stats: [channel=13][540529 pkts rcvd][0 pkts dropped]
Total Pkts=540529/Dropped=0.0 %
540529 pkts - 477373633 bytes [115962.9 pkt/sec - 819.31 Mbit/sec]
=========================
Actual Stats: [channel=13][56294 pkts][655.1 ms][85926.3 pkt/sec]
=========================
Absolute Stats: [channel=14][493059 pkts rcvd][0 pkts dropped]
Total Pkts=493059/Dropped=0.0 %
493059 pkts - 413762408 bytes [105778.8 pkt/sec - 710.14 Mbit/sec]
=========================
Actual Stats: [channel=14][51268 pkts][655.1 ms][78254.7 pkt/sec]
=========================
Absolute Stats: [channel=15][500543 pkts rcvd][0 pkts dropped]
Total Pkts=500543/Dropped=0.0 %
500543 pkts - 447149624 bytes [107384.4 pkt/sec - 767.44 Mbit/sec]
=========================
Actual Stats: [channel=15][53099 pkts][655.1 ms][81049.5 pkt/sec]
=========================
Aggregate stats (all channels): [1428517.1 pkt/sec][12154.96 Mbit/sec][0 pkts dropped]
=========================

Shutting down sockets...
        0...
        1...
        2...
        3...
        4...
        5...
        6...
        7...
        8...
        9...
        10...
        11...
        12...
        13...
        14...
        15...
root@suricata:/home/pevman/pfring-svn-latest/userland/examples#



That is it for the DNA configuration and setup/installation part.
The next chapter - Chapter III - AF_PACKET - deals with configuration,setup and tuning of the  AF_PACKET mode usage for the Suricata IDPS.






by Peter Manev (noreply@blogger.com) at December 11, 2013 03:46 AM

Suricata (and the grand slam of) Open Source IDPS - Chapter I - Preparation



Introduction

This is a series of 4 articles aiming at giving a general guideline on how to deploy the Open Source Suricata IDPS on a high speed networks (10Gbps) in IDS mode using AF_PACKET , PF_RING or DNA.

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF and its supporting vendors.


In addition to that -  we will make use of some of the great Suricata features and mainly we will  compile in with GeoIP and file extraction support (extract files on the fly from traffic, based on their file type / file extension / file size/ file name/ MD5 hash ).

Further more Logstash / Kibana / Elasticsearch configuration and set up will be explored.

The articles in this series are comprised of:

Chapter I - Preparation
This chapter includes a general system description and basic set up tasks execution and tuning.

Chapter II - PF_RING / DNA
     Part One - PF_RING
     Part Two - DNA
This chapter includes two sections - PF_RING and DNA set up and configuration tasks.

Chapter III - AF_PACKET
This chapter includes AF_PACKET set up and configuration tasks.

Chapter IV - Logstash / Kibana / Elasticsearch
This chapter includes Logstash/Kibana/Elasticsearch  set up and configuration tweaks - making use of the JSON log output available in Suricata.



Following these tutorials would not guarantee you 0 drops or a perfect set up. Every set up is unique based on a number of things including type of traffic, HW , rulesets used and much more.
Instead these sets of articles are intended for a general guide / reference and you should further adjust settings after you have gone through the initial deployment steps and analysis of your needs and traffic.

For this set of articles it is not mandatory to install Suricata with both AF_PACKET and PF_RING (or DNA) enabled. If you choose one or the other or both is entirely up to you. This article series does not aim to produce a performance comparison between AF_PACKET and PF_RING - again it is up to you and depending on your needs, environment and hardware  to see which one works better for your setup.

Chapter I  - Preparation


In Chapter I  of this series of articles we would get a quick overview and basic info analysis of the OS system level, the traffic we are about to monitor and a quick/basic Suricata installation . We would also do a initial set up and prep of the system and the network card.

System's HW

CPU: One Intel(R) Xeon(R) CPU E5-2680 0 @ 2.70GHz (16 cores counting Hyperthreading)
root@suricata:/# cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 45
model name      : Intel(R) Xeon(R) CPU E5-2680 0 @ 2.70GHz
stepping        : 7
microcode       : 0x70b
cpu MHz         : 2701.000
cache size      : 20480 KB
physical id     : 0
siblings        : 16
Memory: 64GB - 1600 MHz
root@suricata:~# cat /proc/meminfo
MemTotal:       65951532 kB
MemFree:        22508716 kB
Buffers:            1028 kB
Cached:          2251136 kB
SwapCached:            0 kB
Network Card: Intel 82599EB 10-Gigabit SFI/SFP+
 04:00.0 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01)
        Subsystem: Intel Corporation Ethernet Server Adapter X520-2
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
        Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 0, Cache Line Size: 64 bytes
        Interrupt: pin A routed to IRQ 34
        Region 0: Memory at fbc20000 (64-bit, non-prefetchable) [size=128K]
        Region 2: I/O ports at e020 [size=32]
        Region 4: Memory at fbc44000 (64-bit, non-prefetchable) [size=16K]
        Capabilities: [40] Power Management version 3

System's OS

64 bit Ubuntu LTS 12.04.3
root@suricata:/# uname -a
Linux suricata 3.2.0-39-generic #62-Ubuntu SMP Thu Feb 28 00:28:53 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

Suricata

We will use the current dev version of Suricata - 2.0dev (rev 92568c3) - at the moment of this writing.


Network Traffic


There is no traffic alike.
Make sure you carefully analyze and select your HW (CPU, network cards,RAM, HDD, PCI bus type and speed) and deployment needs (which and what type of rules/rule set are you going to use).
Make sure you have an idea of how are you going to mirror the traffic. A good article on the subject of using a Network Tap or Port Mirror can be found HERE.
Make sure you know and analyze/investigate/profile for what kind of traffic/protocols, network and users/organization you will be doing the deployment.

It is important to point out that this is a set up for 10Gbps of traffic IDS monitoring of an ISP (Internet Service Provider) type of network backbone traffic.

Some of the tools you could use to get an idea of the traffic and necessary for the configuration part:

 apt-get install ethtool bwm-ng iptraf

type bwm-ng  , hit enter:

then press d:





tcpstat -i eth3  -o  "Time:%S\tn=%n\tavg=%a\tstddev=%d\tbps=%b\n"  1
(substitute eth3 with your interface):


Or  from the man pages of tcpstat that would mean:

n - %n' the number of packets
agv - %a' the average packet size in bytes
stddev - %d' the standard deviation of the size of each packet in bytes
bps - %b' the number of bits per second
-o - output format
1 - poll every 1 second
About 1.5 mpps (million packets per second )




iptraf - you could have  a look around:
"statistical breakdowns" and "detailed interface statistics" -> TCP/UDP port, packet size, then sort









NOTICE: (None of the above 3 would work in DNA mode config and installation while Suricata is running on the same interface, explained/described in a later chapter)


Packages installation

General packages needed:
apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make flex bison git git-core subversion libmagic-dev

For MD5 support(file extraction):
apt-get install libnss3-dev libnspr4-dev

For GeoIP:
apt-get install libgeoip1 libgeoip-dev

 Network and system  tools:
apt-get install ethtool bwm-ng iptraf htop



Installation and configuration 


Suricata

Get the latest Suricata dev branch:
git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ &&  git clone https://github.com/ironbee/libhtp.git -b 0.5.x
 Compile and install
 ./autogen.sh &&  ./configure --enable-geoip \
--with-libnss-libraries=/usr/lib \
--with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib \
--with-libnspr-includes=/usr/include/nspr \
&& sudo make clean && sudo make && sudo make install && sudo ldconfig
NOTICE: If this is your first time installing Suricata make sure you do some basic setup tasks - rule downloads, directory set up, network range configuration  - as described here. (or you can just use && sudo make install-full instead of && sudo make install above)

We will do a specific set up later in the articles , but you do need to have the basic set up done before.


Verify everything is in place , you can execute the following commands:
which suricata
suricata --build-info
ldd `which suricata`


 Network card drivers and tuning

Our card is Intel 82599EB 10-Gigabit SFI/SFP+


rmmod ixgbe
sudo modprobe ixgbe FdirPballoc=3
ifconfig eth3 up
then (we disable irqbalance and make sure it does not enable itself during reboot)
 killall irqbalance
 service irqbalance stop

 apt-get install chkconfig
 chkconfig irqbalance off
Get the Intel network driver form here (we will use them in a second) - https://downloadcenter.intel.com/default.aspx

 Download to your directory of choice then unzip,compile and install:
 tar -zxf ixgbe-3.18.7.tar.gz
 cd /home/pevman/ixgbe-3.18.7/src
 make clean && make && make install
Set irq affinity - do not forget to change eth3  below with the name of the network interface you are using:
 cd ../scripts/
 ./set_irq_affinity  eth3


 You should see something like this:
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ./set_irq_affinity  eth3
no rx vectors found on eth3
no tx vectors found on eth3
eth3 mask=1 for /proc/irq/101/smp_affinity
eth3 mask=2 for /proc/irq/102/smp_affinity
eth3 mask=4 for /proc/irq/103/smp_affinity
eth3 mask=8 for /proc/irq/104/smp_affinity
eth3 mask=10 for /proc/irq/105/smp_affinity
eth3 mask=20 for /proc/irq/106/smp_affinity
eth3 mask=40 for /proc/irq/107/smp_affinity
eth3 mask=80 for /proc/irq/108/smp_affinity
eth3 mask=100 for /proc/irq/109/smp_affinity
eth3 mask=200 for /proc/irq/110/smp_affinity
eth3 mask=400 for /proc/irq/111/smp_affinity
eth3 mask=800 for /proc/irq/112/smp_affinity
eth3 mask=1000 for /proc/irq/113/smp_affinity
eth3 mask=2000 for /proc/irq/114/smp_affinity
eth3 mask=4000 for /proc/irq/115/smp_affinity
eth3 mask=8000 for /proc/irq/116/smp_affinity
root@suricata:/home/pevman/ixgbe-3.18.7/scripts#
Now we have the latest drivers installed (at the time of this writing) and we have run the affinity script:
   *-network:1
       description: Ethernet interface
       product: 82599EB 10-Gigabit SFI/SFP+ Network Connection
       vendor: Intel Corporation
       physical id: 0.1
       bus info: pci@0000:04:00.1
       logical name: eth3
       version: 01
       serial: 00:e0:ed:19:e3:e1
       width: 64 bits
       clock: 33MHz
       capabilities: pm msi msix pciexpress vpd bus_master cap_list ethernet physical fibre
       configuration: autonegotiation=off broadcast=yes driver=ixgbe driverversion=3.18.7 duplex=full firmware=0x800000cb latency=0 link=yes multicast=yes port=fibre promiscuous=yes
       resources: irq:37 memory:fbc00000-fbc1ffff ioport:e000(size=32) memory:fbc40000-fbc43fff memory:fa700000-fa7fffff memory:fa600000-fa6fffff



We need to disable all offloading on the network card in order for the IDS to be able to see the traffic as it is supposed to be (without checksums,tcp-segmentation-offloading and such..) Otherwise your IDPS would not be able to see all "natural" network traffic the way it is supposed to and will not inspect it properly.

This would influence the correctness of ALL outputs including file extraction. So make sure all offloading features are OFF !



When you first install the drivers and card your offloading settings might look like this:
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -k eth3
Offload parameters for eth3:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: on
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: on
root@suricata:/home/pevman/ixgbe-3.18.7/scripts#

So we disable all of them, like so (and we load balance the UDP flows for that particular network card):

ethtool -K eth3 tso off
ethtool -K eth3 gro off
ethtool -K eth3 lro off
ethtool -K eth3 gso off
ethtool -K eth3 rx off
ethtool -K eth3 tx off
ethtool -K eth3 sg off
ethtool -K eth3 rxvlan off
ethtool -K eth3 txvlan off
ethtool -N eth3 rx-flow-hash udp4 sdfn
ethtool -N eth3 rx-flow-hash udp6 sdfn
ethtool -n eth3 rx-flow-hash udp6
ethtool -n eth3 rx-flow-hash udp4
ethtool -C eth3 rx-usecs 1000
ethtool -C eth3 adaptive-rx off

Your output should look something like this:
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -K eth3 tso off
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -K eth3 gro off
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -K eth3 lro off
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -K eth3 gso off
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -K eth3 rx off
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -K eth3 tx off
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -K eth3 sg off
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -K eth3 rxvlan off
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -K eth3 txvlan off
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -N eth3 rx-flow-hash udp4 sdfn
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -N eth3 rx-flow-hash udp6 sdfn
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -n eth3 rx-flow-hash udp6
UDP over IPV6 flows use these fields for computing Hash flow key:
IP SA
IP DA
L4 bytes 0 & 1 [TCP/UDP src port]
L4 bytes 2 & 3 [TCP/UDP dst port]

root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -n eth3 rx-flow-hash udp4
UDP over IPV4 flows use these fields for computing Hash flow key:
IP SA
IP DA
L4 bytes 0 & 1 [TCP/UDP src port]
L4 bytes 2 & 3 [TCP/UDP dst port]

root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -C eth3 rx-usecs 1000
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -C eth3 adaptive-rx off

Now we doublecheck and run ethtool again to verify that the offloading is OFF:
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -k eth3
Offload parameters for eth3:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: off
tx-vlan-offload: off

So in general we are done with the preparation of the system. The next chapter will explain PF_RING / DNA specific configuration in the suricata.yaml and the system in general.



by Peter Manev (noreply@blogger.com) at December 11, 2013 03:46 AM

December 10, 2013

Peter Manev

Suricata (and the grand slam of) Open Source IDPS - Chapter III - AF_PACKET

Introduction


This is Chapter III - AF_PACKET of a series of articles about high performance  and advance tuning of Suricata IDPS

This article will consist of series of instructions on setting up and configuring Suricata IDPS with  AF_PACKET for a 10Gbps traffic interface monitoring.



Chapter III - AF_PACKET

AF_PACKET works "out of the box " with Suricata. Please make sure your kernel level is at least 3.2 in order to get the best results.

Once you have followed all the steps in Chapter I - Preparation  The only thing left to do is adjust the suricata.yaml settings.


AF_PACKET - suricata.yaml tune up and configuration




NOTE:
AF_PACKET - Which kernel version not to use with Suricata in AF_PACKET mode
(thanks to Regit)


We make sure we use runmode workers (feel free to try other modes and experiment what is best for your specific set up):
#runmode: autofp
runmode: workers


Adjust the packet size:
# Preallocated size for packet. Default is 1514 which is the classical
# size for pcap on ethernet. You should adjust this value to the highest
# packet size (MTU + hardware header) on your system.
default-packet-size: 1520


Use custom profile in detect-engine with a lot more groups (high gives you about 15 groups per variable, but you can customize as needed depending on the network ranges you monitor ):
detect-engine:
  - profile: custom
  - custom-values:
      toclient-src-groups: 200
      toclient-dst-groups: 200
      toclient-sp-groups: 200
      toclient-dp-groups: 300
      toserver-src-groups: 200
      toserver-dst-groups: 400
      toserver-sp-groups: 200
      toserver-dp-groups: 250
  - sgh-mpm-context: full
  - inspection-recursion-limit: 3000


Adjust your defrag settings:
# Defrag settings:
defrag:
  memcap: 512mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep
  prealloc: yes
  timeout: 30



Adjust your flow settings:
flow:
  memcap: 1gb
  hash-size: 1048576
  prealloc: 1048576
  emergency-recovery: 30


Adjust your per protocol timeout values:
flow-timeouts:

  default:
    new: 3
    established: 30
    closed: 0
    emergency-new: 10
    emergency-established: 10
    emergency-closed: 0
  tcp:
    new: 6
    established: 100
    closed: 12
    emergency-new: 1
    emergency-established: 5
    emergency-closed: 2
  udp:
    new: 3
    established: 30
    emergency-new: 3
    emergency-established: 10
  icmp:
    new: 3
    established: 30
    emergency-new: 1
    emergency-established: 10



Adjust your stream engine settings:
stream:
  memcap: 16gb
  checksum-validation: no      # reject wrong csums
  prealloc-sesions: 500000     #per thread
  midstream: true
  asyn-oneside: true
  inline: no                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 20gb
    depth: 12mb                  # reassemble 12mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10


Make sure you enable suricata.log for troubleshooting if something goes wrong:
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      filename: /var/log/suricata/suricata.log



The AF_PACKET section:
af-packet:
  - interface: eth3
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    threads: 16
    # Default clusterid.  AF_PACKET will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 98
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible value are:
    #  * cluster_round_robin: round robin load balancing
    #  * cluster_flow: all packets of a given flow are send to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
    cluster-type: cluster_cpu
    # In some fragmentation case, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: no
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    use-mmap: yes
    # Ring size will be computed with respect to max_pending_packets and number
    # of threads. You can set manually the ring size in number of packets by setting
    # the following value. If you are using flow cluster-type and have really network
    # intensive single-flow you could want to set the ring-size independantly of the number
    # of threads:
    ring-size: 200000
    # On busy system, this could help to set it to yes to recover from a packet drop
    # phase. This will result in some packets (at max a ring flush) being non treated.
    #use-emergency-flush: yes
    # recv buffer size, increase value could improve performance
    # buffer-size: 100000
    # Set to yes to disable promiscuous mode
    # disable-promisc: no
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - kernel: use indication sent by kernel for each packet (default)
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used.
    # Warning: 'checksum-validation' must be set to yes to have any validation
    checksum-checks: kernel
    # BPF filter to apply to this interface. The pcap filter syntax apply here.
    #bpf-filter: port 80 or udp
   



We had these rules enabled:
rule-files:
   - trojan.rules
   - md5.rules # 134 000 specially selected file md5s
   - dns.rules
   - malware.rules
   - local.rules
   - current_events.rules
   -  mobile_malware.rules
   - user_agents.rules 



Make sure you adjust your Network and Port variables:
  # Holds the address group vars that would be passed in a Signature.
  # These would be retrieved during the Signature address parsing stage.
  address-groups:

    HOME_NET: "[ HOME NET HERE ]"

    EXTERNAL_NET: "!$HOME_NET"

    HTTP_SERVERS: "$HOME_NET"

    SMTP_SERVERS: "$HOME_NET"

    SQL_SERVERS: "$HOME_NET"

    DNS_SERVERS: "$HOME_NET"

    TELNET_SERVERS: "$HOME_NET"

    AIM_SERVERS: "$EXTERNAL_NET"

    DNP3_SERVER: "$HOME_NET"

    DNP3_CLIENT: "$HOME_NET"

    MODBUS_CLIENT: "$HOME_NET"

    MODBUS_SERVER: "$HOME_NET"

    ENIP_CLIENT: "$HOME_NET"

    ENIP_SERVER: "$HOME_NET"

  # Holds the port group vars that would be passed in a Signature.
  # These would be retrieved during the Signature port parsing stage.
  port-groups:

    HTTP_PORTS: "80"

    SHELLCODE_PORTS: "!80"

    ORACLE_PORTS: 1521

    SSH_PORTS: 22

    DNP3_PORTS: 20000


Your app parsers:
# Holds details on the app-layer. The protocols section details each protocol.
# Under each protocol, the default value for detection-enabled and "
# parsed-enabled is yes, unless specified otherwise.
# Each protocol covers enabling/disabling parsers for all ipprotos
# the app-layer protocol runs on.  For example "dcerpc" refers to the tcp
# version of the protocol as well as the udp version of the protocol.
# The option "enabled" takes 3 values - "yes", "no", "detection-only".
# "yes" enables both detection and the parser, "no" disables both, and
# "detection-only" enables detection only(parser disabled).
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        tcp:
          toserver: 443

      #no-reassemble: yes
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        tcp:
          toserver: 139
    # smb2 detection is disabled internally inside the engine.
    #smb2:
    #  enabled: yes
    dnstcp:
       enabled: yes
       detection-ports:
         tcp:
           toserver: 53
    dnsudp:
       enabled: yes
       detection-ports:
         udp:
           toserver: 53
    http:
      enabled: yes


Libhtp body limits:
      libhtp:

         default-config:
           personality: IDS

           # Can be specified in kb, mb, gb.  Just a number indicates
           # it's in bytes.
           request-body-limit: 12mb
           response-body-limit: 12mb

           # inspection limits
           request-body-minimal-inspect-size: 32kb
           request-body-inspect-window: 4kb
           response-body-minimal-inspect-size: 32kb
           response-body-inspect-window: 4kb



Run it

 /usr/local/bin/suricata -c /etc/suricata/suricata.yaml --af-packet=eth3 -D -v



Results


We take a look at the suricata.log file:
[13915] 4/12/2013 -- 15:38:15 - (suricata.c:962) <Notice> (SCPrintVersion) -- This is Suricata version 2.0dev (rev e7f6107)
[13915] 4/12/2013 -- 15:38:15 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 16
[13915] 4/12/2013 -- 15:38:15 - (app-layer-dns-udp.c:315) <Info> (DNSUDPConfigure) -- DNS request flood protection level: 500
[13915] 4/12/2013 -- 15:38:15 - (util-ioctl.c:99) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'eth3'
[13915] 4/12/2013 -- 15:38:15 - (defrag-hash.c:212) <Info> (DefragInitConfig) -- allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[13915] 4/12/2013 -- 15:38:15 - (defrag-hash.c:237) <Info> (DefragInitConfig) -- preallocated 65535 defrag trackers of size 152
[13915] 4/12/2013 -- 15:38:15 - (defrag-hash.c:244) <Info> (DefragInitConfig) -- defrag memory usage: 13631336 bytes, maximum: 536870912
[13915] 4/12/2013 -- 15:38:15 - (tmqh-flow.c:76) <Info> (TmqhFlowRegister) -- AutoFP mode using default "Active Packets" flow load balancer
[13916] 4/12/2013 -- 15:38:15 - (tmqh-packetpool.c:142) <Info> (PacketPoolInit) -- preallocated 2048 packets. Total memory 7151616
[13916] 4/12/2013 -- 15:38:15 - (host.c:205) <Info> (HostInitConfig) -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[13916] 4/12/2013 -- 15:38:15 - (host.c:228) <Info> (HostInitConfig) -- preallocated 1000 hosts of size 112
[13916] 4/12/2013 -- 15:38:15 - (host.c:230) <Info> (HostInitConfig) -- host memory usage: 390144 bytes, maximum: 16777216
[13916] 4/12/2013 -- 15:38:15 - (flow.c:386) <Info> (FlowInitConfig) -- allocated 67108864 bytes of memory for the flow hash... 1048576 buckets of size 64
[13916] 4/12/2013 -- 15:38:15 - (flow.c:410) <Info> (FlowInitConfig) -- preallocated 1048576 flows of size 280
[13916] 4/12/2013 -- 15:38:15 - (flow.c:412) <Info> (FlowInitConfig) -- flow memory usage: 369098752 bytes, maximum: 1073741824
[13916] 4/12/2013 -- 15:38:15 - (reputation.c:459) <Info> (SRepInit) -- IP reputation disabled
[13916] 4/12/2013 -- 15:38:15 - (util-magic.c:62) <Info> (MagicInit) -- using magic-file /usr/share/file/magic
[13916] 4/12/2013 -- 15:38:15 - (suricata.c:1769) <Info> (SetupDelayedDetect) -- Delayed detect disabled
[13916] 4/12/2013 -- 15:38:17 - (detect-filemd5.c:275) <Info> (DetectFileMd5Parse) -- MD5 hash size 2143616 bytes


...8 rule files, 7947 rules loaded
[13916] 4/12/2013 -- 15:38:17 - (detect.c:453) <Info> (SigLoadSignatures) -- 8 rule files processed. 7947 rules successfully loaded, 0 rules failed
[13916] 4/12/2013 -- 15:38:17 - (detect.c:2568) <Info> (SigAddressPrepareStage1) -- 7947 signatures processed. 1 are IP-only rules, 1976 are inspecting packet payload, 6714 inspect application laye
r, 0 are decoder event only
[13916] 4/12/2013 -- 15:38:17 - (detect.c:2571) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: preprocessing rules... complete
[13916] 4/12/2013 -- 15:38:17 - (detect.c:3194) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
[13916] 4/12/2013 -- 15:39:51 - (detect.c:3836) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete
[13916] 4/12/2013 -- 15:39:51 - (util-threshold-config.c:1186) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[13916] 4/12/2013 -- 15:39:51 - (util-coredump-config.c:122) <Info> (CoredumpLoadConfig) -- Core dump size set to unlimited.
[13916] 4/12/2013 -- 15:39:51 - (util-logopenfile.c:168) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[13916] 4/12/2013 -- 15:39:51 - (util-logopenfile.c:168) <Info> (SCConfLogOpenGeneric) -- http-log output device (regular) initialized: http.log
[13916] 4/12/2013 -- 15:39:51 - (util-logopenfile.c:168) <Info> (SCConfLogOpenGeneric) -- tls-log output device (regular) initialized: tls.log
[13916] 4/12/2013 -- 15:39:51 - (util-affinity.c:217) <Info> (AffinitySetupLoadFromConfig) -- Found affinity definition for "management-cpu-set"
[13916] 4/12/2013 -- 15:39:51 - (util-affinity.c:265) <Info> (AffinitySetupLoadFromConfig) -- Using default prio 'low'
[13916] 4/12/2013 -- 15:39:51 - (util-affinity.c:217) <Info> (AffinitySetupLoadFromConfig) -- Found affinity definition for "receive-cpu-set"
[13916] 4/12/2013 -- 15:39:51 - (util-affinity.c:217) <Info> (AffinitySetupLoadFromConfig) -- Found affinity definition for "decode-cpu-set"
[13916] 4/12/2013 -- 15:39:51 - (util-affinity.c:217) <Info> (AffinitySetupLoadFromConfig) -- Found affinity definition for "stream-cpu-set"
[13916] 4/12/2013 -- 15:39:51 - (util-affinity.c:217) <Info> (AffinitySetupLoadFromConfig) -- Found affinity definition for "detect-cpu-set"
[13916] 4/12/2013 -- 15:39:51 - (util-affinity.c:265) <Info> (AffinitySetupLoadFromConfig) -- Using default prio 'high'
[13916] 4/12/2013 -- 15:39:51 - (util-affinity.c:217) <Info> (AffinitySetupLoadFromConfig) -- Found affinity definition for "verdict-cpu-set"
[13916] 4/12/2013 -- 15:39:51 - (util-affinity.c:265) <Info> (AffinitySetupLoadFromConfig) -- Using default prio 'high'
[13916] 4/12/2013 -- 15:39:51 - (util-affinity.c:217) <Info> (AffinitySetupLoadFromConfig) -- Found affinity definition for "reject-cpu-set"
[13916] 4/12/2013 -- 15:39:51 - (util-affinity.c:265) <Info> (AffinitySetupLoadFromConfig) -- Using default prio 'low'
[13916] 4/12/2013 -- 15:39:51 - (util-affinity.c:217) <Info> (AffinitySetupLoadFromConfig) -- Found affinity definition for "output-cpu-set"
[13916] 4/12/2013 -- 15:39:51 - (util-affinity.c:265) <Info> (AffinitySetupLoadFromConfig) -- Using default prio 'medium'
[13916] 4/12/2013 -- 15:39:51 - (runmode-af-packet.c:200) <Info> (ParseAFPConfig) -- Enabling mmaped capture on iface eth3
[13916] 4/12/2013 -- 15:39:51 - (runmode-af-packet.c:268) <Info> (ParseAFPConfig) -- Using cpu cluster mode for AF_PACKET (iface eth3)
[13916] 4/12/2013 -- 15:39:51 - (util-runmodes.c:545) <Info>


...going to use 16 threads:
(RunModeSetLiveCaptureWorkersForDevice) -- Going to use 16 thread(s)
[13918] 4/12/2013 -- 15:39:51 - (util-affinity.c:319) <Info> (AffinityGetNextCPU) -- Setting affinity on CPU 0
[13918] 4/12/2013 -- 15:39:51 - (tm-threads.c:1332) <Info> (TmThreadSetupOptions) -- Setting prio -2 for "AFPacketeth31" Module to cpu/core 0, thread id 13918
[13918] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1554) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode
[13918] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1564) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode by using data release call
[13919] 4/12/2013 -- 15:39:51 - (util-affinity.c:319) <Info> (AffinityGetNextCPU) -- Setting affinity on CPU 1
[13919] 4/12/2013 -- 15:39:51 - (tm-threads.c:1332) <Info> (TmThreadSetupOptions) -- Setting prio -2 for "AFPacketeth32" Module to cpu/core 1, thread id 13919
[13919] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1554) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode
[13919] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1564) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode by using data release call
[13920] 4/12/2013 -- 15:39:51 - (util-affinity.c:319) <Info> (AffinityGetNextCPU) -- Setting affinity on CPU 2
[13920] 4/12/2013 -- 15:39:51 - (tm-threads.c:1332) <Info> (TmThreadSetupOptions) -- Setting prio -2 for "AFPacketeth33" Module to cpu/core 2, thread id 13920
[13920] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1554) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode
[13920] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1564) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode by using data release call
[13921] 4/12/2013 -- 15:39:51 - (util-affinity.c:319) <Info> (AffinityGetNextCPU) -- Setting affinity on CPU 3
[13921] 4/12/2013 -- 15:39:51 - (tm-threads.c:1332) <Info> (TmThreadSetupOptions) -- Setting prio -2 for "AFPacketeth34" Module to cpu/core 3, thread id 13921
[13921] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1554) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode
[13921] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1564) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode by using data release call
[13922] 4/12/2013 -- 15:39:51 - (util-affinity.c:319) <Info> (AffinityGetNextCPU) -- Setting affinity on CPU 4
[13922] 4/12/2013 -- 15:39:51 - (tm-threads.c:1332) <Info> (TmThreadSetupOptions) -- Setting prio -2 for "AFPacketeth35" Module to cpu/core 4, thread id 13922
[13922] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1554) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode
[13922] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1564) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode by using data release call
[13923] 4/12/2013 -- 15:39:51 - (util-affinity.c:319) <Info> (AffinityGetNextCPU) -- Setting affinity on CPU 5
[13923] 4/12/2013 -- 15:39:51 - (tm-threads.c:1332) <Info> (TmThreadSetupOptions) -- Setting prio -2 for "AFPacketeth36" Module to cpu/core 5, thread id 13923
[13923] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1554) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode
[13923] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1564) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode by using data release call
[13924] 4/12/2013 -- 15:39:51 - (util-affinity.c:319) <Info> (AffinityGetNextCPU) -- Setting affinity on CPU 6
[13924] 4/12/2013 -- 15:39:51 - (tm-threads.c:1332) <Info> (TmThreadSetupOptions) -- Setting prio -2 for "AFPacketeth37" Module to cpu/core 6, thread id 13924
[13924] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1554) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode
[13924] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1564) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode by using data release call
[13925] 4/12/2013 -- 15:39:51 - (util-affinity.c:319) <Info> (AffinityGetNextCPU) -- Setting affinity on CPU 7
[13925] 4/12/2013 -- 15:39:51 - (tm-threads.c:1332) <Info> (TmThreadSetupOptions) -- Setting prio -2 for "AFPacketeth38" Module to cpu/core 7, thread id 13925
[13925] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1554) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode
[13925] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1564) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode by using data release call
[13926] 4/12/2013 -- 15:39:51 - (util-affinity.c:319) <Info> (AffinityGetNextCPU) -- Setting affinity on CPU 8
[13926] 4/12/2013 -- 15:39:51 - (tm-threads.c:1332) <Info> (TmThreadSetupOptions) -- Setting prio -2 for "AFPacketeth39" Module to cpu/core 8, thread id 13926
[13926] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1554) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode
[13926] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1564) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode by using data release call
[13927] 4/12/2013 -- 15:39:51 - (util-affinity.c:319) <Info> (AffinityGetNextCPU) -- Setting affinity on CPU 9
[13927] 4/12/2013 -- 15:39:51 - (tm-threads.c:1332) <Info> (TmThreadSetupOptions) -- Setting prio -2 for "AFPacketeth310" Module to cpu/core 9, thread id 13927
[13927] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1554) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode
[13927] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1564) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode by using data release call
[13928] 4/12/2013 -- 15:39:51 - (util-affinity.c:319) <Info> (AffinityGetNextCPU) -- Setting affinity on CPU 10
[13928] 4/12/2013 -- 15:39:51 - (tm-threads.c:1332) <Info> (TmThreadSetupOptions) -- Setting prio -2 for "AFPacketeth311" Module to cpu/core 10, thread id 13928
[13928] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1554) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode
[13928] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1564) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode by using data release call
[13929] 4/12/2013 -- 15:39:51 - (util-affinity.c:319) <Info> (AffinityGetNextCPU) -- Setting affinity on CPU 11
[13929] 4/12/2013 -- 15:39:51 - (tm-threads.c:1332) <Info> (TmThreadSetupOptions) -- Setting prio -2 for "AFPacketeth312" Module to cpu/core 11, thread id 13929
[13929] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1554) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode
[13929] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1564) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode by using data release call
[13930] 4/12/2013 -- 15:39:51 - (util-affinity.c:319) <Info> (AffinityGetNextCPU) -- Setting affinity on CPU 12
[13930] 4/12/2013 -- 15:39:51 - (tm-threads.c:1332) <Info> (TmThreadSetupOptions) -- Setting prio -2 for "AFPacketeth313" Module to cpu/core 12, thread id 13930
[13930] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1554) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode
[13930] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1564) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode by using data release call
[13931] 4/12/2013 -- 15:39:51 - (util-affinity.c:319) <Info> (AffinityGetNextCPU) -- Setting affinity on CPU 13
[13931] 4/12/2013 -- 15:39:51 - (tm-threads.c:1332) <Info> (TmThreadSetupOptions) -- Setting prio -2 for "AFPacketeth314" Module to cpu/core 13, thread id 13931
[13931] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1554) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode
[13931] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1564) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode by using data release call
[13932] 4/12/2013 -- 15:39:51 - (util-affinity.c:319) <Info> (AffinityGetNextCPU) -- Setting affinity on CPU 14
[13932] 4/12/2013 -- 15:39:51 - (tm-threads.c:1332) <Info> (TmThreadSetupOptions) -- Setting prio -2 for "AFPacketeth315" Module to cpu/core 14, thread id 13932
[13932] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1554) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode
[13932] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1564) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode by using data release call
[13933] 4/12/2013 -- 15:39:51 - (util-affinity.c:319) <Info> (AffinityGetNextCPU) -- Setting affinity on CPU 15
[13933] 4/12/2013 -- 15:39:51 - (tm-threads.c:1332) <Info> (TmThreadSetupOptions) -- Setting prio -2 for "AFPacketeth316" Module to cpu/core 15, thread id 13933
[13933] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1554) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode
[13933] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1564) <Info> (ReceiveAFPThreadInit) -- Enabling zero copy mode by using data release call


...reading in some  memory settings from yaml:
[13916] 4/12/2013 -- 15:39:51 - (runmode-af-packet.c:529) <Info> (RunModeIdsAFPWorkers) -- RunModeIdsAFPWorkers initialised
[13934] 4/12/2013 -- 15:39:51 - (tm-threads.c:1338) <Info> (TmThreadSetupOptions) -- Setting prio 2 for "FlowManagerThread" thread , thread id 13934
[13916] 4/12/2013 -- 15:39:51 - (stream-tcp.c:376) <Info> (StreamTcpInitConfig) -- stream "prealloc-sessions": 375000 (per thread)
[13916] 4/12/2013 -- 15:39:51 - (stream-tcp.c:392) <Info> (StreamTcpInitConfig) -- stream "memcap": 17179869184
[13916] 4/12/2013 -- 15:39:51 - (stream-tcp.c:398) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: enabled
[13916] 4/12/2013 -- 15:39:51 - (stream-tcp.c:404) <Info> (StreamTcpInitConfig) -- stream "async-oneside": disabled
[13916] 4/12/2013 -- 15:39:51 - (stream-tcp.c:421) <Info> (StreamTcpInitConfig) -- stream "checksum-validation": disabled
[13916] 4/12/2013 -- 15:39:51 - (stream-tcp.c:443) <Info> (StreamTcpInitConfig) -- stream."inline": disabled
[13916] 4/12/2013 -- 15:39:51 - (stream-tcp.c:456) <Info> (StreamTcpInitConfig) -- stream "max-synack-queued": 5
[13916] 4/12/2013 -- 15:39:51 - (stream-tcp.c:474) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 21474836480
[13916] 4/12/2013 -- 15:39:51 - (stream-tcp.c:492) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 12582912
[13916] 4/12/2013 -- 15:39:51 - (stream-tcp.c:575) <Info> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2671
[13916] 4/12/2013 -- 15:39:51 - (stream-tcp.c:577) <Info> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2582
[13935] 4/12/2013 -- 15:39:51 - (tm-threads.c:1338) <Info> (TmThreadSetupOptions) -- Setting prio 2 for "SCPerfWakeupThread" thread , thread id 13935
[13936] 4/12/2013 -- 15:39:51 - (tm-threads.c:1338) <Info> (TmThreadSetupOptions) -- Setting prio 2 for "SCPerfMgmtThread" thread , thread id 13936
[13916] 4/12/2013 -- 15:39:51 - (tm-threads.c:2191) <Notice> (TmThreadWaitOnThreadInit) -- all 16 packet processing threads, 3 management threads initialized, engine started.


....have  a look - Suricata detects if OFFloading (discussed in  Chapter I - Preparation) is used on the network interface:
[13918] 4/12/2013 -- 15:39:51 - (util-ioctl.c:175) <Info> (GetIfaceOffloading) -- Generic Receive Offload is unset on eth3
[13918] 4/12/2013 -- 15:39:51 - (util-ioctl.c:194) <Info> (GetIfaceOffloading) -- Large Receive Offload is unset on eth3
[13918] 4/12/2013 -- 15:39:51 - (source-af-packet.c:1189) <Info> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=10001 frame_size=1584 frame_nr=200020
[13918] 4/12/2013 -- 15:39:52 - (source-af-packet.c:1380) <Info> (AFPCreateSocket) -- Using interface 'eth3' via socket 8
[13918] 4/12/2013 -- 15:39:52 - (source-af-packet.c:988) <Info> (ReceiveAFPLoop) -- Thread AFPacketeth31 using socket 8
[13919] 4/12/2013 -- 15:39:52 - (util-ioctl.c:175) <Info> (GetIfaceOffloading) -- Generic Receive Offload is unset on eth3
[13919] 4/12/2013 -- 15:39:52 - (util-ioctl.c:194) <Info> (GetIfaceOffloading) -- Large Receive Offload is unset on eth3
[13919] 4/12/2013 -- 15:39:52 - (source-af-packet.c:1189) <Info> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=10001 frame_size=1584 frame_nr=200020
[13919] 4/12/2013 -- 15:39:52 - (source-af-packet.c:1380) <Info> (AFPCreateSocket) -- Using interface 'eth3' via socket 9
[13919] 4/12/2013 -- 15:39:52 - (source-af-packet.c:988) <Info> (ReceiveAFPLoop) -- Thread AFPacketeth32 using socket 9
[13920] 4/12/2013 -- 15:39:52 - (util-ioctl.c:175) <Info> (GetIfaceOffloading) -- Generic Receive Offload is unset on eth3
[13920] 4/12/2013 -- 15:39:52 - (util-ioctl.c:194) <Info> (GetIfaceOffloading) -- Large Receive Offload is unset on eth3
[13920] 4/12/2013 -- 15:39:52 - (source-af-packet.c:1189) <Info> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=10001 frame_size=1584 frame_nr=200020
[13920] 4/12/2013 -- 15:39:52 - (source-af-packet.c:1380) <Info> (AFPCreateSocket) -- Using interface 'eth3' via socket 10
[13920] 4/12/2013 -- 15:39:52 - (source-af-packet.c:988) <Info> (ReceiveAFPLoop) -- Thread AFPacketeth33 using socket 10
[13921] 4/12/2013 -- 15:39:52 - (util-ioctl.c:175) <Info> (GetIfaceOffloading) -- Generic Receive Offload is unset on eth3
[13921] 4/12/2013 -- 15:39:52 - (util-ioctl.c:194) <Info> (GetIfaceOffloading) -- Large Receive Offload is unset on eth3
[13921] 4/12/2013 -- 15:39:52 - (source-af-packet.c:1189) <Info> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=10001 frame_size=1584 frame_nr=200020
[13921] 4/12/2013 -- 15:39:52 - (source-af-packet.c:1380) <Info> (AFPCreateSocket) -- Using interface 'eth3' via socket 11
[13921] 4/12/2013 -- 15:39:52 - (source-af-packet.c:988) <Info> (ReceiveAFPLoop) -- Thread AFPacketeth34 using socket 11
[13922] 4/12/2013 -- 15:39:52 - (util-ioctl.c:175) <Info> (GetIfaceOffloading) -- Generic Receive Offload is unset on eth3
[13922] 4/12/2013 -- 15:39:52 - (util-ioctl.c:194) <Info> (GetIfaceOffloading) -- Large Receive Offload is unset on eth3
[13922] 4/12/2013 -- 15:39:52 - (source-af-packet.c:1189) <Info> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=10001 frame_size=1584 frame_nr=200020
[13922] 4/12/2013 -- 15:39:52 - (source-af-packet.c:1380) <Info> (AFPCreateSocket) -- Using interface 'eth3' via socket 12
[13922] 4/12/2013 -- 15:39:52 - (source-af-packet.c:988) <Info> (ReceiveAFPLoop) -- Thread AFPacketeth35 using socket 12
[13923] 4/12/2013 -- 15:39:52 - (util-ioctl.c:175) <Info> (GetIfaceOffloading) -- Generic Receive Offload is unset on eth3
[13923] 4/12/2013 -- 15:39:52 - (util-ioctl.c:194) <Info> (GetIfaceOffloading) -- Large Receive Offload is unset on eth3
[13923] 4/12/2013 -- 15:39:52 - (source-af-packet.c:1189) <Info> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=10001 frame_size=1584 frame_nr=200020
[13923] 4/12/2013 -- 15:39:52 - (source-af-packet.c:1380) <Info> (AFPCreateSocket) -- Using interface 'eth3' via socket 13
[13923] 4/12/2013 -- 15:39:52 - (source-af-packet.c:988) <Info> (ReceiveAFPLoop) -- Thread AFPacketeth36 using socket 13
[13924] 4/12/2013 -- 15:39:52 - (util-ioctl.c:175) <Info> (GetIfaceOffloading) -- Generic Receive Offload is unset on eth3
[13924] 4/12/2013 -- 15:39:52 - (util-ioctl.c:194) <Info> (GetIfaceOffloading) -- Large Receive Offload is unset on eth3
[13924] 4/12/2013 -- 15:39:52 - (source-af-packet.c:1189) <Info> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=10001 frame_size=1584 frame_nr=200020
[13924] 4/12/2013 -- 15:39:52 - (source-af-packet.c:1380) <Info> (AFPCreateSocket) -- Using interface 'eth3' via socket 14
[13924] 4/12/2013 -- 15:39:52 - (source-af-packet.c:988) <Info> (ReceiveAFPLoop) -- Thread AFPacketeth37 using socket 14
[13925] 4/12/2013 -- 15:39:52 - (util-ioctl.c:175) <Info> (GetIfaceOffloading) -- Generic Receive Offload is unset on eth3
[13925] 4/12/2013 -- 15:39:52 - (util-ioctl.c:194) <Info> (GetIfaceOffloading) -- Large Receive Offload is unset on eth3
[13925] 4/12/2013 -- 15:39:52 - (source-af-packet.c:1189) <Info> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=10001 frame_size=1584 frame_nr=200020
[13925] 4/12/2013 -- 15:39:53 - (source-af-packet.c:1380) <Info> (AFPCreateSocket) -- Using interface 'eth3' via socket 15
[13925] 4/12/2013 -- 15:39:53 - (source-af-packet.c:988) <Info> (ReceiveAFPLoop) -- Thread AFPacketeth38 using socket 15
[13926] 4/12/2013 -- 15:39:53 - (util-ioctl.c:175) <Info> (GetIfaceOffloading) -- Generic Receive Offload is unset on eth3
[13926] 4/12/2013 -- 15:39:53 - (util-ioctl.c:194) <Info> (GetIfaceOffloading) -- Large Receive Offload is unset on eth3
[13926] 4/12/2013 -- 15:39:53 - (source-af-packet.c:1189) <Info> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=10001 frame_size=1584 frame_nr=200020
[13926] 4/12/2013 -- 15:39:53 - (source-af-packet.c:1380) <Info> (AFPCreateSocket) -- Using interface 'eth3' via socket 16
[13926] 4/12/2013 -- 15:39:53 - (source-af-packet.c:988) <Info> (ReceiveAFPLoop) -- Thread AFPacketeth39 using socket 16
[13927] 4/12/2013 -- 15:39:53 - (util-ioctl.c:175) <Info> (GetIfaceOffloading) -- Generic Receive Offload is unset on eth3
[13927] 4/12/2013 -- 15:39:53 - (util-ioctl.c:194) <Info> (GetIfaceOffloading) -- Large Receive Offload is unset on eth3
[13927] 4/12/2013 -- 15:39:53 - (source-af-packet.c:1189) <Info> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=10001 frame_size=1584 frame_nr=200020
[13927] 4/12/2013 -- 15:39:53 - (source-af-packet.c:1380) <Info> (AFPCreateSocket) -- Using interface 'eth3' via socket 17
[13927] 4/12/2013 -- 15:39:53 - (source-af-packet.c:988) <Info> (ReceiveAFPLoop) -- Thread AFPacketeth310 using socket 17
[13928] 4/12/2013 -- 15:39:53 - (util-ioctl.c:175) <Info> (GetIfaceOffloading) -- Generic Receive Offload is unset on eth3
[13928] 4/12/2013 -- 15:39:53 - (util-ioctl.c:194) <Info> (GetIfaceOffloading) -- Large Receive Offload is unset on eth3
[13928] 4/12/2013 -- 15:39:53 - (source-af-packet.c:1189) <Info> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=10001 frame_size=1584 frame_nr=200020
[13928] 4/12/2013 -- 15:39:53 - (source-af-packet.c:1380) <Info> (AFPCreateSocket) -- Using interface 'eth3' via socket 18
[13928] 4/12/2013 -- 15:39:53 - (source-af-packet.c:988) <Info> (ReceiveAFPLoop) -- Thread AFPacketeth311 using socket 18
[13929] 4/12/2013 -- 15:39:53 - (util-ioctl.c:175) <Info> (GetIfaceOffloading) -- Generic Receive Offload is unset on eth3
[13929] 4/12/2013 -- 15:39:53 - (util-ioctl.c:194) <Info> (GetIfaceOffloading) -- Large Receive Offload is unset on eth3
[13929] 4/12/2013 -- 15:39:53 - (source-af-packet.c:1189) <Info> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=10001 frame_size=1584 frame_nr=200020
[13929] 4/12/2013 -- 15:39:53 - (source-af-packet.c:1380) <Info> (AFPCreateSocket) -- Using interface 'eth3' via socket 19
[13929] 4/12/2013 -- 15:39:53 - (source-af-packet.c:988) <Info> (ReceiveAFPLoop) -- Thread AFPacketeth312 using socket 19
[13930] 4/12/2013 -- 15:39:53 - (util-ioctl.c:175) <Info> (GetIfaceOffloading) -- Generic Receive Offload is unset on eth3
[13930] 4/12/2013 -- 15:39:53 - (util-ioctl.c:194) <Info> (GetIfaceOffloading) -- Large Receive Offload is unset on eth3
[13930] 4/12/2013 -- 15:39:53 - (source-af-packet.c:1189) <Info> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=10001 frame_size=1584 frame_nr=200020
[13930] 4/12/2013 -- 15:39:53 - (source-af-packet.c:1380) <Info> (AFPCreateSocket) -- Using interface 'eth3' via socket 20
[13930] 4/12/2013 -- 15:39:53 - (source-af-packet.c:988) <Info> (ReceiveAFPLoop) -- Thread AFPacketeth313 using socket 20
[13931] 4/12/2013 -- 15:39:53 - (util-ioctl.c:175) <Info> (GetIfaceOffloading) -- Generic Receive Offload is unset on eth3
[13931] 4/12/2013 -- 15:39:53 - (util-ioctl.c:194) <Info> (GetIfaceOffloading) -- Large Receive Offload is unset on eth3
[13931] 4/12/2013 -- 15:39:53 - (source-af-packet.c:1189) <Info> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=10001 frame_size=1584 frame_nr=200020
[13931] 4/12/2013 -- 15:39:54 - (source-af-packet.c:1380) <Info> (AFPCreateSocket) -- Using interface 'eth3' via socket 21
[13931] 4/12/2013 -- 15:39:54 - (source-af-packet.c:988) <Info> (ReceiveAFPLoop) -- Thread AFPacketeth314 using socket 21
[13932] 4/12/2013 -- 15:39:54 - (util-ioctl.c:175) <Info> (GetIfaceOffloading) -- Generic Receive Offload is unset on eth3
[13932] 4/12/2013 -- 15:39:54 - (util-ioctl.c:194) <Info> (GetIfaceOffloading) -- Large Receive Offload is unset on eth3
[13932] 4/12/2013 -- 15:39:54 - (source-af-packet.c:1189) <Info> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=10001 frame_size=1584 frame_nr=200020
[13932] 4/12/2013 -- 15:39:54 - (source-af-packet.c:1380) <Info> (AFPCreateSocket) -- Using interface 'eth3' via socket 22
[13932] 4/12/2013 -- 15:39:54 - (source-af-packet.c:988) <Info> (ReceiveAFPLoop) -- Thread AFPacketeth315 using socket 22
[13933] 4/12/2013 -- 15:39:54 - (util-ioctl.c:175) <Info> (GetIfaceOffloading) -- Generic Receive Offload is unset on eth3
[13933] 4/12/2013 -- 15:39:54 - (util-ioctl.c:194) <Info> (GetIfaceOffloading) -- Large Receive Offload is unset on eth3
[13933] 4/12/2013 -- 15:39:54 - (source-af-packet.c:1189) <Info> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=10001 frame_size=1584 frame_nr=200020
[13933] 4/12/2013 -- 15:39:54 - (source-af-packet.c:1380) <Info> (AFPCreateSocket) -- Using interface 'eth3' via socket 23
[13933] 4/12/2013 -- 15:39:54 - (source-af-packet.c:439) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.
[13933] 4/12/2013 -- 15:39:54 - (source-af-packet.c:988) <Info> (ReceiveAFPLoop) -- Thread AFPacketeth316 using socket 23



htop - Now that we have been up  and running for a while (6-7 hrs) on a 10Gbps link ( 9.3 Gbps traffic - to be precise - at the moment of these statistics):




we have about 1-2% drops in total (on 7947 rules):





and then after 13 hrs:





we still have 1-2% drops
(1.897% to be precise - total kernel drops 1 337 487 757 out of total packets 70 491 114 835 is 1.897%) :




And that is just half the job done on Suricata's high performance tuning. Before you arrive at this point  there is much more work to be done - pre-study, HW choice, rule selection and tuning, traffic analysis , office/organization needs analysis, network location design and deployment, testing/PoCs and  more...

Upcoming - Chapter IV - Logstash / Kibana / Elasticsearch





by Peter Manev (noreply@blogger.com) at December 10, 2013 08:57 AM

November 18, 2013

Eric Leblond

Using linux perf tools for Suricata performance analysis

Introduction

Perf is a great tool to analyse performances on Linux boxes. For example, perf top will give you this type of output on a box running Suricata on a high speed network: 

Events: 32K cycles                                                                                                                                                                                                                            
 28.41%  suricata            [.] SCACSearch
 19.86%  libc-2.15.so        [.] tolower
 17.83%  suricata            [.] SigMatchSignaturesBuildMatchArray
  6.11%  suricata            [.] SigMatchSignaturesBuildMatchArrayAddSignature
  2.06%  suricata            [.] tolower@plt
  1.70%  libpthread-2.15.so  [.] pthread_mutex_trylock
  1.17%  suricata            [.] StreamTcpGetFlowState
  1.10%  libc-2.15.so        [.] __memcpy_ssse3_back
  0.90%  libpthread-2.15.so  [.] pthread_mutex_lock

The functions are sorted by CPU consumption. Using arrow key it is possible to jump into the annotated code to see where most CPU cycles are used.

This is really useful but in the case of a function like pthread_mutex_trylock, the interesting part is to be able to find where this function is called.

Getting function call graph in perf

This stack overflow question lead me to the solution.

I’ve started to build suricata with the -fno-omit-frame-pointer option:

./configure --enable-pfring --enable-luajit CFLAGS="-fno-omit-frame-pointer"
make
make install

Once suricata was restarted (with pid being 9366), I was then able to record the data:

sudo perf record -a --call-graph -p 9366

Extracting the call graph was then possible by running:

sudo perf report --call-graph --stdio
The result is a huge detailed report. For example, here’s the part on pthread_mutex_lock: 
     0.94%  Suricata-Main  libpthread-2.15.so     [.] pthread_mutex_lock
            |
            --- pthread_mutex_lock
               |
               |--48.69%-- FlowHandlePacket
               |          |
               |          |--53.04%-- DecodeUDP
               |          |          |
               |          |          |--95.84%-- DecodeIPV4
               |          |          |          |
               |          |          |          |--99.97%-- DecodeVLAN
               |          |          |          |          DecodeEthernet
               |          |          |          |          DecodePfring
               |          |          |          |          TmThreadsSlotVarRun
               |          |          |          |          TmThreadsSlotProcessPkt
               |          |          |          |          ReceivePfringLoop
               |          |          |          |          TmThreadsSlotPktAcqLoop
               |          |          |          |          start_thread
               |          |          |           --0.03%-- [...]
               |          |          |
               |          |           --4.16%-- DecodeIPV6
               |          |                     |
               |          |                     |--97.59%-- DecodeTunnel
               |          |                     |          |
               |          |                     |          |--99.18%-- DecodeTeredo
               |          |                     |          |          DecodeUDP
               |          |                     |          |          DecodeIPV4
               |          |                     |          |          DecodeVLAN
               |          |                     |          |          DecodeEthernet
               |          |                     |          |          DecodePfring
               |          |                     |          |          TmThreadsSlotVarRun
               |          |                     |          |          TmThreadsSlotProcessPkt
               |          |                     |          |          ReceivePfringLoop
               |          |                     |          |          TmThreadsSlotPktAcqLoop
               |          |                     |          |          start_thread
               |          |                     |          |
               |          |                     |           --0.82%-- DecodeIPV4
               |          |                     |                     DecodeVLAN
               |          |                     |                     DecodeEthernet
               |          |                     |                     DecodePfring
               |          |                     |                     TmThreadsSlotVarRun
               |          |                     |                     TmThreadsSlotProcessPkt
               |          |                     |                     ReceivePfringLoop
               |          |                     |                     TmThreadsSlotPktAcqLoop
               |          |                     |                     start_thread
               |          |                     |
               |          |                      --2.41%-- DecodeIPV6
               |          |                                DecodeTunnel
               |          |                                DecodeTeredo
               |          |                                DecodeUDP
               |          |                                DecodeIPV4
               |          |                                DecodeVLAN
               |          |                                DecodeEthernet
               |          |                                DecodePfring
               |          |                                TmThreadsSlotVarRun
               |          |                                TmThreadsSlotProcessPkt
               |          |                                ReceivePfringLoop
               |          |                                TmThreadsSlotPktAcqLoop
               |          |                                start_thread

by Regit at November 18, 2013 12:59 PM

November 07, 2013

Victor Julien

Suricata profiling per keyword

Last week I’ve added some more profiling options to Suricata. It’s part of the current git master. It’s enabled only when --enable-profiling and then through the suricata.yaml:

profiling:
  # per keyword profiling
  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes

This will output a table similar to below:

--------------------------------------------------------------------------
Date: 11/7/2013 -- 15:13:11
--------------------------------------------------------------------------
Stats for: total
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
threshold        355324491   190574   409      72276       1864.00     3625.00     1860.00    
content          1274592063  534328   196738   312321      2385.00     2424.00     2362.00    
pcre             56626031    11149    824      254562      5079.00     12234.00    4507.00    
byte_test        153287955   128254   32109    67989       1195.00     1658.00     1040.00    
byte_jump        3676404     2041     2041     15939       1801.00     1801.00     0.00       
flow             38276182    22842    22842    63987       1675.00     1675.00     0.00       
isdataat         580764      558      556      2427        1040.00     1040.00     1017.00    
dsize            2212029     2062     2061     3711        1072.00     1072.00     789.00     
flowbits         1677209     874      870      9873        1919.00     1923.00     884.00     
itype            1653        2        1        1386        826.00      267.00      1386.00    
icode            27383781    93827    2        25545       291.00      1021.00     291.00     
flags            192751968   245519   189709   255639      785.00      753.00      892.00     
urilen           6149297     6142     1099     28299       1001.00     1395.00     915.00     
byte_extract     143091      78       78       7743        1834.00     1834.00     0.00       
--------------------------------------------------------------------------
Stats for: packet
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
flow             38276182    22842    22842    63987       1675.00     1675.00     0.00       
dsize            2212029     2062     2061     3711        1072.00     1072.00     789.00     
flowbits         351171      294      290      5526        1194.00     1198.00     884.00     
itype            1653        2        1        1386        826.00      267.00      1386.00    
icode            27383781    93827    2        25545       291.00      1021.00     291.00     
flags            192751968   245519   189709   255639      785.00      753.00      892.00     
--------------------------------------------------------------------------
Stats for: packet/stream payload
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
content          1203990910  512902   183628   312321      2347.00     2365.00     2337.00    
pcre             28087301    6598     54       254562      4256.00     12279.00    4190.00    
byte_test        153287955   128254   32109    67989       1195.00     1658.00     1040.00    
byte_jump        3676404     2041     2041     15939       1801.00     1801.00     0.00       
isdataat         578172      556      554      2427        1039.00     1039.00     1017.00    
byte_extract     143091      78       78       7743        1834.00     1834.00     0.00       
--------------------------------------------------------------------------
Stats for: http uri
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
content          44775802    13102    8351     60993       3417.00     3257.00     3698.00    
pcre             18284421    3646     97       61338       5014.00     8916.00     4908.00    
isdataat         2592        2        2        1725        1296.00     1296.00     0.00       
urilen           6149297     6142     1099     28299       1001.00     1395.00     915.00     
--------------------------------------------------------------------------
Stats for: http raw uri
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
pcre             9534        2        0        4953        4767.00     0.00        4767.00    
--------------------------------------------------------------------------
Stats for: http client body
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
content          1556904     441      181      58476       3530.00     2874.00     3986.00    
pcre             63924       6        6        17358       10654.00    10654.00    0.00       
--------------------------------------------------------------------------
Stats for: http headers
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
content          23688244    7631     4348     31098       3104.00     3311.00     2829.00    
pcre             9998970     859      667      71904       11640.00    12727.00    7862.00    
--------------------------------------------------------------------------
Stats for: http stat code
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
content          80052       39       20       3699        2052.00     2199.00     1898.00    
--------------------------------------------------------------------------
Stats for: http method
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
content          476334      203      201      27240       2346.00     2351.00     1846.00    
--------------------------------------------------------------------------
Stats for: http cookie
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
content          23817       10       9        2763        2381.00     2384.00     2358.00    
pcre             181881      38       0        13095       4786.00     0.00        4786.00    
--------------------------------------------------------------------------
Stats for: post-match
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
flowbits         1326038     580      580      9873        2286.00     2286.00     0.00       
--------------------------------------------------------------------------
Stats for: threshold
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
threshold        355324491   190574   409      72276       1864.00     3625.00     1860.00

The first part has the totals for all keywords. After this the stats are broken down per buffer type.

Part of this work was sponsored by Emerging Threats.


by inliniac at November 07, 2013 02:40 PM

October 28, 2013

Eric Leblond

Logstash and Suricata for the old guys

Introduction

logstash an opensource tool for managing events and logs. It is using elasticsearch for the storage and has a really nice interface named Kibana. One of the easiest to use entry format is JSON.

Suricata is an IDS/IPS which has some interesting logging features. Version 2.0 will feature a JSON export for all logging subsystem. It will then be possible to output in JSON format:

  • HTTP log
  • DNS log
  • TLS log
  • File log
  • IDS Alerts
For now, only File log is available in JSON format. This extract meta data from files transferred over HTTP.

Peter Manev has described how to connect Logstash Kibana and Suricata JSON output. Installation is really simple, just download logstash from logstash website, write your configuration file and start the thing.

Kibana interface is really impressive: Kibana Screenshot

But at the time, I started to look at the document, a few things were missing:

  • Geoip is not supported
  • All fields containing space appear as multiple entries

Geoip support

This one was easy. You simply have to edit the logstash.conf file to add a section about geoip:

input {
  file { 
    path => "/home/eric/builds/suricata/var/log/suricata/files-json.log" 
    codec =>   json 
    # This format tells logstash to expect 'logstash' json events from the file.
    #format => json_event 
  }
}

output { 
  stdout { codec => rubydebug }
  elasticsearch { embedded => true }
}

#geoip part
filter {
  if [srcip] {
    geoip {
      source => "srcip"
      target => "geoip"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }
}

It adds a filter that check for presence of srcip and add geoip information to the entry. The tricky thing is the add_field part that create an array that has to be used when adding a map to kibana dashboard. See following screenshot for explanation: Creating new map in Kibana

You may have the following error: 

You must specify 'database => ...' in your geoip filter"

In this case, you need to specify the path to the geoip database by adding the database keyword to geoip configuration: 

#geoip part
filter {
  if [srcip] {
    geoip {
      source => "srcip"
      target => "geoip"
      database => "/path/to/GeoLiteCity.dat"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }
}

Once the file is written, you can start logstash 

java -jar /home/eric/builds/logstash/logstash-1.2.2-flatjar.jar agent -f /home/eric/builds/logstash/logstash.conf --log /home/eric/builds/logstash/log/logstash-indexer.out -- web

See Logstash Kibana and Suricata JSON output for detailed information on setup.

Logstash indexing and mapping

Fixing the space issue was far more complicated for an old guy like me. If finding the origin of the behavior is easy fixing it was more painful. A simple googling shows me that by default elasticsearch storage split string at spaces when indexing. To fix this, you have to specify that the field should not be analyzed during indexing: "index":"not_analyzed"

That was looking easy at first but logstash is not using a configuration file for indexing and mapping. In fact, you need to interact with elasticsearch via HTTP requests. Second problem is that the index are dynamically generated, so there is a template system that you can use to have indexes created the way you want.

Creating an template is easy. You simply do something like: 

curl -XPUT http://localhost:9200/_template/logstash_per_index -d '
{
    "template" : "logstash*",
    MAGIC HERE
}'

This will create a template that will be applied to all newly created indexes with name matching “logstash*”. The difficult part is to know what to to put in MAGIC HERE and to check if “logstash*” will match created index. To check this, you can retrieve all current mappings:

curl -XGET 'http://localhost:9200/_all/_mapping'

You then get a list of mappings and you can check the name. But best part is that you can get a base text to update the mapping definition part. With Suricata file log and geoip activated, the following configuration is working well: 

curl -XPUT http://localhost:9200/_template/logstash_per_index -d '
{
    "template" : "logstash*",
    "mappings" : {
      "logs" : {
         "properties": {
            "@timestamp":{"type":"date",
            "format":"dateOptionalTime"},
            "@version":{"type":"string"},
            "dp":{"type":"long"},
            "dstip":{"type":"ip"},
            "filename":{"type":"string"},
            "geoip":{
               "properties":{
                  "area_code":{"type":"long"},
                  "city_name":{"type":"string", "index":"not_analyzed"},
                  "continent_code":{"type":"string"},
                  "coordinates":{"type":"string"},
                  "country_code2":{"type":"string"},
                  "country_code3":{"type":"string"},
                  "country_name":{"type":"string", "index":"not_analyzed"},
                  "dma_code":{"type":"long"},
                  "ip":{"type":"string"},
                  "latitude":{"type":"double"},
                  "longitude":{"type":"double"},
                  "postal_code":{"type":"string"},
                  "real_region_name":{"type":"string", "index":"not_analyzed"},
                  "region_name":{"type":"string", "index":"not_analyzed"},
                  "timezone":{"type":"string"}
               }
            },
            "host":{"type":"string"},
            "http_host":{"type":"string"},
            "http_referer":{"type":"string"},
            "http_uri":{"type":"string"},
            "http_user_agent":{"type":"string", "index":"not_analyzed", "omit_norms":true, "index_options":"docs"},
            "ipver":{"type":"long"},
            "magic":{"type":"string", "index":"not_analyzed", "omit_norms":true, "index_options":"docs"},
            "md5":{"type":"string"},
            "path":{"type":"string"},
            "protocol":{"type":"long"},
            "size":{"type":"long"},
            "sp":{"type":"long"},
            "srcip":{"type":"ip"},
            "state":{"type":"string"},
            "stored":{"type":"boolean"},
            "tags":{"type":"string"},
            "timestamp":{"type":"string"}
      }
    }
  }
}'

I’ve added some “index”:”not_analyzed” and improved the type for some of the fields. For example, srcip has been defined as an IP address. This allow to do range searching in Kibana like 

["192.168.42.24" TO "192.168.42.45"]

Next point is to update the index format. To to so, you can get the name of current index, delete it and recreate it. To get the name you can use le mapping listing: 

curl -XGET 'http://localhost:9200/_all/_mapping'

The return is something like: 

{"logstash-2013.10.27":{"logs":{"properties":

So now, we can destroy this index named “logstash-2013.10.27″ and have it recreated with the correct settings:

curl -XDELETE 'http://localhost:9200/logstash-2013.10.27'
curl -XPUT 'http://localhost:9200/logstash-2013.10.27'
We need data to be reindexed so: 
curl -XGET 'http://localhost:9200/logstash-2013.10.27/_refresh'

It may also be a good idea to wait for new data as it seems to trigger update in what elasticsearch is sending.

by Regit at October 28, 2013 10:47 AM

October 15, 2013

suricata-ids.org

Save-the-Date – October 24, 2013

SURICATA
Workshop & Certification Series
hack.lu (www.hack.lu), Luxembourg

Join us as we work to launch our first Suricata Workshop event – join us!  During this day long event, your input will help to construct the prototype curriculum for the soon to be released Suricata Workshop Certification Series.

A unique opportunity for both end users and developers. The first half of the day will be a presentation of the curriculum framework; which is currently in development by the Suricata team.  The second half of the day will be a hands-on technical workshop.

Presenters will include Victor Julien, Matt Jonkman, Eric LeBlond, Anoop Saldanha and other members of the OISF/ Suricata team.

Further details will be sent out within the next few weeks.

Questions?  Feel free to reach to us at info@openinfosecfoundation.org.

Update 10/15: more info here: Join us at Hack.lu – October 21 – 25, 2013. Please register!


by inliniac at October 15, 2013 08:50 AM

October 10, 2013

Security Onion

Suricata 1.4.6 package now available

Suricata 1.4.6 was recently released:
http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/183--suricata-146-released

I've packaged Suricata 1.4.6 and the new package has been tested by David Zawdie and JP Bourget.

Upgrading
The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

The Suricata update will do the following:

  • back up each of your existing suricata.yaml file(s) to suricata.yaml.bak
  • update Suricata to 1.4.6

If you're running Suricata in production, then you'll need to do the following:

  • apply your local customizations to the new suricata.yaml
  • restart Suricata as follows:
    sudo nsm_sensor_ps-restart --only-snort-alert

Update process
suricata -V
Update suricata.yaml file(s) and then run "sudo nsm_sensor_ps-restart --only-snort-alert"
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Training
Want to learn more about Log Management?  Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th!  This class is being held in conjunction with University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology.  Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks

Want to learn more about Security Onion?  Sign up for the upcoming 8-hour class in Augusta GA!  Be one of the first 10 students to sign up and you can register at the discounted Early Bird price!  For full details and to register, please see:
https://securityonion20131026.eventbrite.com/

by Doug Burks (noreply@blogger.com) at October 10, 2013 11:24 PM

October 09, 2013

suricata-ids.org

Join us at Hack.lu – October 21 – 25, 2013

hackluPlease join the OISF and the Suricata development team at hack.lu for an exciting week of brainstorm meetings, technical talks, hackathons and the first Suricata workshop event.

The workshop will be day long event where with your expertise, we will construct the prototype for the soon to be released Suricata Workshop and Certification Series. All are open to technical and non-technical end users.

Please considering joining us in Luxemburg to make this meeting a success!

For more information and *free* registration to the OISF events please visit:
http://www.eventbrite.com/event/8567253887


by inliniac at October 09, 2013 01:01 PM

September 30, 2013

suricata-ids.org

Suricata 1.4.6 Windows Installer Available

The Windows MSI installer of the Suricata 1.4.6 release is now available. The installer is now signed.

Download it here: Suricata-1.4.6-1-32bit.msi

After downloading, double click the file to launch the installer.

If you have a previous version installed, please remove that first.


by inliniac at September 30, 2013 09:32 AM

September 27, 2013

Victor Julien

Attending Hack.lu with the Suricata team

hackluNext month I will be attending Hack.lu. The entire Suricata team will be present as well. We’ll be doing several meetings, including a training day on the 24th of October.

If you are close and interested in Suricata, please consider joining us. The training is free and does not require you to pay for the conference.


by inliniac at September 27, 2013 07:38 AM

September 26, 2013

suricata-ids.org

Daily Suricata Ubuntu PPA for the git master

We have created a new Ubuntu PPA that is updated daily to the current git master. This means it will always contain the latest fixes and features, fresh from our developers.

To use this PPA read our docs here. Naturally, as this is development code it may have serious bugs. So use with care.

If you’re using this PPA, updating is as simple as:

apt-get update && apt-get upgrade

The PPA Ubuntu packages have IPS mode through NFQUEUE enabled.


by inliniac at September 26, 2013 07:43 AM

September 25, 2013

suricata-ids.org

Suricata Ubuntu PPA updated to 1.4.6

We have updated the official Ubuntu PPA to Suricata 1.4.6. To use this PPA read our docs here.

If you’re using this PPA, updating is as simple as:

apt-get update && apt-get upgrade

The PPA Ubuntu packages have IPS mode through NFQUEUE enabled.


by inliniac at September 25, 2013 05:04 PM

September 24, 2013

Open Information Security Foundation

Suricata 1.4.6 released!

The OISF development team is pleased to announce Suricata 1.4.6. This is a small but important update over the 1.4.5 release, addressing some important issues.

Get the new release here: suricata-1.4.6.tar.gz

Fixes

  • Bug 958: malformed SSL records leading to crash. Reported by Sebastian Roschke. CVE-2013-5919.
  • Bug 971: AC pattern matcher out of bounds memory read.
  • Bug 965: improve negated content handling. Reported by Will Metcalf.
  • Bug 937: fix IPv6-in-IPv6 decoding.
  • Bug 934: improve address parsing.
  • Bug 969: fix unified2 not logging tagged packets.

Special thanks

  • Sebastian Roschke
  • Will Metcalf

Security

  • CVE-2013-5919

Known issues & missing features

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

by Victor Julien (postmaster@inliniac.net) at September 24, 2013 11:27 AM

suricata-ids.org

Suricata 1.4.6 released!

Photo by Eric LeblondThe OISF development team is pleased to announce Suricata 1.4.6. This is a small but important update over the 1.4.5 release, addressing some important issues.

Get the new release here: suricata-1.4.6.tar.gz

Fixes

  • Bug 958: malformed SSL records leading to crash. Reported by Sebastian Roschke. CVE-2013-5919.
  • Bug 971: AC pattern matcher out of bounds memory read.
  • Bug 965: improve negated content handling. Reported by Will Metcalf.
  • Bug 937: fix IPv6-in-IPv6 decoding.
  • Bug 934: improve address parsing.
  • Bug 969: fix unified2 not logging tagged packets.

Special thanks

  • Sebastian Roschke
  • Will Metcalf

Security

  • CVE-2013-5919

Known issues & missing features

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.


by inliniac at September 24, 2013 11:25 AM

September 20, 2013

Open Information Security Foundation

Save-the-Date – October 24, 2013

SURICATA

Workshop & Certification Series
hack.lu (www.hack.lu), Luxembourg

Join us as we work to launch our first Suricata Workshop event – join us!  During this day long event, your input will help to construct the prototype curriculum for the soon to be released Suricata Workshop Certification Series.

A unique opportunity for both end users and developers. The first half of the day will be a presentation of the curriculum framework; which is currently in development by the Suricata team.  The second half of the day will be a hands-on technical workshop.

Presenters will include Victor Julien, Matt Jonkman, Eric Leblond, Anoop Saldanha and other members of the OISF/ Suricata team.

Further details will be sent out within the next few weeks.

Questions?  Feel free to reach to us at info@openinfosecfoundation.org.

by Victor Julien (postmaster@inliniac.net) at September 20, 2013 02:20 PM

September 04, 2013

Security Onion

PF_RING 5.6.1, Snort 2.9.5.3, and Suricata 1.4.5 packages now available!

The following software was recently released:

PF_RING 5.6.1
http://sourceforge.net/projects/ntop/files/PF_RING/

Snort 2.9.5.3
http://blog.snort.org/2013/07/snort-2953-is-now-available.html

Suricata 1.4.5
http://suricata-ids.org/2013/07/26/suricata-1-4-5-released/

I've packaged these new releases and the new packages have been tested by David Zawdie.  Thanks, David!

UPDATE 2013/09/04: Lysemose pointed out on the mailing list that VRT Registered Ruleset users won't get rules for Snort 2.9.5.3 until September 6:
https://groups.google.com/d/topic/security-onion/wd32jmXoy04/discussion

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

These updates will do the following:

  • stop all NSM sensor processes
  • terminate any remaining processes using PF_RING
  • remove the existing PF_RING module
  • build the new PF_RING module
  • start all NSM sensor processes
  • back up each of your existing snort.conf files to snort.conf.bak
  • update Snort
  • back up each of your existing suricata.yaml files to suricata.yaml.bak
  • update Suricata


You'll then need to do the following:

  • apply your local customizations to the new snort.conf or suricata.yaml files
  • update ruleset and restart Snort/Suricata as follows:

sudo rule-update
Notes
One change that I've made to our normal Snort config is the PF_RING clustermode.  Previously, snort would default to clustermode=2 meaning that PF_RING would hash each stream to a particular Snort instance based solely on src and dst IP.  So let's say you have multiple Snort instances in a PF_RING cluster and you run a series of "curl testmyids.com" tests.  Each and every "curl testmyids.com" would be sent to the SAME Snort instance since the src and dst IP never change. With the new clustermode=4, the snort instance would be selected based on src/dst IP *and* src/dst port.  So each time you do "curl testmyids.com" it will go to a different Snort instance in the PF_RING cluster.  This results in more effective load balancing.

Screenshots
"sudo soup" upgrade process

PF_RING 5.6.1, Snort 2.9.5.3, and Suricata 1.4.5

Updating ruleset and restarting Snort/Suricata using "sudo rule-update"

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

by Doug Burks (noreply@blogger.com) at September 04, 2013 11:13 AM

July 28, 2013

suricata-ids.org

Suricata Ubuntu PPA updated to 1.4.5

We have updated the official Ubuntu PPA to Suricata 1.4.5. To use this PPA read our docs here.

If you’re using this PPA, updating is as simple as:

apt-get update && apt-get upgrade

The PPA Ubuntu packages have IPS mode through NFQUEUE enabled.


by inliniac at July 28, 2013 06:43 PM

Suricata 1.4.5 Windows Installer Available

The Windows MSI installer of the Suricata 1.4.5 release is now available. The installer is now signed.

Download it here: Suricata-1.4.5-1-32bit.msi

After downloading, double click the file to launch the installer.

If you have a previous version installed, please remove that first.


by inliniac at July 28, 2013 06:42 PM

July 26, 2013

suricata-ids.org

Suricata 1.4.5 released!

Photo by Eric LeblondThe OISF development team is pleased to announce Suricata 1.4.5. This is a small but important update over the 1.4.4 release, fixing some important bugs.

Get the new release here: suricata-1.4.5.tar.gz

Fixes

  • Bug #908: ipv6 extension header parsing issue causing Suricata to hang
  • Bug #906: icmp_seq and icmp_id keyword with icmpv6 traffic FP & FN

Special thanks

  • Prabhakaran Kasinathan

Known issues & missing features

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.


by inliniac at July 26, 2013 11:48 AM

Open Information Security Foundation

Suricata 1.4.5 released!

The OISF development team is pleased to announce Suricata 1.4.5. This is a small but important update over the 1.4.4 release, fixing some important bugs.

Get the new release here: suricata-1.4.5.tar.gz

Fixes

  • Bug #908: ipv6 extension header parsing issue causing Suricata to hang
  • Bug #906: icmp_seq and icmp_id keyword with icmpv6 traffic FP & FN

Special thanks

  • Prabhakaran Kasinathan

Known issues & missing features

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

by Victor Julien (postmaster@inliniac.net) at July 26, 2013 11:43 AM

July 19, 2013

suricata-ids.org

Suricata 2.0beta1 Windows Installer Available

The Windows MSI installer of the Suricata 2.0beta1 release is now available.

Download it here: suricata-2.0beta1-1-32bit.msi

After downloading, double click the file to launch the installer. Please note that the installer is not yet signed.

If you have a previous version installed, please remove that first.


by inliniac at July 19, 2013 06:48 PM

Suricata 1.4.4 Windows Installer Available

The Windows MSI installer of the Suricata 1.4.4 release is now available.

Download it here: Suricata1.4.4-1-32bit.msi

After downloading, double click the file to launch the installer. Please note that the installer is not yet signed.

If you have a previous version installed, please remove that first.


by inliniac at July 19, 2013 06:44 PM

Suricata Ubuntu PPA updated to 1.4.4

We have updated the official Ubuntu PPA to Suricata 1.4.4. To use this PPA read our docs here.

If you’re using this PPA, updating is as simple as:

apt-get update && apt-get upgrade

The PPA Ubuntu packages have IPS mode through NFQUEUE enabled.


by inliniac at July 19, 2013 05:23 PM

July 18, 2013

Open Information Security Foundation

Suricata 2.0beta1 Available!

The OISF development team is proud to announce Suricata 2.0beta1. This is the first beta release for the upcoming 2.0 version.

This release greatly improved our HTTP handling by upgrading libhtp support to 0.5.4 and by redesigning transaction handling, which increases HTTP performance as well[1]. On the performance side, a large CUDA overhaul greatly improves our GPU performance[2]. Also new in this release is a DNS parser, logger and detection support.

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0beta1.tar.gz

[1] http://www.poona.me/2013/05/suricata-transaction-engine-re-designed.html#performance
[2] http://www.poona.me/2013/06/suricata-cuda-engine-re-designed.html#performance

New features

  • Luajit flow vars and flow ints support (#593)
  • DNS parser, logger and keyword support (#792), funded by Emerging Threats
  • deflate support for HTTP response bodies (#470, #775)

Improvements

  • update to libhtp 0.5 (#775)
  • improved gzip support for HTTP response bodies (#470, #775)
  • redesigned transaction handling, improving both accuracy and performance (#753)
  • redesigned CUDA support (#729)
  • Be sure to always apply verdict to NFQ packet (#769)
  • stream engine: SACK allocs should adhere to memcap (#794)
  • stream: deal with multiple different SYN/ACK’s better (#796)
  • stream: Randomize stream chunk size for raw stream inspection (#804)
  • Introduce per stream thread ssn pool (#519)
  • “pass” IP-only rules should bypass detection engine after matching (#718)
  • Generate error if bpf is used in IPS mode (#777)
  • Add support for batch verdicts in NFQ, thanks to Florian Westphal
  • Update Doxygen config, thanks to Phil Schroeder
  • Improve libnss detection, thanks to Christian Kreibich

Fixes

  • Fix a FP on rules looking for port 0 and fragments (#847), thanks to Rmkml
  • OS X unix socket build fixed (#830)
  • bytetest, bytejump and byteextract negative offset failure (#827)
  • Fix fast.log formatting issues (#771), thanks to Rmkml
  • Invalidate negative depth (#774), thanks to Rmkml
  • Fixed accuracy issues with relative pcre matching (#791)
  • Fix deadlock in flowvar capture code (#802)
  • Improved accuracy of file_data keyword (#817)
  • Fix af-packet ips mode rule processing bug (#819), thanks to Laszlo Madarassy
  • stream: fix injecting pseudo packet too soon leading to FP (#883), thanks to Francis Trudeau

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Rmkml
  • Laszlo Madarassy
  • Ken Steele, Tilera
  • Florian Westphal
  • Christian Kreibich
  • Francis Trudeau
  • Phil Schroeder
  • Ivan Ristic
  • Emerging Threats
  • Coverity

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know!

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

by Victor Julien (postmaster@inliniac.net) at July 18, 2013 03:23 PM

suricata-ids.org

Suricata 2.0beta1 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.0beta1. This is the first beta release for the upcoming 2.0 version.

This release greatly improved our HTTP handling by upgrading libhtp support to 0.5.5 and by redesigning transaction handling, which increases HTTP performance as well[1]. On the performance side, a large CUDA overhaul greatly improves our GPU performance[2]. Also new in this release is a DNS parser, logger and detection support.

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0beta1.tar.gz

[1] http://www.poona.me/2013/05/suricata-transaction-engine-re-designed.html#performance
[2] http://www.poona.me/2013/06/suricata-cuda-engine-re-designed.html#performance

New features

  • Luajit flow vars and flow ints support (#593)
  • DNS parser, logger and keyword support (#792), funded by Emerging Threats
  • deflate support for HTTP response bodies (#470, #775)

Improvements

  • update to libhtp 0.5 (#775)
  • improved gzip support for HTTP response bodies (#470, #775)
  • redesigned transaction handling, improving both accuracy and performance (#753)
  • redesigned CUDA support (#729)
  • Be sure to always apply verdict to NFQ packet (#769)
  • stream engine: SACK allocs should adhere to memcap (#794)
  • stream: deal with multiple different SYN/ACK’s better (#796)
  • stream: Randomize stream chunk size for raw stream inspection (#804)
  • Introduce per stream thread ssn pool (#519)
  • “pass” IP-only rules should bypass detection engine after matching (#718)
  • Generate error if bpf is used in IPS mode (#777)
  • Add support for batch verdicts in NFQ, thanks to Florian Westphal
  • Update Doxygen config, thanks to Phil Schroeder
  • Improve libnss detection, thanks to Christian Kreibich

Fixes

  • Fix a FP on rules looking for port 0 and fragments (#847), thanks to Rmkml
  • OS X unix socket build fixed (#830)
  • bytetest, bytejump and byteextract negative offset failure (#827)
  • Fix fast.log formatting issues (#771), thanks to Rmkml
  • Invalidate negative depth (#774), thanks to Rmkml
  • Fixed accuracy issues with relative pcre matching (#791)
  • Fix deadlock in flowvar capture code (#802)
  • Improved accuracy of file_data keyword (#817)
  • Fix af-packet ips mode rule processing bug (#819), thanks to Laszlo Madarassy
  • stream: fix injecting pseudo packet too soon leading to FP (#883), thanks to Francis Trudeau

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Rmkml
  • Laszlo Madarassy
  • Ken Steele, Tilera
  • Florian Westphal
  • Christian Kreibich
  • Francis Trudeau
  • Phil Schroeder
  • Ivan Ristic
  • Emerging Threats
  • Coverity

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know!

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.


by inliniac at July 18, 2013 03:22 PM

Open Information Security Foundation

Suricata 1.4.4 released

The OISF development team is pleased to announce Suricata 1.4.4. This is a small but important update over the 1.4.3 release, fixing some important bugs.

Get the new release here: suricata-1.4.4.tar.gz

Fixes

  • Bug #834: Unix socket – showing as compiled when it is not desired to do so
  • Bug #841: configure –enable-unix-socket does not err out if libs/pkgs are not present
  • Bug #846: FP on IP frag and sig using udp port 0, thanks to Rmkml
  • Bug #864: fix pass action not working correctly in all cases, thanks Kevin Branch
  • Bug #876: http connect tunnel crash fixed
  • Bug #877: Flowbit check with content doesn’t match consistently, thanks to Francis Trudeau

Special thanks

  • Rmkml
  • Francis Trudeau
  • Kevin Branch

Known issues & missing features

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

by Victor Julien (postmaster@inliniac.net) at July 18, 2013 09:23 AM

suricata-ids.org

Suricata 1.4.4 released!

Photo by Eric LeblondThe OISF development team is pleased to announce Suricata 1.4.4. This is a small but important update over the 1.4.3 release, fixing some important bugs.

Get the new release here: suricata-1.4.4.tar.gz

Fixes

  • Bug #834: Unix socket – showing as compiled when it is not desired to do so
  • Bug #841: configure –enable-unix-socket does not err out if libs/pkgs are not present
  • Bug #846: FP on IP frag and sig using udp port 0, thanks to Rmkml
  • Bug #864: fix pass action not working correctly in all cases, thanks Kevin Branch
  • Bug #876: http connect tunnel crash fixed
  • Bug #877: Flowbit check with content doesn’t match consistently, thanks to Francis Trudeau

Special thanks

  • Rmkml
  • Francis Trudeau
  • Kevin Branch

Known issues & missing features

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.


by inliniac at July 18, 2013 09:20 AM

July 17, 2013

Anoop Saldanha

Suricata cuda engine re-designed


Suricata's current dev master includes a re-designed cuda architecture.  There's some history on Suricata's relationship with cuda which I will address in a different post.  Let's talk about the current cuda support.

Suricata performs various cpu intensive talks.  One of those being the pattern matching phase.  The engine has various pattern matching phases - packet, stream, application layer buffers, etc..  The heaviest of them all would be the packet and the stream ones.  With our version we have offloaded the packet mpm phase.  We use the aho-corasick algorithm on the gpu(more on the technical aspects in the coming posts).

These are the first and last commits in sequence of commits that introduces the feature.  A git log should reveal other related commits -

            commit 0e0218f089f87c82041bb56b497bd88a41d31040
            Author: Anoop Saldanha <anoopsaldanha@gmail.com>
            Date:   Thu Jun 20 23:26:23 2013 +0530

                Minor cosmetic changes to the cuda code.

            commit 276716bdd39f325209e03f94b855f0ed14b3b12a
            Author: Anoop Saldanha <poonaatsoc@gmail.com>
            Date:   Wed Aug 1 14:22:49 2012 +0530

                update cuda API wrappers ...


Currently the only supported interface/runmode is pcap-file/autofp.  Do note that we don't support live rule swap when cuda's being used.

    * Configuring suricata to use Cuda

      To enable and use the cuda accelerated pattern matcher, configure with --enable-cuda.

      Next the new mpm that uses the gpu is called "ac-cuda".  You will have to modify the "mpm-algo" parameter in the conf to use it -
      "mpm-algo: ac-cuda"

      Other customizable options in the conf file -
      cuda:
        mpm:
          data-buffer-size-min-limit: 0
          data-buffer-size-max-limit: 1500
          cudabuffer-buffer-size: 500mb
          gpu-transfer-size: 50mb
          batching-timeout: 2000
          device-id: 0
          cuda-streams: 2

      The conf file has a brief explanation for each parameter.  Let me explain them again
      • gpu-transfer-size: Probably the most important parameter at this point, since a lot of you all won't be able to run cuda with the default value of 50mb(depending on the card you are using).  This parameter basically configures the max size of the buffer(one holding all the packets) that would be sent to the gpu for processing.  Based on the available memory on your card you will have to play with this value until you get cuda up and running on your system.
      • data-buffer-size-min-limit: The minimum payload size to be sent to the gpu.  For example, if we have it set to 10, all payloads < 10 would be run on the cpu, >= 10 on the gpu.  A value of 0 sets no limit.
      • data-buffer-size-max-limit: The maximum payload size to be sent to the gpu.  Similar to the previous one
      • batching-timeout: This parameter sets the timer for batching packets before being sent to the gpu.  Do note this parameter is in microseconds.  For example, if you have a value of 10000(10ms) set, the cpu would buffer packets for the next 10ms before sending them to the gpu.  You will have to play around with this value to find the performance sweet spot.
      • device-id: The device to use.  If you have multiple devices you can specify the device to use here.  You can use suricata --list-cuda-cards to list the configured cards on your system.
      • cuda-streams: Unused
      • cudabuffer-buffer-size: Internally we use a circular buffer to batch packets.  This parameter specifies the size of this circular buffer.  The buffer allocated using this parameter is page-locked.
      You'll have to also increase the "max-pending-packets" parameter in the conf.  I have mine set to 65000.
      max-pending-packets: 65000

      Also do note that we only support pcap-file/autofp at this moment.

      Looks like we are done.  Time to take it for a drive.

      * Performance

      * Card used - GTX 480 - 15 multiprocessors, with 448 cores and Cuda Compatibility 2.0.
      * Host PC: AMD 620 quad core at 2.8Ghz, with 6GB of ram.
      * Ruleset being tested - etpro without decoder rules.
      * max-pending-packets: 65000
      * batching-timeout: 10000

      I have managed to run it against some pcaps and the gpu has been faster or as fast as the cpu on all occasions.  The alerts are intact on all runs.  Here are the results -

      * time in seconds
      Pcap_Name - CPU     :   GPU      : % Increase in Performance
      Pcap            - 12.5     :   9.4        : 24%
      Pcap            - 18.2     :   14.2      : 22%
      Pcap            - 11        :   8.4        : 23%
      Pcap            - 7.4       :   5.7        : 23%
      Pcap            - 12.8     :   9.9        : 22%
      Pcap            - 5.2       :   3.9        : 25%
      Pcap            - 18.7     :   14.0      : 25%
      Pcap            - 28.4     :   20         : 29%
      Pcap            - 13.3     :   10.2      : 15%
      Pcap            - 25.9     :   18.2      : 30%
      Pcap            - 27.9     :   20.1      : 28%
      Pcap            - 29.5     :   21.2      : 28%
      Pcap            - 29.7     :   21.5      : 27%
      Pcap            - 17.3     :   12.9      : 25%
      Pcap            - 23.3     :   18.0      : 23%
      Pcap            -  5.8      :   5.45      :  6%
      Pcap            -  83       :   72         : 13%
      Pcap            - 10440  :   9575     : 8%
      Pcap            - 7445    :   7172     : 3.7%
      Pcap            - 340      :   271       : 20%
      Pcap            - 604      :   603       : -
      Pcap            - 1480    :   1452     : 1.8%
      Pcap            - 16.1     :   16.1      : 0%
      Pcap            - 12.9     :   12.5      : 3%
      Pcap            - 6.7       :   6.3        : 3%
      Pcap            - 6.7       :   5.9        : 12%
      Pcap            - 8.1       :   7.3        : 11%
      Pcap            - 3.7       :   3.3        : 11%
      Pcap            - 9.3       :   8.85      : 5%
      Pcap            - 27.5     :   27.5      : 0%
      Pcap            - 16.1     :   17.4      : 9%


      Please note the code is experimental, and we would love to your hear your feedback on the performance, card you are running, conf settings used and alert accuracy.


      * Future Work
      • Use other features provided by cuda, the immediate ones being streams and texture memory.
      • Provide live mode support.
      • Explore the possibility of sending other buffers to the gpu.
      • Explore other cpu intensive tasks that can be offloaded to the gpu.

      In the upcoming posts we will discuss suricata's cuda history and the code development that took place for each cuda version we implemented.  We will also discuss the technical aspects behind the current cuda code.

      by poona (noreply@blogger.com) at July 17, 2013 12:08 PM

      Suricata transaction engine re-designed - Increased performance, better accuracy.


      For quite sometime we wanted to improve the stateful detection engine inside suricata.  The previous detection engine although worked fine in a way, had its issues, some of them being these -

      • Repeated inspection of same app state, transactions included, and as a side effect of this we had the pattern matching engine carrying out redundant runs on already matched buffers.
      • FPs resulting from re-inspection of state.
      • FNs.
      • FPs from cross transaction matching.  For example the following sig would FP with the old engine for the below scenario.  Assume we have a flow with 2 requests -
              GET /one.html HTTP/1.1
              GET /two.html HTTP/1.1

              alert http any any -> any any (content:"one"; http_uri; content:"two"; http_uri; sid:1;)


      We have now re-designed the way we carry out inspection(master branch), and all the above issues mentioned have disappeared, along with noticeably improved performance.

      The corresponding commits being -

      commit b0f014124dbf44829ba04ed9d090ff268f7cb0ae
      Author: Anoop Saldanha <anoopsaldanha@gmail.com>
      Date:   Fri May 3 20:34:58 2013 +0530

          Transaction engine redesigned.....

      commit e71de3f98f713fd4fe6cbccf42c51e59b0fca848
      Author: Anoop Saldanha <anoopsaldanha@gmail.com>
      Date:   Fri May 3 10:03:48 2013 +0530

          Track transaction progress separately......

      commit 6ebd360c225ccffab0ec65099e4f0b4882945b25
      Author: Anoop Saldanha <anoopsaldanha@gmail.com>
      Date:   Fri Apr 12 13:18:17 2013 +0530

          hsbd mpm and packet mpm share same mpm ctx id.....

      Here are the stats from a private pcap containing 12826 http requests and which alerts 4033 times with the old engine.

      1. The no of times the pattern matching engine was called on buffers

      ----------------------------------------
      mpm - old engine : new engine
      ----------------------------------------
      uri - 179k : 13k
      http client body - 222 : 173
      http header toserver - 179k : 13k
      http header toclient - 174k : 117k
      http method - 143k : 10.5k
      http cookie - 10.5k : 6.5k
      http raw uri - 143k : 10.5k

      As you can see the pattern matching runs has drastically reduced.

      2. Alert accuracy has been improved, with FPs and FN's disappearing.


      -Default yaml-

      Old engine - 40.5 seconds
      New engine - 33.5 seconds
      Performance increase  - 17.28%

      I then modified the HOME_NET and EXTERNAL_NET to any, to increase the flows inspected by the engine, and to also increase the no of alerts.  These are the numbers obtained -

      -Modified yaml-

      Old engine - 70.5
      New engine - 51.5
      Performance increase - 27%

      Suricata users with http heavy traffic and a fairly http heavy ruleset, should see the increase in performance as well.


      Please do note the code update requires some rigorous testing, so keep an eye out for missed alerts, segvs and other bugs.  Any form of testing for alert, stability, and performance is appreciated.

      =Future Work=

      Effort continues to further improve the detection engine for better performance and a lot of cool new features.  Keep an eye out for our mailing list.
             

      by poona (noreply@blogger.com) at July 17, 2013 12:07 PM

      July 08, 2013

      Security Onion

      Suricata 1.4.3 package now available

      Suricata 1.4.3 was recently released:
      http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/178-suricata-143-released

      I've packaged Suricata 1.4.3 and the new package has been tested by the following (thanks!):
      David Zawdie

      Upgrading
      The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
      https://code.google.com/p/security-onion/wiki/Upgrade

      The Suricata update will do the following:

      • back up each of your existing suricata.yaml file(s) to suricata.yaml.bak
      • update Suricata to 1.4.3

      If you're running Suricata in production, then you'll need to do the following:

      • apply your local customizations to the new suricata.yaml
      • restart Suricata as follows:

      sudo nsm_sensor_ps-restart --only-snort-alert

      Upgrading Suricata
      suricata -V
      Update suricata.yaml file(s) and then run "sudo nsm_sensor_ps-restart --only-snort-alert"

      Feedback
      If you have any questions or problems, please use our mailing list:
      https://code.google.com/p/security-onion/wiki/MailingLists

      Help Wanted
      If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
      https://code.google.com/p/security-onion/wiki/TeamMembers

      We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

      by Doug Burks (noreply@blogger.com) at July 08, 2013 08:01 AM

      June 21, 2013

      Open Information Security Foundation

      Suricata 1.4.3 released!

      The OISF development team is pleased to announce Suricata 1.4.3. This is a small but important update over the 1.4.2 release, fixing some important bugs.

      Get the new release here: suricata-1.4.3.tar.gz

      Fixes

      • Fix missed detection in bytetest, bytejump and byteextract for negative offset (#828)
      • Fix IPS mode being unable to drop tunneled packets (#826)
      • Fix OS X Unix Socket build (#829)

      Special thanks

      • Laszlo Madarassy
      • Will Metcalf

      Known issues & missing features

      As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

      See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

      About Suricata

      Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

       

      by Victor Julien (postmaster@inliniac.net) at June 21, 2013 08:33 AM

      suricata-ids.org

      Suricata 1.4.3 released!

      Photo by Eric LeblondThe OISF development team is pleased to announce Suricata 1.4.3. This is a small but important update over the 1.4.2 release, fixing some important bugs.

      Get the new release here: suricata-1.4.3.tar.gz

      Fixes

      • Fix missed detection in bytetest, bytejump and byteextract for negative offset (#828)
      • Fix IPS mode being unable to drop tunneled packets (#826)
      • Fix OS X Unix Socket build (#829)

      Special thanks

      • Laszlo Madarassy
      • Will Metcalf

      Known issues & missing features

      As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

      See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

      About Suricata

      Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.


      by inliniac at June 21, 2013 08:32 AM

      May 31, 2013

      Security Onion

      Suricata 1.4.2 package now available

      Suricata 1.4.2 was recently released:
      http://suricata-ids.org/2013/05/29/suricata-1-4-2-released/

      I've packaged Suricata 1.4.2 and it has been tested by the following (thanks!):
      David Zawdie

      Upgrade Process

      The new package is now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
      sudo apt-get update && sudo apt-get install securityonion-suricata
      The Suricata update will do the following:

      • back up each of your existing suricata.yaml file(s) to suricata.yaml.bak
      • update Suricata to 1.4.2

      If you're running Suricata in production, then you'll need to do the following:

      • apply your local customizations to the new suricata.yaml
      • restart Suricata as follows:

      sudo nsm_sensor_ps-restart --only-snort-alert
      sudo apt-get update && sudo apt-get install securityonion-suricata

      suricata -V

      Update suricata.yaml file(s) and then run "sudo nsm_sensor_ps-restart --only-snort-alert"

      Feedback
      If you have any questions or problems, please use our mailing list:
      https://code.google.com/p/security-onion/wiki/MailingLists

      Help Wanted
      If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
      https://code.google.com/p/security-onion/wiki/TeamMembers

      We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

      by Doug Burks (noreply@blogger.com) at May 31, 2013 09:14 PM

      May 30, 2013

      Security Onion

      Suricata 1.4.1 package now available


      Suricata 1.4.1 was recently released:
      http://suricata-ids.org/2013/03/08/suricata-1-4-1-released/

      I've packaged Suricata 1.4.1 and it has been tested by the following (thanks!):
      Eric Ooi
      David Zawdie

      The new package is now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
      sudo apt-get update && sudo apt-get dist-upgrade

      Install Process

      The Suricata update will do the following:

      • install some new dependencies (libluajit and libjansson)
      • back up each of your existing suricata.yaml file(s) to suricata.yaml.bak
      • update Suricata to 1.4.1

      If you're running Suricata in production, then you'll need to do the following:

      • apply your local customizations to the new suricata.yaml
      • restart Suricata as follows:
      sudo nsm_sensor_ps-restart --only-snort-alert

      sudo apt-get update && sudo apt-get dist-upgrade

      suricata -V

      Update suricata.yaml file(s) and then run "sudo nsm_sensor_ps-restart --only-snort-alert"


      Feedback
      If you have any questions or problems, please use our mailing list:
      https://code.google.com/p/security-onion/wiki/MailingLists

      by Doug Burks (noreply@blogger.com) at May 30, 2013 10:27 PM

      May 29, 2013

      Open Information Security Foundation

      Suricata 1.4.2 released!

      The OISF development team is proud to announce Suricata 1.4.2. This is a minor update over the 1.4 release, fixing some important bugs.

      Get the new release here: suricata-1.4.2.tar.gz

      Improvements

      • No longer force "nocase" to be used on http_host
      • Invalidate rule if uppercase content is used for http_host w/o nocase
      • Warn user if bpf is used in af-packet IPS mode
      • Better test for available libjansson version

      Fixes

      • Fixed accuracy issues with relative pcre matching (#784)
      • Improved accuracy of file_data keyword (#788)
      • Invalidate negative depth (#770)
      • Fix http host parsing for IPv6 addresses (#761)
      • Fix fast.log formatting issues (#773)
      • Fixed deadlock in flowvar set code for http buffers (#801)
      • Various signature ordering improvements
      • Minor stream engine fix

      Special thanks

      • Ivan Ristic
      • Rmkml
      • Will Metcalf

      Known issues & missing features

      As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

      See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

      About Suricata

      Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

      by Victor Julien (postmaster@inliniac.net) at May 29, 2013 01:42 PM

      suricata-ids.org

      Suricata 1.4.2 released!

      Photo by Eric LeblondThe OISF development team is proud to announce Suricata 1.4.2. This is a minor update over the 1.4 release, fixing some important bugs.

      Get the new release here: suricata-1.4.2.tar.gz

      Improvements

      • No longer force “nocase” to be used on http_host
      • Invalidate rule if uppercase content is used for http_host w/o nocase
      • Warn user if bpf is used in af-packet IPS mode
      • Better test for available libjansson version

      Fixes

      • Fixed accuracy issues with relative pcre matching (#784)
      • Improved accuracy of file_data keyword (#788)
      • Invalidate negative depth (#770)
      • Fix http host parsing for IPv6 addresses (#761)
      • Fix fast.log formatting issues (#773)
      • Fixed deadlock in flowvar set code for http buffers (#801)
      • Various signature ordering improvements
      • Minor stream engine fix

      Special thanks

      • Ivan Ristic
      • Rmkml
      • Will Metcalf

      Known issues & missing features

      As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

      See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

      About Suricata

      Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.


      by inliniac at May 29, 2013 01:23 PM

      April 23, 2013

      Victor Julien

      More on Suricata lua flowints

      This morning I added flowint lua functions for incrementing and decrementing flowints. From the commit:

      Add flowint lua functions for incrementing and decrementing flowints.

      First use creates the var and inits to 0. So a call:

          a = ScFlowintIncr(0)

      Results in a == 1.

      If the var reached UINT_MAX (2^32), it’s not further incremented. If the
      var reaches 0 it’s not decremented further.

      Calling ScFlowintDecr on a uninitialized var will init it to 0.

      Example script:

          function init (args)
        local needs = {}
        needs["http.request_headers"] = tostring(true)
        needs["flowint"] = {"cnt_incr"}
        return needs
    end

    function match(args)
        a = ScFlowintIncr(0);
        if a == 23 then
            return 1
        end

        return 0
    end
    return 0

      This script matches the 23rd time it’s invoked on a flow.

      Compared to yesterday’s flowint script and the earlier flowvar based counting script, this performs better:

         Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        1            1        0        2434188332   59.71  82249    795      711777      29595.35    7683.20     29809.22   
  2        2            1        0        1015328580   24.91  82249    795      154398      12344.57    3768.66     12428.27   
  3        3            1        0        626858067    15.38  82249    795      160731      7621.47     3439.91     7662.28

      The rules:

      alert http any any -> any any (msg:"LUAJIT HTTP flowvar match"; luajit:lua_flowvar_cnt.lua; flow:to_server; sid:1;)
alert http any any -> any any (msg:"LUAJIT HTTP flowint match"; luajit:lua_flowint_cnt.lua; flow:to_server; sid:2;)
alert http any any -> any any (msg:"LUAJIT HTTP flowint incr match"; luajit:lua_flowint_incr_cnt.lua; flow:to_server; sid:3;)

      Please comment, discuss, review etc on the oisf-devel list.


      by inliniac at April 23, 2013 10:17 AM

      April 22, 2013

      Victor Julien

      Suricata Lua scripting flowint access

      A few days ago I wrote about my Emerging Threats sponsored work to support flowvars from Lua scripts in Suricata.

      Today, I updated that support. Flowvar ‘sets’ are now real time. This was needed to fix some issues where a script was invoked multiple times in single rule, which can happen with some buffers, like HTTP headers.

      Also, I implemented flowint support. Flowints in Suricata are integers stored in the flow context.

      Example script:

      function init (args)
    local needs = {}
    needs["http.request_headers"] = tostring(true)
    needs["flowint"] = {"cnt"}
    return needs
end

function match(args)
    a = ScFlowintGet(0);
    if a then
        ScFlowintSet(0, a + 1)
    else
        ScFlowintSet(0, 1)
    end 
        
    a = ScFlowintGet(0);
    if a == 23 then
        return 1
    end 
    
    return 0
end 

return 0

      It does the same thing as this flowvar script:

      function init (args)
    local needs = {}
    needs["http.request_headers"] = tostring(true)
    needs["flowvar"] = {"cnt"}
    return needs
end

function match(args)
    a = ScFlowvarGet(0);
    if a then
        a = tostring(tonumber(a)+1)
        ScFlowvarSet(0, a, #a)
    else
        a = tostring(1)
        ScFlowvarSet(0, a, #a)
    end 
    
    if tonumber(a) == 23 then
        return 1
    end
    
    return 0
end

return 0

      Only, at about half the cost:

         Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        1            1        0        2392221879   70.56  82249    795      834993      29085.12    6964.14     29301.02   
  2        2            1        0        998297994    29.44  82249    795      483810      12137.51    4019.44     12216.74

      by inliniac at April 22, 2013 04:16 PM

      Suricata Lua scripting flowvar access

      Funded by Emerging Threats, I’ve been working on giving the lua scripts access to flowvars.

      Currently only “flowvars” are done, “flowints” will be next. Please review the code at:
      https://github.com/inliniac/suricata/tree/dev-lua-flowvar

      Pcre based flowvar capturing is done in a post-match fashion. If the rule containing the “capture” matches, the var is stored in the flow.

      For lua scripting, this wasn’t what the rule writers wanted. In this case, the flowvars are stored in the flow regardless of a rule match.

      The way a script can start using flowvars is by first registering which one it needs access to:

      function init (args)
    local needs = {}
    needs["http.request_headers.raw"] = tostring(true)
    needs["flowvar"] = {"cnt"}
    return needs
end

      More than one can be registered, e.g.:

          needs["flowvar"] = {"cnt", "somevar", "anothervar" }

      The maximum is 15 per script. The order of the vars matters. As Suricata uses id’s internally, to use the vars you have to use id’s as well. The first registered var has id 0, 2nd 1 and so on:

      function match(args)
    a = ScFlowvarGet(0);
    if a then
        print ("We have an A: " .. (a))
        a = tostring(tonumber(a)+1)
        print ("A incremented to: " .. (a))
        ScFlowvarSet(0, a, #a)
    else
        print "Init A to 1"
        a = tostring(1)
        ScFlowvarSet(0, a, #a)
    end

    print ("A is " .. (a))
    if tonumber(a) == 23 then
        print "Match!"
        return 1
    end

    return 0
end

      You can also use a var:

      function init (args)
    local needs = {}
    needs["http.request_headers.raw"] = tostring(true)
    needs["flowvar"] = {"blah", "cnt"}
    return needs
end

local var_cnt = 1

function match(args)
    a = ScFlowvarGet(var_cnt);
    if a then
        print ("We have an A: " .. (a))
        a = tostring(tonumber(a)+1)
        print ("A incremented to: " .. (a))
        ScFlowvarSet(var_cnt, a, #a)
    else
        print "Init A to 1"
        a = tostring(1)
        ScFlowvarSet(var_cnt, a, #a)
    end

    print ("A is " .. (a))
    if tonumber(a) == 23 then
        print "Match!"
        return 1
    end

    return 0
end

      Flowvars are set at the end of the rule’s inspection, so after the script has run.

      When multiple stores are done from the script and/or pcre, the last match will win. So if order matters, rule priority can be used to control inspection order.

      Thoughts, comments, and code review highly welcomed at the oisf-devel list.


      by inliniac at April 22, 2013 04:16 PM

      April 19, 2013

      Victor Julien

      Suricata: Handling of multiple different SYN/ACKs

      synackWhen processing the TCP 3 way handshake (3whs), Suricata’s TCP stream engine will closely follow the setup of a TCP connection to make sure the rest of the session can be tracked and reassembled properly. Retransmissions of SYN/ACKs are silently accepted, unless they are different somehow. If the SEQ or ACK values are different they are considered wrong and events are set. The stream events rules will match on this.

      I ran into some cases where not the initial SYN/ACK was used by the client, but instead a later one. Suricata however, had accepted the initial SYN/ACK. The result was that every packet from that point was rejected by the stream engine. A 67 packet pcap resulting in 64 stream events.

      If people have the stream events enabled _and_ pay attention to them, a noisy session like this should certainly get their attention. However, many people disable the stream events, or choose to ignore them, so a better solution is necessary.

      Analysis

      In this case the curious thing is that the extra SYN/ACK(s) have different properties: the sequence number is different. As the SYN/ACKs sequence number is used as “initial sequence number” (ISN) in the “to client” direction, it’s crucial to track it correctly. Failing to do so, Suricata will loose track of the stream, causing reassembly to fail. This could lead to missed alerts.

      Whats happening on the wire:

      TCP SSN 1:

      -> SYN: SEQ 10
<- SYN/ACK 1: ACK 11, SEQ 100
<- SYN/ACK 2: ACK 11, SEQ 1000
-> ACK: SEQ 11, ACK 101

      TCP SSN 2:

      -> SYN: SEQ 10
<- SYN/ACK 1: ACK 11, SEQ 100
<- SYN/ACK 2: ACK 11, SEQ 1000
-> ACK: SEQ 11, ACK 1001

      It’s clear that in SSN 1 the client ACKs the first SYN/ACK while in SSN 2 the 2nd SYN/ACK is ACK’d. It’s likely that the first SYN/ACK was lost before it reached the client. Suricata accepts the first though, and rejects any others that are not the same.

      Solution

      The solution I’ve been working on is to delay judgement on the extra SYN/ACKs until Suricata sees the ACK that completes the 3whs. At that point Suricata knows what the client accepted, and which SYN/ACKs were either ignored, or never received.

      Logic in pseudo code:

      Normal SYN/ACK coming in:

          UpdateState(p);
    ssn->state = TCP_SYN_RECV;

      Extra SYN/ACK packets:

          if (p != ssn) {
        QueueState(p);

      On receiving the ACK that completes the 3whs:

          if (ssn->queue_len) {
        q = QueueFindState(p);
        if (q)
            UpdateState(q);
    }
    UpdateState(p);
    ssn->state = TCP_ESTABLISHED;

      So when receiving the ACK, Suricata first searches for the proper SYN/ACK on the list. If it’s not found, the ACK will be processed normally, which means it’s checked against the original SYN/ACK. If Suricata did have a queued state, it will first apply it to the SSN. Then the ACK will be processed normally, so that is can complete the 3whs and move the state to ESTABLISHED.

      Limitations

      Queuing these states takes some memory, and for this reason there is a limit to the number each SSN will accept. This is configurable through a new stream option:

      stream:
  max-synack-queued: 5

      It defaults to 5. I’ve seen a few (valid) hits against a few terrabytes of traffic, so I think the default is reasonably safe. An event is being set if the limit is exceeded. It can be matched using a stream-event rule:

        alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake \
      excessive different SYN/ACKs"; stream-event:3whs_synack_flood; \
      sid:2210055; rev:1;)

      Performance

      This functionality doesn’t affect the regular “fast path” except for a small check to see if we have queued states. However, if the queue list is being used Suricata enters a slow path. Currently this involves an memory allocation per stored queue. It may be interesting to consider using pools here, although a single global pool might be ineffecient. In such a case a lock would have to be used and this might lead to contention, especially in a case where Suricata would be flooded. Per thread pools (519, 520, 521) may be best here.

      IPS mode

      SYN/ACKs that exceed the limit are dropped if stream.inline is enabled as is the case with all packets that are considered to be bad in some way.

      Code

      The code is now part of the git master through commit 4c6463f3784f533a07679589dab713096137a439. Feedback welcome through our oisf-devel list.


      by inliniac at April 19, 2013 07:53 AM

      March 26, 2013

      Eric Leblond

      WiFi interface and suricata AF_PACKET IPS mode

      Not usual setup can lead to surprise

      The 5th of December 2012, I’ve setup suricata in AF_PACKET IPS mode between a WiFi interface and an Ethernet interface. The result was surprising as it was leading to a crash after some time:

      The issue was linked with the defrag option of AF_PACKEt fanout. I’ve proposed a patch the 7th Dec 2012 and after a discussion with David Miller and Johannes Berg, Johannes has proposed a better patch which was included in official tree. So the problem is fixed for kernel superior or equal to 3.7.

      Affected kernel

      Here’s the list of affected kernel:

      • All kernel prior to 3.2.36
      • All 3.3.x kernel
      • All 3.4.x kernel prior to 3.4.25
      • All 3.5.x kernel prior to 3.5.7.3
      • All 3.6.x kernel prior to 3.6.11

      Workaround in Suricata

      If you can’t update to a not affected kernel, you can set defrag to no in af-packet configuration to avoid the issue:

      af-packet:
  - interface: wlan0
    # In some fragmentation case, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: no

      by Regit at March 26, 2013 03:24 PM

      March 15, 2013

      suricata-ids.org

      Suricata 1.4.1 Windows Installer Available

      The Windows MSI installer of the Suricata 1.4.1 release is now available.

      Download it here: Suricata1.4.1-1-32bit.msi

      After downloading, double click the file to launch the installer. Please note that the installer is not yet signed.

      If you have a previous version installed, please remove that first.


      by fleurixx at March 15, 2013 03:24 PM

      Suricata Ubuntu PPA updated to 1.4.1

      We have updated the official Ubuntu PPA to Suricata 1.4.1. To use this PPA read our docs here.

      If you’re using this PPA, updating is as simple as:

      apt-get update && apt-get upgrade

      The PPA Ubuntu packages have IPS mode through NFQUEUE enabled.


      by fleurixx at March 15, 2013 02:12 PM

      March 11, 2013

      Eric Leblond

      Victor Julien, Suricata and Netfilter

      Suricata and Netfilter can be better friend as they are doing some common work like decoding packet and maintaining flow table.

      In IPS mode, Suricata is receiving raw packet from libnetfilter_queue. It has to made the parsing of this packet but this kind of thing has also been done by kernel. So it should be possible to avoid to duplicate the work.

      In fact Netfilter work is limited as ipheaders srtucture are used. Patrik McHardy proposed that Netfilter offset but this is not the most costly part.

      The flow discussion was more interesting because conntrack is really doing a similar work as the one done by Suricata. Using the CT extension of libnetfilter_queue, Suricata will be able to get access to all the CT information. And at a first glance, it seems it contains almost all information needed. So it should be possible to remove the flow engine from suricata. The garbage operation would not be necessary as Suricata will get information via NFCT destroy event.

      Jozsef Kadlecsik proposed to use Tproxy to redirect flow and provide a “socket” stream instead of individual packet to Suricata. This would change Suricata a lot but could provide a interesting alternative mode.

      by Regit at March 11, 2013 03:04 PM

      March 08, 2013

      Victor Julien

      Suricata 1.4.1 released!

      Reblogged from Suricata:

      Click to visit the original post

      The OISF development team is proud to announce Suricata 1.4.1. This is a major update over the 1.4 release, adding some exiting features, many improvements and fixing some important bugs.

      Get the new release here: suricata-1.4.1.tar.gz

      The most interesting new feature is the GeoIP support. Great contribution by Ignacio Sanchez. It adds "geoip" rule keyword that allows you to match on source of destination of a packet per country.

      Read more… 344 more words

      Major 1.4 update.

      by inliniac at March 08, 2013 02:30 PM

      Open Information Security Foundation

      Suricata 1.4.1 released!

      The OISF development team is proud to announce Suricata 1.4.1. This is a major update over the 1.4 release, adding some exiting features, many improvements and fixing some important bugs.

      Get the new release here: suricata-1.4.1.tar.gz

      The most interesting new feature is the GeoIP support. Great contribution by Ignacio Sanchez. It adds “geoip” rule keyword that allows you to match on source of destination of a packet per country.

      New features

      • GeoIP keyword, allowing matching on Maxmind’s database, contributed by Ignacio Sanchez (#559)
      • Introduce http_host and http_raw_host keywords (#733, #743)
      • Add python module for interacting with unix socket (#767)
      • Add new unix socket commands: fetching config, counters, basic runtime info (#764, #765)

      Improvements

      • Big Napatech support update by Matt Keeler
      • Configurable sensor id in unified2 output, contributed by Jake Gionet (#667)
      • FreeBSD IPFW fixes by Nikolay Denev
      • Add “default” interface setting to capture configuration in yaml (#679)
      • Make sure “snaplen” can be set by the user (#680)
      • Improve HTTP URI query string normalization (#739)
      • Improved error reporting in MD5 loading (#693)
      • Improve reference.config parser error reporting (#737)
      • Improve build info output to include all configure options (#738)

      Fixes

      • Segfault in TLS parsing reported by Charles Smutz (#725)
      • Fix crash in teredo decoding, reported by Rmkml (#736)
      • fixed UDPv4 packets without checksum being detected as invalid (#760)
      • fixed DCE/SMB parsers getting confused in some fragmented cases (#764)
      • parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#697)
      • FN: IP-only rule ip_proto not matching for some protocols (#689)
      • Fix build failure with other libhtp installs (#688)
      • Fix malformed yaml loading leading to a crash (#694)
      • Various Mac OS X fixes (#700, #701, #703)
      • Fix for autotools on Mac OS X by Jason Ish (#704)
      • Fix AF_PACKET under high load not updating stats (#706)

      Special thanks

      • Ignacio Sanchez
      • Matt Keeler — nPulse
      • Jake Gionet
      • Nikolay Denev
      • Jason Ish — Endace
      • Jamie Strandboge
      • Charles Smutz
      • Rmkml

      Known issues & missing features

      As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

      See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

      About Suricata

      Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

      by Victor Julien (postmaster@inliniac.net) at March 08, 2013 01:03 PM

      suricata-ids.org

      Suricata 1.4.1 released!

      Photo by Eric LeblondThe OISF development team is proud to announce Suricata 1.4.1. This is a major update over the 1.4 release, adding some exiting features, many improvements and fixing some important bugs.

      Get the new release here: suricata-1.4.1.tar.gz

      The most interesting new feature is the GeoIP support. Great contribution by Ignacio Sanchez. It adds “geoip” rule keyword that allows you to match on source of destination of a packet per country.

      New features

      • GeoIP keyword, allowing matching on Maxmind’s database, contributed by Ignacio Sanchez (#559)
      • Introduce http_host and http_raw_host keywords (#733, #743)
      • Add python module for interacting with unix socket (#767)
      • Add new unix socket commands: fetching config, counters, basic runtime info (#764, #765)

      Improvements

      • Big Napatech support update by Matt Keeler
      • Configurable sensor id in unified2 output, contributed by Jake Gionet (#667)
      • FreeBSD IPFW fixes by Nikolay Denev
      • Add “default” interface setting to capture configuration in yaml (#679)
      • Make sure “snaplen” can be set by the user (#680)
      • Improve HTTP URI query string normalization (#739)
      • Improved error reporting in MD5 loading (#693)
      • Improve reference.config parser error reporting (#737)
      • Improve build info output to include all configure options (#738)

      Fixes

      • Segfault in TLS parsing reported by Charles Smutz (#725)
      • Fix crash in teredo decoding, reported by Rmkml (#736)
      • fixed UDPv4 packets without checksum being detected as invalid (#760)
      • fixed DCE/SMB parsers getting confused in some fragmented cases (#764)
      • parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#697)
      • FN: IP-only rule ip_proto not matching for some protocols (#689)
      • Fix build failure with other libhtp installs (#688)
      • Fix malformed yaml loading leading to a crash (#694)
      • Various Mac OS X fixes (#700, #701, #703)
      • Fix for autotools on Mac OS X by Jason Ish (#704)
      • Fix AF_PACKET under high load not updating stats (#706)

      Special thanks

      • Ignacio Sanchez
      • Matt Keeler — nPulse
      • Jake Gionet
      • Nikolay Denev
      • Jason Ish — Endace
      • Jamie Strandboge
      • Charles Smutz
      • Rmkml

      Known issues & missing features

      As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

      See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

      About Suricata

      Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.


      by inliniac at March 08, 2013 01:00 PM

      March 07, 2013

      Open Information Security Foundation

      Suricata 1.3.6 Available!

      The OISF development team is pleased to announce Suricata 1.3.6. This the last maintenance release of Suricata 1.3 with some important fixes.

      Because of the fixes below, upgrading is highly recommended.

      Download: http://www.openinfosecfoundation.org/download/suricata-1.3.6.tar.gz

      Fixes

      • fix decoder event rules not checked in all cases (#671)
      • checksum detection for icmpv6 was fixed (#673)
      • crash in HTTP server body inspection code fixed (#675)
      • fixed a icmpv6 payload bug (#676)
      • IP-only rule ip_proto not matching for some protocols was addressed (#690)
      • fixed malformed yaml crashing suricata (#702)
      • parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#717)
      • crash in tls parser was fixed (#759)
      • fixed UDPv4 packets without checksum being detected as invalid (#762)
      • fixed DCE/SMB parsers getting confused in some fragmented cases (#763)

      Special thanks

      • Jamie Strandboge

      Known issues & missing features

      If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

      See http://redmine.openinfosecfoundation.org/projects/suricata/issues for an up to date list and to report new issues. See http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues for a discussion and time line for the major issues.

      About Suricata

      Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

      by Victor Julien (postmaster@inliniac.net) at March 07, 2013 11:55 AM

      suricata-ids.org

      Suricata 1.3.6 available!

      The OISF development team is pleased to announce Suricata 1.3.6. This the last maintenance release of Suricata 1.3 with some important fixes.

      Because of the fixes below, upgrading is highly recommended.

      Download: http://www.openinfosecfoundation.org/download/suricata-1.3.6.tar.gz

      Fixes

      • fix decoder event rules not checked in all cases (#671)
      • checksum detection for icmpv6 was fixed (#673)
      • crash in HTTP server body inspection code fixed (#675)
      • fixed a icmpv6 payload bug (#676)
      • IP-only rule ip_proto not matching for some protocols was addressed (#690)
      • fixed malformed yaml crashing suricata (#702)
      • parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#717)
      • crash in tls parser was fixed (#759)
      • fixed UDPv4 packets without checksum being detected as invalid (#762)
      • fixed DCE/SMB parsers getting confused in some fragmented cases (#763)

      Special thanks

      • Jamie Strandboge

      Known issues & missing features

      If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

      See http://redmine.openinfosecfoundation.org/projects/suricata/issues for an up to date list and to report new issues. See http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues for a discussion and time line for the major issues.

      About Suricata

      Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.


      by inliniac at March 07, 2013 11:54 AM

      nPulse Moves to Platinum Status in 2013

      We are very pleased to announce that nPulse has moved to Platinum Consortium Member status of the Open Information Security Foundation (OISF).

      nPulse Technologies, Inc. takes the pulse of the world’s fastest networks. For customers with extremely big pipes of 10Gbps or more, who run intelligence-driven security and network operations, nPulse solutions are open, standards-based collection platforms that integrate ultrafast flow and packet capture probes with big data analytics. Unlike traditional packet capture solutions which are proprietary, expensive, and unable to scale to today’s network core speeds, nPulse platforms capture 100% of network traffic at 20 Gbps and utilize a Big Data analytics approach to significantly reduce the time, effort, and resources required to produce actionable intelligence. For more information, visit www.npulsetech.com.


      by inliniac at March 07, 2013 11:45 AM

      February 27, 2013

      Security Onion

      New NSM scripts package now available!

      I've updated our NSM scripts to resolve the following issues:

      Issue 292: Need cronjob to reload syslog-ng at midnight
      Issue 295: Increase sleep value in /etc/init/securityonion.conf
      Issue 296: Run snort as non-root user
      Issue 297: Run snort/suricata with unique PF_RING cluster-id per interface

      Thanks to the following for testing this update!
      Matt Gregory
      GabrielS
      Heine Lysemose
      Installation
      The new NSM scripts package is now available in our stable repo. You can initiate the update process using the graphical Update Manager or with the following one-liner:
      sudo apt-get update && sudo apt-get dist-upgrade
      Reminder about MySQL Updates
      As a reminder, if you are prompted to install MySQL updates, please see the following for the recommended procedure for updating MySQL:
      http://code.google.com/p/security-onion/wiki/MySQLUpdates

      Feedback
      If you have any questions or problems, please join our mailing list and ask away!
      https://code.google.com/p/security-onion/wiki/MailingLists


      by Doug Burks (noreply@blogger.com) at February 27, 2013 08:21 AM

      February 25, 2013

      Open Information Security Foundation

      nPulse Moves to Platinum Status in 2013

      We are very pleased to announce that nPulse has moved to Platinum Consortium Member status of the Open Information Security Foundation (OISF).

      nPulse Technologies, Inc. takes the pulse of the world’s fastest networks. For customers with extremely big pipes of 10Gbps or more, who run intelligence-driven security and network operations, nPulse solutions are open, standards-based collection platforms that integrate ultrafast flow and packet capture probes with big data analytics. Unlike traditional packet capture solutions which are proprietary, expensive, and unable to scale to today's network core speeds, nPulse platforms capture 100% of network traffic at 20 Gbps and utilize a Big Data analytics approach to significantly reduce the time, effort, and resources required to produce actionable intelligence.  For more information, visit www.npulsetech.com.

       


      by Beth Slater (bslater@emergingthreatspro.com) at February 25, 2013 04:50 AM

      December 21, 2012

      suricata-ids.org

      OISF Welcomes Tilera as a Gold Level Consortium Member

      We are very pleased to welcome Tilera Corporation as a Gold level Consortium member of the Open Information Security Foundation (OISF)! Through this membership, Tilera will continue to focus on achieving unparalleled Suricata performance on the TILE-Gx processor family. The TILE-Gx processor family delivers industry leading performance and power efficiency (performance/watt), while providing ease-of-use with standard Linux programming.

      As the leader in 64-bit manycore general purpose processors, the company is already hard at work contributing to the Consortium and has delivered the highest performance, highest density Suricata solution in the market – seeing about 40 Gbps throughput in a 1U platform. The Suricata implementation on TILE-Gx processors supports all the features of Suricata including both the IDS and IPS modes of operation.

      “Tilera’s involvement with the OISF and Suricata is significant validation of Suricata as an Engine, and threading as the way forward for the industry as a whole,” said Matt Jonkman, president, OISF. “The performance benefits that Tilera has already demonstrated with Suricata and the TILE-GX processor family is thoroughly impressive and is just a taste of what is to come.”

      The industry-leading performance was achieved on Tilera’s TILExtreme-Gx high density platform that packs 144 cores with four TILE-Gx36 processors in a compact 1U rack mountable device. The standard TILExtreme-Gx platform provides up to 160Gbps of Ethernet I/O and is ideal for a variety of compute and I/O intensive tasks such as Network Security (IDS/IPS, DPI, DLP), Network Monitoring, Data Forensics and Big Data processing. It is actively being deployed by several Tilera customers. Additionally, based on the performance and I/O requirements, Tilera customers have the ability to scale up or down by choosing from range of platforms ranging from half-length PCIe cards to the high density 1U chassis.

      Tilera will unveil a new platform that doubles the capacity in the first quarter of 2013. Support for the TILE-Gx will also be added for the open source version of Suricata.

      There will be much more exciting news to come from Tilera and the OISF in 2013. If you want to learn more about Tilera and its solutions, contact  Satish Ganesan, Director of Marketing, Networking Solutions, for Tilera. In the meantime, stay tuned to this space for the latest updates!

      The Open Information Security Foundation (OISF) is a non-profit foundation organized to build a next generation IDS/IPS engine Suricata.  The OISF has formed a multi-national group of the leading software developers in the security industry.  In addition to developers and a consortium consisting of leading cyber security companies, OISF has engaged the open source security community to identify current and future IDS/IPS needs and desires.


      by inliniac at December 21, 2012 09:59 AM

      December 19, 2012

      Open Information Security Foundation

      OISF Welcomes Tilera as a Gold Level Consortium Member

      We are very pleased to welcome Tilera Corporation as a Gold level Consortium member of the Open Information Security Foundation (OISF)! Through this membership, Tilera will continue to focus on achieving unparalleled Suricata performance on the TILE-Gx processor family. The TILE-Gx processor family delivers industry leading performance and power efficiency (performance/watt), while providing ease-of-use with standard Linux programming.  

       
      As the leader in 64-bit manycore general purpose processors, the company is already hard at work contributing to the Consortium and has delivered the highest performance, highest density Suricata solution in the market – seeing about 40 Gbps throughput in a 1U platform. The Suricata implementation on TILE-Gx processors supports all the features of Suricata including both the IDS and IPS modes of operation.
       
      "Tilera’s involvement with the OISF and Suricata is significant validation of Suricata as an Engine, and threading as the way forward for the industry as a whole," said Matt Jonkman, president, OISF. “The performance benefits that Tilera has already demonstrated with Suricata and the TILE-GX processor family is thoroughly impressive and is just a taste of what is to come.”
       
      The industry-leading performance was achieved on Tilera’s TILExtreme-Gx high density platform that packs 144 cores with four TILE-Gx36 processors in a compact 1U rack mountable device. The standard TILExtreme-Gx platform provides up to 160Gbps of Ethernet I/O and is ideal for a variety of compute and I/O intensive tasks such as Network Security (IDS/IPS, DPI, DLP), Network Monitoring, Data Forensics and Big Data processing. It is actively being deployed by several Tilera customers. Additionally, based on the performance and I/O requirements, Tilera customers have the ability to scale up or down by choosing from range of platforms ranging from half-length PCIe cards to the high density 1U chassis. 
       
      Tilera will unveil a new platform that doubles the capacity in the first quarter of 2013. Support for the TILE-Gx will also be added for the open source version of Suricata.
       
      There will be much more exciting news to come from Tilera and the OISF in 2013. If you want to learn more about Tilera and its solutions, contact Satish Ganesan, Director of Marketing, Networking Solutions, for Tilera. In the meantime, stay tuned to this space for the latest updates!

      The Open Information Security Foundation (OISF) is a non-profit foundation organized to build a next generation IDS/IPS engine Suricata.  The OISF has formed a multi-national group of the leading software developers in the security industry.  In addition to developers and a consortium consisting of leading cyber security companies, OISF has engaged the open source security community to identify current and future IDS/IPS needs and desires. 
       

      by Beth Slater (bslater@emergingthreatspro.com) at December 19, 2012 03:22 PM

      December 18, 2012

      suricata-ids.org

      Suricata 1.4 Windows Installer Available

      The Windows MSI installer of the Suricata 1.4 release is now available.

      Download it here: Suricata1.4-1-32bit.msi

      After downloading, double click the file to launch the installer. Please note that the installer is not yet signed.

      If you have a previous version installed, please remove that first.


      by inliniac at December 18, 2012 11:12 AM

      December 14, 2012

      suricata-ids.org

      Ubuntu Raring 13.04 gets Suricata 1.4

      The next Ubuntu release currently in development, 13.04, just received an update to Suricata 1.4.

      If you are running Ubuntu 13.04, updating is as simple as:
      apt-get update && apt-get upgrade

      Installing is as simple as:
      apt-get update && apt-get install suricata

      The Ubuntu package has IPS mode through NFQUEUE enabled.

      The OISF also provides a PPA for this and other Ubuntu versions: instructions can be found here.


      by fleurixx at December 14, 2012 03:27 PM

      Suricata Ubuntu PPA updated to 1.4

      We have updated the official Ubuntu PPA to Suricata 1.4. To use this PPA read our docs here.

      If you’re using this PPA, updating is as simple as:

      apt-get update && apt-get upgrade

      The PPA Ubuntu packages have IPS mode through NFQUEUE enabled.


      by fleurixx at December 14, 2012 03:13 PM

      Debian Sid gets Suricata 1.4

      Debian maintainer Pierre Chifflier updated the Suricata package in Debian Sid to 1.4.

      If you are running Debian Sid, updating is as simple as:
      apt-get update && apt-get upgrade

      Installing is as simple as:
      apt-get update && apt-get install suricata

      The Debian package has IPS mode through NFQUEUE enabled.


      by fleurixx at December 14, 2012 02:55 PM

      Subscriptions

      Last updated:
      December 13, 2013 02:37 AM
      All times are UTC.

      Powered by:
      Planet