Saturday, December 21, 2013

Suri 2.0beta2 very informative - when you need it

With the release of Suricata 2.0beta2 one can notice right away a few of the many changes.

root@LTS-64-1:~# suricata -c /etc/suricata/suricata.yaml -i eth0 -v
19/12/2013 -- 08:57:48 - <Notice> - This is Suricata version 2.0beta2 RELEASE
19/12/2013 -- 08:57:48 - <Info> - CPUs/cores online: 2
19/12/2013 -- 08:57:48 - <Info> - 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
19/12/2013 -- 08:57:48 - <Info> - 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
19/12/2013 -- 08:57:48 - <Info> - 'apache' server has 'request-body-minimal-inspect-size' set to 34116 and 'request-body-inspect-window' set to 3973 after randomization.
19/12/2013 -- 08:57:48 - <Info> - 'apache' server has 'response-body-minimal-inspect-size' set to 32229 and 'response-body-inspect-window' set to 4205 after randomization.
19/12/2013 -- 08:57:48 - <Info> - 'iis7' server has 'request-body-minimal-inspect-size' set to 32040 and 'request-body-inspect-window' set to 4118 after randomization.
19/12/2013 -- 08:57:48 - <Info> - 'iis7' server has 'response-body-minimal-inspect-size' set to 32694 and 'response-body-inspect-window' set to 4148 after randomization.
19/12/2013 -- 08:57:48 - <Info> - DNS request flood protection level: 500
19/12/2013 -- 08:57:48 - <Info> - Found an MTU of 1500 for 'eth0'
19/12/2013 -- 08:57:48 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
19/12/2013 -- 08:57:48 - <Info> - preallocated 65535 defrag trackers of size 152
19/12/2013 -- 08:57:48 - <Info> - defrag memory usage: 13631336 bytes, maximum: 33554432
19/12/2013 -- 08:57:48 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
19/12/2013 -- 08:57:48 - <Info> - preallocated 1024 packets. Total memory 3567616
19/12/2013 -- 08:57:48 - <Info> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
19/12/2013 -- 08:57:48 - <Info> - preallocated 1000 hosts of size 112
19/12/2013 -- 08:57:48 - <Info> - host memory usage: 390144 bytes, maximum: 16777216
19/12/2013 -- 08:57:48 - <Info> - allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
19/12/2013 -- 08:57:48 - <Info> - preallocated 10000 flows of size 280
19/12/2013 -- 08:57:48 - <Info> - flow memory usage: 7074304 bytes, maximum: 134217728
19/12/2013 -- 08:57:48 - <Info> - IP reputation disabled
19/12/2013 -- 08:57:48 - <Info> - using magic-file /usr/share/file/magic
19/12/2013 -- 08:57:48 - <Info> - Delayed detect disabled
19/12/2013 -- 08:57:53 - <Info> - 48 rule files processed. 14045 rules successfully loaded, 0 rules failed
19/12/2013 -- 08:57:53 - <Info> - 14053 signatures processed. 1136 are IP-only rules, 4310 are inspecting packet payload, 10513 inspect application layer, 72 are decoder event only
19/12/2013 -- 08:57:53 - <Info> - building signature grouping structure, stage 1: preprocessing rules... complete
19/12/2013 -- 08:57:54 - <Info> - building signature grouping structure, stage 2: building source address list... complete
19/12/2013 -- 08:58:00 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
19/12/2013 -- 08:58:03 - <Info> - Threshold config parsed: 0 rule(s) found
19/12/2013 -- 08:58:03 - <Info> - Core dump size set to unlimited.
19/12/2013 -- 08:58:03 - <Info> - fast output device (regular) initialized: fast.log
19/12/2013 -- 08:58:03 - <Info> - http-log output device (regular) initialized: http.log
19/12/2013 -- 08:58:03 - <Info> - dns-log output device (regular) initialized: dns.log
19/12/2013 -- 08:58:03 - <Info> - file-log output device (regular) initialized: files-json.log
19/12/2013 -- 08:58:03 - <Info> - forcing magic lookup for logged files
19/12/2013 -- 08:58:03 - <Info> - forcing md5 calculation for logged files
19/12/2013 -- 08:58:03 - <Info> - Using 1 live device(s).
19/12/2013 -- 08:58:03 - <Info> - using interface eth0
19/12/2013 -- 08:58:03 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
19/12/2013 -- 08:58:03 - <Info> - Found an MTU of 1500 for 'eth0'
19/12/2013 -- 08:58:03 - <Info> - Set snaplen to 1516 for 'eth0'
19/12/2013 -- 08:58:03 - <Info> - Generic Receive Offload is set on eth0
19/12/2013 -- 08:58:03 - <Info> - Large Receive Offload is unset on eth0
19/12/2013 -- 08:58:03 - <Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using Pcap capture with GRO or LRO activated can lead to capture problems.
19/12/2013 -- 08:58:03 - <Info> - RunModeIdsPcapAutoFp initialised
19/12/2013 -- 08:58:03 - <Info> - stream "prealloc-sessions": 2048 (per thread)
19/12/2013 -- 08:58:03 - <Info> - stream "memcap": 536870912
19/12/2013 -- 08:58:03 - <Info> - stream "midstream" session pickups: disabled
19/12/2013 -- 08:58:03 - <Info> - stream "async-oneside": disabled
19/12/2013 -- 08:58:03 - <Info> - stream "checksum-validation": disabled
19/12/2013 -- 08:58:03 - <Info> - stream."inline": disabled
19/12/2013 -- 08:58:03 - <Info> - stream "max-synack-queued": 5
19/12/2013 -- 08:58:03 - <Info> - stream.reassembly "memcap": 1073741824
19/12/2013 -- 08:58:03 - <Info> - stream.reassembly "depth": 8388608
19/12/2013 -- 08:58:03 - <Info> - stream.reassembly "toserver-chunk-size": 2447
19/12/2013 -- 08:58:03 - <Info> - stream.reassembly "toclient-chunk-size": 2489
19/12/2013 -- 08:58:03 - <Info> - stream.reassembly.raw: enabled
19/12/2013 -- 08:58:03 - <Notice> - all 4 packet processing threads, 3 management threads initialized, engine started.
19/12/2013 -- 08:58:32 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used

Note 1)
19/12/2013 -- 08:58:03 - <Info> - Generic Receive Offload is set on eth0
19/12/2013 -- 08:58:03 - <Info> - Large Receive Offload is unset on eth0
19/12/2013 -- 08:58:03 - <Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using Pcap capture with GRO or LRO activated can lead to capture problems.

Note 2) (after some packets)
19/12/2013 -- 08:58:32 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used

So for Note 1), if we check our interface using ethtool (if you do not have it, apt-get install ethtool on Ubuntu/Debian-like systems):

root@LTS-64-1:~# ethtool -k eth0
Offload parameters for eth0:
rx-checksumming: off
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: off
root@LTS-64-1:~#

We see that:
generic-receive-offload: on
large-receive-offload: off

exactly as Suricata reports.
(Do not forget to run Suricata with the -v option, otherwise these Info messages are not shown:
suricata -c /etc/suricata/suricata.yaml -i eth0 -v)
Do not forget: all offloading and checksumming features should be OFF (disabled) on the network interface, so that Suricata correctly processes all the traffic!
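The check and the fix described above, as an added example that is not code from this post or from the Suricata or ethtool projects: a small POSIX shell script that parses the text ethtool -k prints, lists the offload features that are still on, and prints the matching ethtool -K ... off commands for you to review. The function names are this example's own, the long-name-to-short-name table follows the feature names documented for ethtool -K, and the sample input is constructed from the ethtool -k eth0 output shown above.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Suricata project.
# It parses the text that `ethtool -k <iface>` prints, lists the offload
# features that are still "on", and prints the `ethtool -K` commands that
# would switch them off. The ethtool text is read from stdin, so it can be
# checked against saved output without touching a real interface.

# Sample input constructed from the `ethtool -k eth0` output shown in the post
# (prompt lines dropped).
SAMPLE_ETHTOOL='Offload parameters for eth0:
rx-checksumming: off
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: off'

# Print the name of every top-level feature whose value starts with "on",
# one per line. The header line has no on/off value and is skipped, as are
# the tab-indented sub-features that newer ethtool versions print; a trailing
# "[fixed]" marker (newer ethtool) does not stop a line from matching.
enabled_offloads() {
    awk -F': *' '/^[a-z0-9-]+: *on/ { print $1 }'
}

# Map the long names printed by `ethtool -k` to the short feature names that
# `ethtool -K` accepts (rx, tx, sg, tso, ufo, gso, gro, lro, rxvlan, txvlan,
# ntuple, rxhash). Names not in this table are passed through unchanged.
short_name() {
    case "$1" in
        rx-checksumming)              echo rx ;;
        tx-checksumming)              echo tx ;;
        scatter-gather)               echo sg ;;
        tcp-segmentation-offload)     echo tso ;;
        udp-fragmentation-offload)    echo ufo ;;
        generic-segmentation-offload) echo gso ;;
        generic-receive-offload)      echo gro ;;
        large-receive-offload)        echo lro ;;
        rx-vlan-offload)              echo rxvlan ;;
        tx-vlan-offload)              echo txvlan ;;
        ntuple-filters)               echo ntuple ;;
        receive-hashing)              echo rxhash ;;
        *)                            echo "$1" ;;
    esac
}

# Print, without executing, one `ethtool -K <iface> <feature> off` line per
# enabled feature. Review the list, then run the lines yourself as root.
disable_commands() {
    iface="$1"
    enabled_offloads | while read -r feature; do
        printf 'ethtool -K %s %s off\n' "$iface" "$(short_name "$feature")"
    done
}

# Return 0 when no offload feature is enabled (the state the post asks for),
# 1 otherwise.
offloads_clean() {
    [ -z "$(enabled_offloads)" ]
}

# Demo on the embedded sample. Live use on a real interface would be:
#   ethtool -k eth0 | disable_commands eth0
printf '%s\n' "$SAMPLE_ETHTOOL" | disable_commands eth0
```

GRO and LRO merge received segments in the driver before the capture library sees them, so an interface with either enabled hands Suricata larger, re-assembled packets rather than what was on the wire; that is the capture problem the SC_ERR_PCAP_CREATE warning refers to. The script only prints the ethtool -K lines rather than running them, and ethtool settings do not survive a reboot, so once you have applied them put the same commands in your interface configuration as well.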