Hi again Alfredo,

I keep having problems of apparent traffic loss even with ZC driver.

I've installed Suricata just to generate HTTP and DNS logs (alert
detection disabled) and right after starting it I get about 2k to 4k http
log entries per minute. Now (24h later) I only get 10 to 30 log entries per
minute, with punctual spikes of up to 1.5k entries in a minute.

I know there are no kernel filters as I'm using ZC. Is there an equivalent
in ZC to the normal kernel filters? That would explain this behaviour, as
it's quite similar to what we had back when we discovered the
no-kernel-filters daqvar.

Thank you very much.

Regards,

Jose Vila.



On Mon, Jun 29, 2015 at 10:16 AM, Jose Vila <[email protected]> wrote:

> Hello Alfredo,
> Thank you very much for the explanation.
> Regards,
> Jose.
>
> On Fri, Jun 26, 2015 at 3:29 PM, Alfredo Cardigliano <[email protected]> wrote:
>
>> Hi Jose,
>> since the kernel is bypassed with ZC, it is not possible to set kernel
>> filters at all, thus no-kernel-filters is not needed.
>>
>> Best Regards
>> Alfredo
>>
>> > On 26 Jun 2015, at 04:17, Jose Vila <[email protected]> wrote:
>> >
>> > Excuse me for reviving this thread.
>> >
>> > I've been using Snort's DAQ module variable no-kernel-filters for a long
>> > time, but recently switched to pfring_zc and got this error:
>> >
>> > FATAL ERROR: Can't initialize DAQ pfring_zc (-1) -
>> > pfring_zc_daq_initialize: unsupported variable(no-kernel-filters=1)#012
>> >
>> > Why isn't this variable present on the ZC driver? Am I missing
>> > something?
>> >
>> > Thanks,
>> >
>> > Jose Vila.
>> >
>> > On Wed, Jul 11, 2012 at 12:52 PM, Alfredo Cardigliano <[email protected]> wrote:
>> >
>> >> Peter,
>> >> the rules listed are kernel hash filters added by the DAQ module (you
>> >> can disable them with --daq-var no-kernel-filters) every time snort
>> >> emits a verdict, in order to reduce the amount of traffic it has to
>> >> analyze.
>> >> Those rules are automatically removed when idle for more than 5 minutes
>> >> (you can change the default with --daq-var
>> >> kernel-filters-idle-timeout=<seconds>)
>> >>
>> >> Regards
>> >> Alfredo
>> >>
>> >> On Jul 11, 2012, at 12:39 PM, Peter Bates wrote:
>> >>
>> >>>
>> >>> Hello again all
>> >>>
>> >>> On 11/07/2012 10:46, Alfredo Cardigliano wrote:
>> >>>> the BPF filter is not counted as "Sw Filt. Rules" (this only
>> >>>> includes wildcard and hash rules)
>> >>>
>> >>>> BPF Filtering      : Enabled # Sw Filt. Rules   : 17176 # Hw Filt.
>> >>>> Rules   : 0
>> >>>
>> >>> Okay, so what are the 17176 rules listed?
>> >>> Is this the action of the clustering hashing the packets to the
>> >>> different instances?
>> >>>
>> >>> --
>> >>> Peter Bates
>> >>> Senior Computer Security Officer    Phone: +44(0)2076792049
>> >>> Information Services Division     Internal Ext: 32049
>> >>> University College London
>> >>> London WC1E 6BT
>> >>>
>> >>> _______________________________________________
>> >>> Ntop-misc mailing list
>> >>> [email protected]
>> >>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>> >>
>> >>
>>
>>
>>
>
>
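The symptom at the top of this thread (thousands of http log lines per minute right after Suricata starts, tens per minute a day later) is easier to reason about once the log rate is measured rather than eyeballed. The script below is an added example, not code from the thread or from the ntop or Suricata projects. It assumes Suricata's eve.json format, where each line is a JSON object with a `timestamp` and an `event_type` field; the sample lines it processes are constructed inline, and the window size and 25% drop threshold are assumptions, not values from the thread.

```python
"""Measure Suricata's http log rate per minute and flag a sustained fall-off.

Added example (not from the thread): builds constructed eve.json lines,
counts http events per minute, and compares an early baseline window with
the most recent window so a sustained drop can be told apart from noise.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone


def constructed_eve_lines():
    """Constructed sample: busy minutes right after start, sparse ones 24h later."""
    start = datetime(2015, 6, 30, 8, 0, tzinfo=timezone.utc)
    lines = []

    def emit(minute, n, event_type="http"):
        for i in range(n):
            # spread n events across the minute without leaving it
            ts = start + timedelta(minutes=minute, seconds=(60 * i) // max(n, 1))
            lines.append(json.dumps({
                "timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.%f%z"),
                "event_type": event_type,
                "src_ip": "10.0.0.1",      # constructed addresses
                "dest_ip": "192.0.2.10",
            }))

    for m in range(0, 3):           # first three minutes: 40 http/min
        emit(m, 40)
        emit(m, 5, "dns")           # dns events must not be counted as http
    for m in range(1440, 1443):     # 24h later: 3 http/min
        emit(m, 3)
    return lines


def http_per_minute(lines):
    """Count http events per minute, keyed by the timestamp truncated to the minute."""
    counts = Counter()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                # skip a truncated or corrupt line, don't abort
        if ev.get("event_type") != "http":
            continue
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        counts[ts.replace(second=0, microsecond=0)] += 1
    return counts


def rate_change(counts, window=3):
    """Mean http/min over the first `window` active minutes versus the last `window`."""
    minutes = sorted(counts)
    if len(minutes) < 2 * window:
        raise ValueError("not enough active minutes for two windows")
    baseline = sum(counts[m] for m in minutes[:window]) / window
    recent = sum(counts[m] for m in minutes[-window:]) / window
    return {
        "baseline_per_min": baseline,
        "recent_per_min": recent,
        "ratio": recent / baseline if baseline else float("inf"),
    }


def sustained_drop(counts, window=3, threshold=0.25):
    """True when the recent rate is below threshold * baseline (threshold is an assumption).

    A True result says the log rate fell, not why: check the capture path's own
    packet and drop counters before concluding that traffic is being lost.
    """
    return rate_change(counts, window)["ratio"] < threshold


if __name__ == "__main__":
    c = http_per_minute(constructed_eve_lines())
    print(rate_change(c))
    print("sustained drop:", sustained_drop(c))
```

Run against a real eve.json, the only change needed is replacing `constructed_eve_lines()` with the file's lines; the per-minute counter also makes the idle-timeout behaviour discussed further down the thread visible, because a filter-driven decline shows up as a gradual slope rather than a single step.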
