Hi Jose there is no filtering support at the moment in ZC (kernel is bypassed), with some card we have hw filtering support in ZC, but I do not think it is supported byh Suricata.
Regards Alfredo > On 14 Aug 2015, at 12:39, Jose Vila <[email protected]> wrote: > > Hi again Alfredo, > > I keep having problems of apparent traffic loss even with ZC driver. > > I've installed a Suricata just to generate HTTP and DNS logs (alert > detection disabled) and right after starting it I get about 2k to 4k http > log entries per minute. Now (24h later) i only get 10 to 30 log entries per > minute, with punctual spikes of up to 1,5k entries in a minute. > > I know there are no kernel filters as I'm using ZC. Is there an equivalent > in ZC to the normal kernel filters? That would explain this behaviour, as > it's quite similar to what we had back when we discovered the > no-kernel-filters daqvar. > > Thank you very much. > > Regards, > > Jose Vila. > > > > On Mon, Jun 29, 2015 at 10:16 AM, Jose Vila <[email protected]> wrote: > >> Hello Alfredo, >> Thank you very much for the explanation. >> Regards, >> Jose. >> >> On Fri, Jun 26, 2015 at 3:29 PM, Alfredo Cardigliano <[email protected] >>> wrote: >> >>> Hi Jose >>> since kernel is bypassed with ZC, it is not possible to set kernel >>> filters at all, thus no-kernel-filters is not needed. >>> >>> Best Regards >>> Alfredo >>> >>>> On 26 Jun 2015, at 04:17, Jose Vila <[email protected]> wrote: >>>> >>>> Excuse me for reviving this thread. >>>> >>>> I've been using Snort's DAQ module variable no-kernel-filters for a long >>>> time, but recently switched to pfring_zc and got this error: >>>> >>>> FATAL ERROR: Can't initialize DAQ pfring_zc (-1) - >>>> pfring_zc_daq_initialize: unsupported variable(no-kernel-filters=1)#012 >>>> >>>> Why isn't this variable present on the ZC driver ? Am I missing >>> something ? >>>> >>>> Thanks, >>>> >>>> Jose Vila. >>>> >>>> On Wed, Jul 11, 2012 at 12:52 PM, Alfredo Cardigliano < >>> [email protected]> >>>> wrote: >>>> >>>>> Peter >>>>> the rules listed are kernel hash filters added by the DAQ module (you >>> can >>>>> disable them with --daq-var no-kernel-filters) >>>>> every time snort emits a verdict, in order to reduce the amount of >>> traffic >>>>> it has to analyze. >>>>> Those rules are automatically removed when idle for more than 5 minutes >>>>> (you can change the default with --daq-var >>>>> kernel-filters-idle-timeout=<seconds>) >>>>> >>>>> Regards >>>>> Alfredo >>>>> >>>>> On Jul 11, 2012, at 12:39 PM, Peter Bates wrote: >>>>> >>>>>> -----BEGIN PGP SIGNED MESSAGE----- >>>>>> Hash: SHA1 >>>>>> >>>>>> >>>>>> Hello again all >>>>>> >>>>>> On 11/07/2012 10:46, Alfredo Cardigliano wrote: >>>>>>> the BPF filter is not counted as "Sw Filt. Rules" (this only >>>>>>> includes wildcard and hash rules) >>>>>> >>>>>>> BPF Filtering : Enabled # Sw Filt. Rules : 17176 # Hw Filt. >>>>>>> Rules : 0 >>>>>> >>>>>> Okay, so what are the 17176 rules listed? >>>>>> Is this the action of the clustering hashing the packets to the >>>>>> different instances? >>>>>> >>>>>> - -- >>>>>> Peter Bates >>>>>> Senior Computer Security Officer Phone: +44(0)2076792049 >>>>>> Information Services Division Internal Ext: 32049 >>>>>> University College London >>>>>> London WC1E 6BT >>>>>> -----BEGIN PGP SIGNATURE----- >>>>>> Version: GnuPG v2.0.17 (MingW32) >>>>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ >>>>>> >>>>>> iQEcBAEBAgAGBQJP/VfGAAoJELhVoVpEMS6RvxAH/RakX+LbYrzy26eYeZSXDc7s >>>>>> sLDosX2v7E1+C6xn8pXvce91mGqml+niZbK+XJyERMEF+kicD/VGWPML1KsVvEDn >>>>>> FATw4lKrzO3hdKEjvjqga0M5QOM99G1GVdJ6JI+agwBszfBASfobjkBs7L+NhTlU >>>>>> mEi3pox0JnN9qGeZ3g6JW1zGur2nkGKQu1H4Dlfa014XHQNnTAgahgSrHTRnAoRX >>>>>> uzK6A2khtssQFPx0X9m/2GjOADc//8xxpt/swhy9nDKmChf3npfcQe36FldCYMdf >>>>>> 7w2lg4uepYJUFGeik4sXv65pkQjx1yGhc4CSoeNz9IdtmpJtmq9N05qd3y6LAdI= >>>>>> =RwA7 >>>>>> -----END PGP SIGNATURE----- >>>>>> >>>>>> _______________________________________________ >>>>>> Ntop-misc mailing list >>>>>> [email protected] >>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc >>>>> >>>>> _______________________________________________ >>>>> Ntop-misc mailing list >>>>> [email protected] >>>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc >>>>> >>>> _______________________________________________ >>>> Ntop-misc mailing list >>>> [email protected] >>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc >>> >>> >>> _______________________________________________ >>> Ntop-misc mailing list >>> [email protected] >>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc >>> >> >> > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
