Hello everyone, please help me.
I run Suricata in IPS mode using AF_PACKET, but when I run Suricata it only blocks some attacks. Why does this happen?
File suricata.yaml:
af-packet:
  - interface: eth0
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: eth1
    buffer-size: 64535
    use-mmap: yes
  - interface: eth1
    threads: 1
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes
Suricata running:
sudo suricata -c /etc/suricata/suricata.yaml --af-packet -v
Suricata output (screenshot)
Suricata rules (screenshot)
vjulien (Victor Julien), July 28, 2024, 5:53am
Screenshot shows a tcp rule, but a udp test?
Can you show your suricata stats.log output?
Yes, I did an attack using a SYN flood, but I want to test it as a legitimate user sending packets to the target, and I found my QoS measurements are still bad. What should I do? I want to know the QoS measurements (throughput, delay, packet loss) after implementing IPS Suricata; in my opinion, after implementing IPS Suricata my QoS measurements would be better than before implementing it, but apparently not.
Actually, I am simulating QoS measurements during an attack and during an attack with IPS applied.
Please help me.
Please provide the stats.log as previously mentioned.
Please wait, I will share it.
I can’t send the file because it’s too big, but I attached the following image. I’m really waiting for your help, because I really need it.
This is what my test log looks like today, but the problem is still the same.
In this log, I use rules to drop ICMP.
Date: 7/30/2024 -- 17:51:06 (uptime: 0d, 02h 12m 39s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
ips.accepted | Total | 35767149
ips.blocked | Total | 95206
ips.drop_reason.flow_drop | Total | 91421
ips.drop_reason.rules | Total | 2639
ips.drop_reason.stream_error | Total | 102
ips.drop_reason.stream_midstream | Total | 43
ips.drop_reason.tunnel_packet_drop | Total | 1001
capture.kernel_packets | Total | 42651683
capture.kernel_drops | Total | 6789571
capture.afpacket.busy_loop_avg | Total | 1
capture.afpacket.polls | Total | 25857
capture.afpacket.poll_timeout | Total | 301
capture.afpacket.poll_data | Total | 25556
capture.afpacket.send_errors | Total | 614310
decoder.pkts | Total | 35862355
decoder.bytes | Total | 13281945047
decoder.invalid | Total | 614310
decoder.ipv4 | Total | 18811147
decoder.ipv6 | Total | 2840138
decoder.ethernet | Total | 35862355
decoder.arp | Total | 248892
decoder.unknown_ethertype | Total | 13963179
decoder.tcp | Total | 132231
tcp.syn | Total | 77
tcp.synack | Total | 2499
tcp.rst | Total | 26627
decoder.udp | Total | 20804947
decoder.icmpv4 | Total | 69405
decoder.icmpv6 | Total | 1164
decoder.avg_pkt_size | Total | 370
decoder.max_pkt_size | Total | 1530
tcp.active_sessions | Total | 1
flow.total | Total | 1095
flow.active | Total | 133
flow.tcp | Total | 91
flow.udp | Total | 654
flow.icmpv4 | Total | 10
flow.icmpv6 | Total | 340
flow.tcp_reuse | Total | 1
flow.wrk.spare_sync_avg | Total | 100
flow.wrk.spare_sync | Total | 13
defrag.ipv4.fragments | Total | 3280
defrag.ipv4.reassembled | Total | 1001
decoder.event.ipv4.trunc_pkt | Total | 614310
decoder.event.ipv4.opt_pad_required | Total | 25948
decoder.event.ipv6.zero_len_padn | Total | 623
decoder.event.ipv4.frag_overlap | Total | 759
flow.wrk.flows_evicted_needs_work | Total | 17
flow.wrk.flows_evicted_pkt_inject | Total | 30
flow.wrk.flows_evicted | Total | 21
flow.wrk.flows_injected | Total | 17
flow.wrk.flows_injected_max | Total | 1
tcp.sessions | Total | 48
tcp.ssn_from_cache | Total | 15
tcp.ssn_from_pool | Total | 33
tcp.invalid_checksum | Total | 26
tcp.pkt_on_wrong_thread | Total | 33
tcp.ack_unseen_data | Total | 102
tcp.segment_from_cache | Total | 247
tcp.segment_from_pool | Total | 206
tcp.reassembly_gap | Total | 129
tcp.overlap | Total | 45
detect.alert | Total | 2641
app_layer.flow.http | Total | 13
app_layer.tx.http | Total | 14
app_layer.flow.dhcp | Total | 9
app_layer.tx.dhcp | Total | 16507933
app_layer.flow.failed_tcp | Total | 9
app_layer.flow.dns_udp | Total | 447
app_layer.tx.dns_udp | Total | 173579
app_layer.flow.failed_udp | Total | 198
flow.end.state.new | Total | 720
flow.end.state.established | Total | 217
flow.end.state.closed | Total | 25
flow.end.tcp_state.syn_sent | Total | 12
flow.end.tcp_state.syn_recv | Total | 1
flow.end.tcp_state.established | Total | 5
flow.end.tcp_state.fin_wait2 | Total | 1
flow.end.tcp_state.time_wait | Total | 2
flow.end.tcp_state.close_wait | Total | 3
flow.end.tcp_state.closed | Total | 23
flow.end.tcp_liberal | Total | 5
flow.mgr.full_hash_pass | Total | 786
flow.mgr.rows_per_sec | Total | 6553
flow.spare | Total | 9641
flow.mgr.rows_maxlen | Total | 1
flow.mgr.flows_checked | Total | 5173
flow.mgr.flows_notimeout | Total | 4216
flow.mgr.flows_timeout | Total | 957
flow.mgr.flows_evicted | Total | 958
flow.mgr.flows_evicted_needs_work | Total | 17
memcap_pressure | Total | 5
memcap_pressure_max | Total | 5
flow.recycler.recycled | Total | 941
flow.recycler.queue_max | Total | 5
tcp.memuse | Total | 2424832
tcp.reassembly_memuse | Total | 464896
http.memuse | Total | 628
flow.memuse | Total | 7154304
decoder.unknown_ethertypes is pretty high – ~30%. Is that expected?
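An added example, not code from the thread or from the Suricata project: a small Python parser for the stats.log table format posted above, which derives the ratios a reviewer checks first on an af-packet IPS sensor (the kernel drop rate, the unknown_ethertype share asked about in the last reply, how many blocks actually came from rules, and whether send_errors line up with truncated packets). The sample data is an excerpt of the counters posted in the thread; the alert thresholds are my own assumption, not Suricata defaults.

```python
import re
# Excerpt of the stats.log values posted above (most counters omitted for brevity).
SAMPLE_STATS = """\
Date: 7/30/2024 -- 17:51:06 (uptime: 0d, 02h 12m 39s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
ips.blocked | Total | 95206
ips.drop_reason.rules | Total | 2639
capture.kernel_packets | Total | 42651683
capture.kernel_drops | Total | 6789571
capture.afpacket.send_errors | Total | 614310
decoder.pkts | Total | 35862355
decoder.unknown_ethertype | Total | 13963179
decoder.event.ipv4.trunc_pkt | Total | 614310
"""

# "counter | thread name | integer value"; header and dashed rule lines do not match.
LINE_RE = re.compile(r"^\s*([\w.]+)\s*\|\s*([^|]+?)\s*\|\s*(\d+)\s*$")

# Illustrative thresholds (an assumption for this example, not Suricata defaults).
THRESHOLDS = {"kernel_drop_rate": 0.01, "unknown_ethertype_share": 0.05}

def parse_stats(text):
    """Return {counter: value} for the newest table in a stats.log dump."""
    counters = {}
    for line in text.splitlines():
        if line.startswith("Date:"):
            counters = {}  # stats.log appends one table per interval; keep only the last
            continue
        m = LINE_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(3))
    return counters

def ratio(counters, num, den):
    d = counters.get(den, 0)
    return counters.get(num, 0) / d if d else 0.0

def health_report(counters):
    """Derive the ratios worth checking first on an af-packet IPS sensor."""
    report = {
        "kernel_drop_rate": ratio(counters, "capture.kernel_drops", "capture.kernel_packets"),
        "unknown_ethertype_share": ratio(counters, "decoder.unknown_ethertype", "decoder.pkts"),
        "rule_drop_share_of_blocked": ratio(counters, "ips.drop_reason.rules", "ips.blocked"),
        # Equal send_errors and trunc_pkt counts point at truncated frames the decoder
        # rejected, rather than at a problem with the copy-iface itself.
        "send_errors_match_truncated": counters.get("capture.afpacket.send_errors") == counters.get("decoder.event.ipv4.trunc_pkt"),
    }
    report["findings"] = [k for k, t in THRESHOLDS.items() if report[k] > t]
    return report
```

Running it on the posted excerpt reports a kernel drop rate of about 16% and an unknown_ethertype share of about 39%, both flagged, and shows that only about 2.8% of the blocked packets came from rules.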