Suricata losts many packets when no rulesets are loaded

wayne · January 16, 2024, 2:42am

Hello team,

I met an issue in our project which is very weird and hard to explain, really need your help here！

We are using suricata 6.0.13 currently, preferring af-packet mode and ET Pro signatures. In our first use case, we were loading no ruleset (empty file suricata.rules ) at all and then replayed pcap files with different speeds and recorded the statistics with suricatasc (unix socket) , when the speed came to 100mbps, turned out Suricata lost about 40% of the packets. After which ET Pro signatures (about 40000+) were loaded we tested 100mbps again, no packets is lost

Is this the design logic in Suricata or am I using it the wrong way? Thanks a lot

This is the configured suricata.yaml (sorry it’s too big to post)
suricata.yaml (76.6 KB)

Andreas_Herz · January 16, 2024, 8:22am

How exactly do you do the pcap replay?

How do you run suricata?

Please post suricata.log and stats.log for both cases.

The drop rate without rules being higher as with rules is not expected.

wayne · January 17, 2024, 6:31am

OK, unfortunately I lost some logs. I got some retest log with loss rate 1% on that platform

Here is the log when no additional rulesets were loaded

17/1/2024 -- 11:26:56 - <Notice> - This is Suricata version 6.0.13 RELEASE running in SYSTEM mode
17/1/2024 -- 11:26:56 - <Info> - CPUs/cores online: 4
17/1/2024 -- 11:26:56 - <Info> - Setting engine mode to IDS mode by default
17/1/2024 -- 11:26:56 - <Config> - app-layer.error-policy: ignore
17/1/2024 -- 11:26:56 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31966 and 'request-body-inspect-window' set to 3960 after randomization.
17/1/2024 -- 11:26:56 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 40567 and 'response-body-inspect-window' set to 15678 after randomization.
17/1/2024 -- 11:26:56 - <Config> - SMB stream depth: 0
17/1/2024 -- 11:26:56 - <Config> - SMB max-read-size: 0
17/1/2024 -- 11:26:56 - <Config> - SMB max-write-size: 0
17/1/2024 -- 11:26:56 - <Config> - SMB max-write-queue-size: 0
17/1/2024 -- 11:26:56 - <Config> - SMB max-write-queue-cnt: 0
17/1/2024 -- 11:26:56 - <Config> - SMB max-read-queue-size: 0
17/1/2024 -- 11:26:56 - <Config> - SMB max-read-queue-cnt: 0
17/1/2024 -- 11:26:56 - <Config> - read: max record size: 0, max queued chunks 0, max queued size 0
17/1/2024 -- 11:26:56 - <Config> - write: max record size: 0, max queued chunks 0, max queued size 0
17/1/2024 -- 11:26:56 - <Config> - Protocol detection and parser disabled for modbus protocol.
17/1/2024 -- 11:26:56 - <Config> - Protocol detection and parser disabled for enip protocol.
17/1/2024 -- 11:26:56 - <Config> - Protocol detection and parser disabled for DNP3.
17/1/2024 -- 11:26:56 - <Info> - Found an MTU of 9000 for 'eno3'
17/1/2024 -- 11:26:56 - <Info> - Found an MTU of 9000 for 'eno3'
17/1/2024 -- 11:26:56 - <Info> - Use pid file /var/run/suricata.pid from config file.
17/1/2024 -- 11:26:56 - <Error> - [ERRCODE: SC_ERR_PIDFILE_OPEN(152)] - unable to set pidfile '/var/run/suricata.pid': Permission denied
17/1/2024 -- 11:26:56 - <Error> - [ERRCODE: SC_ERR_PIDFILE_DAEMON(154)] - Unable to create PID file, concurrent run of Suricata can occur.
17/1/2024 -- 11:26:56 - <Error> - [ERRCODE: SC_ERR_PIDFILE_DAEMON(154)] - PID file creation WILL be mandatory for daemon mode in future version
17/1/2024 -- 11:26:56 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
17/1/2024 -- 11:26:56 - <Config> - preallocated 1000 hosts of size 136
17/1/2024 -- 11:26:56 - <Config> - host memory usage: 398144 bytes, maximum: 33554432
17/1/2024 -- 11:26:56 - <Config> - Core dump size is unlimited.
17/1/2024 -- 11:26:56 - <Config> - defrag.memcap-policy: ignore
17/1/2024 -- 11:26:56 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
17/1/2024 -- 11:26:56 - <Config> - preallocated 65535 defrag trackers of size 160
17/1/2024 -- 11:26:56 - <Config> - defrag memory usage: 14155616 bytes, maximum: 209715200
17/1/2024 -- 11:26:56 - <Config> - flow.memcap-policy: ignore
17/1/2024 -- 11:26:56 - <Config> - flow size 320, memcap allows for 1677721 flows. Per hash row in perfect conditions 25
17/1/2024 -- 11:26:56 - <Config> - stream "prealloc-sessions": 2048 (per thread)
17/1/2024 -- 11:26:56 - <Config> - stream "memcap": 268435456
17/1/2024 -- 11:26:56 - <Config> - stream "midstream" session pickups: disabled
17/1/2024 -- 11:26:56 - <Config> - stream "async-oneside": disabled
17/1/2024 -- 11:26:56 - <Config> - stream "checksum-validation": enabled
17/1/2024 -- 11:26:56 - <Config> - stream.memcap-policy: ignore
17/1/2024 -- 11:26:56 - <Config> - stream.reassembly.memcap-policy: ignore
17/1/2024 -- 11:26:56 - <Config> - memcap-policy: 0/0
17/1/2024 -- 11:26:56 - <Config> - stream.midstream-policy: ignore
17/1/2024 -- 11:26:56 - <Config> - stream."inline": enabled
17/1/2024 -- 11:26:56 - <Config> - stream "bypass": disabled
17/1/2024 -- 11:26:56 - <Config> - stream "max-synack-queued": 5
17/1/2024 -- 11:26:56 - <Config> - stream.reassembly "memcap": 268435456
17/1/2024 -- 11:26:56 - <Config> - stream.reassembly "depth": 1048576
17/1/2024 -- 11:26:56 - <Config> - stream.reassembly "toserver-chunk-size": 2578
17/1/2024 -- 11:26:56 - <Config> - stream.reassembly "toclient-chunk-size": 2681
17/1/2024 -- 11:26:56 - <Config> - stream.reassembly.raw: enabled
17/1/2024 -- 11:26:56 - <Config> - stream.liberal-timestamps: disabled
17/1/2024 -- 11:26:56 - <Config> - stream.reassembly "segment-prealloc": 2048
17/1/2024 -- 11:26:56 - <Info> - eve-log output device (regular) initialized: suricata_event.json
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'alert'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'anomaly'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'http'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'dns'
17/1/2024 -- 11:26:56 - <Config> - eve-log dns version not set, defaulting to version 2
17/1/2024 -- 11:26:56 - <Config> - eve-log dns version not set, defaulting to version 2
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'tls'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'files'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'smtp'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'ftp'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'rdp'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'nfs'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'smb'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'tftp'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'ikev2'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'dcerpc'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'krb5'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'snmp'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'rfb'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'sip'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'dhcp'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'ssh'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'mqtt'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'stats'
17/1/2024 -- 11:26:56 - <Config> - enabling 'eve-log' module 'flow'
17/1/2024 -- 11:26:56 - <Info> - stats output device (regular) initialized: stats.log
17/1/2024 -- 11:26:56 - <Config> - dataset: Domain-CDC-Rep loading from '/opt/suricata/etc/suricata/rules/TI/Domain_Rep_CDC.lst'
17/1/2024 -- 11:26:56 - <Config> - dataset: Domain-CDC-Rep loaded 0 records
17/1/2024 -- 11:26:56 - <Config> - Delayed detect disabled
17/1/2024 -- 11:26:56 - <Config> - pattern matchers: MPM: ac, SPM: bm
17/1/2024 -- 11:26:56 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
17/1/2024 -- 11:26:56 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
17/1/2024 -- 11:26:56 - <Config> - prefilter engines: MPM
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_uri
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_uri
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_raw_uri
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_raw_uri
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_request_line
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_client_body
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_response_line
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_header
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_header
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_header
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_header
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_header_names
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_header_names
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_header_names
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_header_names
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_accept
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_accept
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_accept_enc
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_accept_enc
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_accept_lang
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_accept_lang
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_referer
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_referer
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_connection
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_connection
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_content_len
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_content_len
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_content_len
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_content_len
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_content_type
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_content_type
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_content_type
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_content_type
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http.server
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http.server
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http.location
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http.location
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_protocol
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_protocol
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_start
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_start
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_raw_header
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_raw_header
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_raw_header
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_raw_header
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_method
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_method
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_cookie
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_cookie
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_cookie
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_cookie
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.name
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.name
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.name
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.name
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.name
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.name
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.name
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.name
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.name
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.name
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.name
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.magic
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.magic
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.magic
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.magic
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.magic
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.magic
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.magic
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.magic
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.magic
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.magic
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file.magic
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_user_agent
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_user_agent
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_host
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_host
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_raw_host
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_raw_host
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_stat_msg
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_stat_code
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http_stat_code
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http2_header_name
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http2_header_name
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http2_header
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for http2_header
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for dns_query
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for dnp3_data
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for dnp3_data
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for tls.sni
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for tls.cert_issuer
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for tls.cert_subject
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for tls.cert_serial
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for tls.cert_fingerprint
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for tls.certs
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for ja3.hash
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for ja3.string
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for ja3s.hash
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for ja3s.string
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for dce_stub_data
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for dce_stub_data
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for dce_stub_data
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for dce_stub_data
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for smb_named_pipe
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for smb_share
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for ssh.proto
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for ssh.proto
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for ssh_software
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for ssh_software
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for ssh.hassh
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for ssh.hassh.server
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for ssh.hassh.string
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for ssh.hassh.server.string
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file_data
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file_data
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file_data
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file_data
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file_data
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for file_data
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for krb5_cname
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for krb5_sname
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for sip.method
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for sip.uri
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for sip.protocol
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for sip.protocol
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for sip.method
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for sip.stat_msg
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for sip.request_line
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for sip.response_line
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for rfb.name
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for snmp.community
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for snmp.community
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for mqtt.connect.clientid
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for mqtt.connect.username
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for mqtt.connect.password
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for mqtt.connect.willtopic
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for mqtt.connect.willmessage
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for mqtt.publish.topic
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for mqtt.publish.message
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for mqtt.subscribe.topic
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for mqtt.unsubscribe.topic
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for icmpv4.hdr
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for tcp.hdr
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for udp.hdr
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for icmpv6.hdr
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for ipv4.hdr
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for ipv6.hdr
17/1/2024 -- 11:26:56 - <Info> - Loading reputation file: /opt/suricata/etc/suricata/rules/TI/IP_Rep_CDC.lst
17/1/2024 -- 11:26:56 - <Perf> - host memory usage: 398144 bytes, maximum: 33554432
17/1/2024 -- 11:26:56 - <Config> - Loading rule file: /opt/suricata/etc/suricata/rules/suricata.rules
17/1/2024 -- 11:26:56 - <Config> - No rules loaded from suricata.rules.
17/1/2024 -- 11:26:56 - <Config> - Loading rule file: /opt/suricata/etc/suricata/rules/suricata_ti.rules
17/1/2024 -- 11:26:56 - <Info> - 2 rule files processed. 2 rules successfully loaded, 0 rules failed
17/1/2024 -- 11:26:56 - <Info> - Threshold config parsed: 0 rule(s) found
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for tcp-packet
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for tcp-stream
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for udp-packet
17/1/2024 -- 11:26:56 - <Perf> - using shared mpm ctx' for other-ip
17/1/2024 -- 11:26:56 - <Info> - 2 signatures processed. 1 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only
17/1/2024 -- 11:26:56 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
17/1/2024 -- 11:26:56 - <Perf> - TCP toserver: 1 port groups, 1 unique SGH's, 0 copies
17/1/2024 -- 11:26:56 - <Perf> - TCP toclient: 0 port groups, 0 unique SGH's, 0 copies
17/1/2024 -- 11:26:56 - <Perf> - UDP toserver: 1 port groups, 1 unique SGH's, 0 copies
17/1/2024 -- 11:26:56 - <Perf> - UDP toclient: 0 port groups, 0 unique SGH's, 0 copies
17/1/2024 -- 11:26:56 - <Perf> - OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
17/1/2024 -- 11:26:56 - <Perf> - OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
17/1/2024 -- 11:26:56 - <Perf> - Unique rule groups: 2
17/1/2024 -- 11:26:56 - <Perf> - Builtin MPM "toserver TCP packet": 0
17/1/2024 -- 11:26:56 - <Perf> - Builtin MPM "toclient TCP packet": 0
17/1/2024 -- 11:26:56 - <Perf> - Builtin MPM "toserver TCP stream": 0
17/1/2024 -- 11:26:56 - <Perf> - Builtin MPM "toclient TCP stream": 0
17/1/2024 -- 11:26:56 - <Perf> - Builtin MPM "toserver UDP packet": 0
17/1/2024 -- 11:26:56 - <Perf> - Builtin MPM "toclient UDP packet": 0
17/1/2024 -- 11:26:56 - <Perf> - Builtin MPM "other IP packet": 0
17/1/2024 -- 11:26:56 - <Config> - Enabling tpacket v3 capture on iface eno3
17/1/2024 -- 11:26:56 - <Perf> - eno3: disabling gro offloading
17/1/2024 -- 11:26:56 - <Perf> - eno3: disabling tso offloading
17/1/2024 -- 11:26:56 - <Perf> - eno3: disabling gso offloading
17/1/2024 -- 11:26:56 - <Perf> - eno3: disabling sg offloading
17/1/2024 -- 11:26:56 - <Config> - eno3: enabling zero copy mode by using data release call
17/1/2024 -- 11:26:56 - <Info> - Going to use 4 thread(s)
17/1/2024 -- 11:26:57 - <Config> - using 1 flow manager threads
17/1/2024 -- 11:26:57 - <Config> - using 1 flow recycler threads
17/1/2024 -- 11:26:57 - <Info> - Using unix socket file '/opt/suricata/var/run/suricata/suricata-command.socket'
17/1/2024 -- 11:26:57 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
17/1/2024 -- 11:26:57 - <Perf> - AF_PACKET V3 RX Ring params: block_size=32768 block_nr=2501 frame_size=9120 frame_nr=7503 (mem: 81952768)
17/1/2024 -- 11:26:58 - <Perf> - AF_PACKET V3 RX Ring params: block_size=32768 block_nr=2501 frame_size=9120 frame_nr=7503 (mem: 81952768)
17/1/2024 -- 11:26:58 - <Perf> - AF_PACKET V3 RX Ring params: block_size=32768 block_nr=2501 frame_size=9120 frame_nr=7503 (mem: 81952768)
17/1/2024 -- 11:26:58 - <Perf> - AF_PACKET V3 RX Ring params: block_size=32768 block_nr=2501 frame_size=9120 frame_nr=7503 (mem: 81952768)
17/1/2024 -- 11:26:58 - <Info> - All AFP capture threads are running.

final part of the stats.log

------------------------------------------------------------------------------------
Date: 1/17/2024 -- 14:16:58 (uptime: 0d, 02h 50m 02s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 72436260
capture.kernel_drops                          | Total                     | 695465
decoder.pkts                                  | Total                     | 71740795
decoder.bytes                                 | Total                     | 20945030549
decoder.ipv4                                  | Total                     | 61985836
decoder.ipv6                                  | Total                     | 163755
decoder.ethernet                              | Total                     | 71740795
decoder.tcp                                   | Total                     | 44637830
tcp.syn                                       | Total                     | 555597
tcp.synack                                    | Total                     | 92170
tcp.rst                                       | Total                     | 205019
decoder.udp                                   | Total                     | 14840172
decoder.icmpv4                                | Total                     | 2533535
decoder.icmpv6                                | Total                     | 54930
decoder.vlan                                  | Total                     | 7218972
decoder.avg_pkt_size                          | Total                     | 291
decoder.max_pkt_size                          | Total                     | 8998
flow.tcp                                      | Total                     | 210460
flow.udp                                      | Total                     | 409798
flow.icmpv4                                   | Total                     | 378
flow.icmpv6                                   | Total                     | 909
flow.tcp_reuse                                | Total                     | 16016
flow.wrk.spare_sync_avg                       | Total                     | 100
flow.wrk.spare_sync                           | Total                     | 3530
decoder.event.ipv4.opt_pad_required           | Total                     | 2853
decoder.event.ipv6.zero_len_padn              | Total                     | 1584
flow.wrk.flows_evicted_needs_work             | Total                     | 12401
flow.wrk.flows_evicted_pkt_inject             | Total                     | 23731
flow.wrk.flows_evicted                        | Total                     | 262238
flow.wrk.flows_injected                       | Total                     | 9768
tcp.sessions                                  | Total                     | 181748
tcp.pseudo                                    | Total                     | 5472
tcp.invalid_checksum                          | Total                     | 2130538
tcp.stream_depth_reached                      | Total                     | 13
tcp.reassembly_gap                            | Total                     | 20639
tcp.overlap                                   | Total                     | 60796
tcp.overlap_diff_data                         | Total                     | 1
tcp.insert_list_fail                          | Total                     | 2312
app_layer.flow.http                           | Total                     | 10059
app_layer.tx.http                             | Total                     | 15094
app_layer.flow.tls                            | Total                     | 5510
app_layer.flow.ssh                            | Total                     | 322
app_layer.flow.smb                            | Total                     | 1477
app_layer.tx.smb                              | Total                     | 63437
app_layer.flow.dcerpc_tcp                     | Total                     | 1155
app_layer.tx.dcerpc_tcp                       | Total                     | 4522
app_layer.flow.dns_tcp                        | Total                     | 262
app_layer.tx.dns_tcp                          | Total                     | 537
app_layer.flow.ntp                            | Total                     | 224
app_layer.tx.ntp                              | Total                     | 9675
app_layer.flow.krb5_tcp                       | Total                     | 786
app_layer.tx.krb5_tcp                         | Total                     | 711
app_layer.flow.dhcp                           | Total                     | 2705
app_layer.tx.dhcp                             | Total                     | 56923
app_layer.flow.snmp                           | Total                     | 75
app_layer.tx.snmp                             | Total                     | 1139760
app_layer.flow.rdp                            | Total                     | 10
app_layer.tx.rdp                              | Total                     | 30
app_layer.flow.failed_tcp                     | Total                     | 8552
app_layer.flow.dcerpc_udp                     | Total                     | 544
app_layer.tx.dcerpc_udp                       | Total                     | 18891
app_layer.flow.dns_udp                        | Total                     | 37723
app_layer.tx.dns_udp                          | Total                     | 269255
app_layer.flow.failed_udp                     | Total                     | 368527
flow.mgr.full_hash_pass                       | Total                     | 43
flow.spare                                    | Total                     | 11005
flow.mgr.rows_maxlen                          | Total                     | 6
flow.mgr.flows_checked                        | Total                     | 465960
flow.mgr.flows_notimeout                      | Total                     | 156162
flow.mgr.flows_timeout                        | Total                     | 309798
flow.mgr.flows_evicted                        | Total                     | 359307
flow.mgr.flows_evicted_needs_work             | Total                     | 9768
tcp.memuse                                    | Total                     | 2424832
tcp.reassembly_memuse                         | Total                     | 393216
flow.memuse                                   | Total                     | 7971264

wayne · January 17, 2024, 6:38am

I run Suricata with /opt/suricata/bin/suricata --af-packet=eno3 -c /opt/suricata/etc/suricata/suricata.yaml in the docker container, the memory limitation is 4GB, unlimited cpu (4 cores)

Replay the traffic with tcpreplay -i eno3 -M 100 /opt/ssm/02_PerformanceTest_V2.3/OnsitePcap/01_HR_sensor02.pcap on the other machine which is directed connected with ethernet cable

Andreas_Herz · February 28, 2024, 8:18pm

In the logs you can see that there are permission denied messages but also that potentially a second instance is running. Can you post htop and perf top -p $(pidof suricata) output when the high drop rate occurs live?

Topic		Replies	Views
Suricata 6.0.1 high packet loss Help	16	3435	March 4, 2021
Kernel Drops and Optimization Recommendations Help	6	1792	June 29, 2021
Packets dropping or not Help	1	317	September 9, 2021
Suricata 7.0.0 IPS AF_Packet+RSS huge drop in performance Help	10	662	August 30, 2023
Http.log failed to log all http\s events	7	537	February 21, 2023

Suricata losts many packets when no rulesets are loaded

Related Topics