Suricata - strange kernel drop situation

Help
1

Hi!

Maybe this is gonna be a long post, sorry for that.

This is my setup:

A - Suricata monitoring 3 interfaces (port-mirror from the core switch).
B- 1 monitor WAN and the other 2 monitors LAN (two firewall interfaces).

After some testing, I noticed that having Suricata configured with the WAN and 1 of the LAN interfaces (via AF-Packet) the “kernel_drop” count is equal to 0.

sem_enp3s0f1
sem_enp3s0f11404×244 90.7 KB

Next, if I disable the WAN interface and configure Suricata with the two LAN interfaces, the “kernel_drop” count is 0 too.

com_enp3s0f1_sem enp2s0f1
com_enp3s0f1_sem enp2s0f11414×218 78.9 KB

NOTE: these tests were with the same config

If I enable all 3 interfaces at once, my “kernel_drop” count starts rising after some minutes. I tried everything from “ring-size”, “max-pending-packets”, “cpu-affinity”, “stream memcap”. I just can’t have 0 drops with the 3 interfaces activated.

Do you guys have any idea why this is happening?

Thanks in advance

2

** UPDATE **

Some drops with the second case (Two LAN interfaces activated)

Screenshot 2021-05-19 at 22.46.24
Screenshot 2021-05-19 at 22.46.241388×216 79.3 KB

After some hours, i have about 0.7% of drops with the two LAN interfaces. NOTE: if i configure Suricata with one of this LAN interfaces and the WAN interface i have 0% of drops. Maybe the most recent LAN interface has some broken config (like MTU for example).

So, the conclusion is, only one of the LAN interfaces contributes for the rising of “kernel_drops”

3

Please provide us some more details about your setup:

  • Suricata version and configuration
  • Hardware used
  • Traffic Rate

There are also some tuning recommendations:

https://suricata.readthedocs.io/en/latest/performance/index.html