sostat: fix Suricata AF_PACKET packet loss calculation

Security-Onion-Solutions / security-onion

Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management

https://securityonion.net

3.07k stars 522 forks source link

sostat: fix Suricata AF_PACKET packet loss calculation #1774

Closed dougburks closed 4 years ago

dougburks commented 4 years ago

From https://suricata.readthedocs.io/en/suricata-4.1.8/performance/statistics.html#kernel-drops:

stats.log contains interesting information in the capture.kernel_packets and capture.kernel_drops. The meaning of them is different following the capture mode.

In AF_PACKET mode:

kernel_packets is the number of packets correctly sent to userspace
kernel_drops is the number of packets that have been discarded instead of being sent to userspace

In PF_RING mode:

kernel_packets is the total number of packets seen by pf_ring
kernel_drops is the number of packets that have been discarded instead of being sent to userspace

So the packet loss calculation should determine if we are using AF_PACKET or PF_RING and calculate accordingly.

dougburks commented 4 years ago

List of packages to be tested:

securityonion-sostat - 20120722-0ubuntu0securityonion145

An overview of the testing process can be found in the comments below.

Please record all testing results via comments on this issue.

Thanks in advance for your time effort!

dougburks commented 4 years ago

How To Start Testing

install the current 16.04 ISO image
snapshot the VM if possible

add the test PPA:

sudo add-apt-repository -y ppa:securityonion/test

update:
```
sudo soup
```

dougburks commented 4 years ago

Review the Suricata documentation above and the new logic in https://github.com/Security-Onion-Solutions/securityonion-sostat/commit/6e8ec9216cd52b873d903a47eed867450a18368c.
Run Setup and configure for Suricata and 1 worker.
After Setup completes, run sudo sostat and verify that the Suricata section shows zero packet loss.
Create lots of traffic to induce packet loss. Run sudo sostat and verify the Suricata section now shows packet loss.
Switch from AF_PACKET to PF_RING by commenting out the SURICATA_CAPTURE="af-packet" line in /etc/nsm/HOSTNAME-INTERFACE/sensor.conf and then restart Suricata:
```
sudo so-nids-restart
```
Run sudo sostat and verify the Suricata section shows no packet loss.
Create lots of traffic to induce packet loss. Run sudo sostat and verify the Suricata section now shows packet loss.

bryant-treacle commented 4 years ago

Tested Good!!

I was able to generate the below packet loss: Suricata Packet loss with AF_PACKET: 5.9% Suricata Packet loss with PF_RING: 10%

dougburks commented 4 years ago

Thanks @bryant-treacle !

dougburks commented 4 years ago

Published: https://blog.securityonion.net/2020/06/securityonion-sostat-20120722.html

j-bernal commented 4 years ago

Tested Good.

I ran through testing with 0% packet loss using AF_PACKET and PF_RING.