Status: Closed (dougburks closed this issue 4 years ago)
List of packages to be tested:
An overview of the testing process can be found in the comments below.
Please record all testing results via comments on this issue.
Thanks in advance for your time and effort!
How To Start Testing
install the current 16.04 ISO image
snapshot the VM if possible
add the test PPA:
sudo add-apt-repository -y ppa:securityonion/test
update:
sudo soup
Review the Suricata documentation above and the new logic in https://github.com/Security-Onion-Solutions/securityonion-sostat/commit/6e8ec9216cd52b873d903a47eed867450a18368c.
Run Setup and configure for Suricata and 1 worker.
After Setup completes, run sudo sostat and verify that the Suricata section shows zero packet loss.
Create lots of traffic to induce packet loss. Run sudo sostat and verify the Suricata section now shows packet loss.
Switch from AF_PACKET to PF_RING by commenting out the SURICATA_CAPTURE="af-packet" line in /etc/nsm/HOSTNAME-INTERFACE/sensor.conf and then restart Suricata:
sudo so-nids-restart
Run sudo sostat and verify the Suricata section shows no packet loss.
Create lots of traffic to induce packet loss. Run sudo sostat and verify the Suricata section now shows packet loss.
Tested Good!!
I was able to generate the below packet loss:
Suricata Packet loss with AF_PACKET: 5.9%
Suricata Packet loss with PF_RING: 10%
Thanks @bryant-treacle !
Tested Good.
I ran through testing with 0% packet loss using AF_PACKET and PF_RING.
From https://suricata.readthedocs.io/en/suricata-4.1.8/performance/statistics.html#kernel-drops:
So the packet loss calculation should determine if we are using AF_PACKET or PF_RING and calculate accordingly.
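The two checks this thread exercises are (1) which capture method a sensor is running, decided by whether the SURICATA_CAPTURE="af-packet" line in sensor.conf is active or commented out, and (2) a packet-loss figure derived from Suricata's capture.kernel_packets / capture.kernel_drops counters. The script below is an added example and is not sostat's code or the logic from the linked commit. It assumes the stats.log file path and sensor.conf path are placeholders, that an absent or commented-out SURICATA_CAPTURE line means PF_RING (as the test steps above describe), and it uses the plain drops/packets ratio for both modes; the mode-specific adjustment the comment above refers to is not reproduced here. The sensor.conf and stats.log contents are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example, not sostat's own code. Detects the Suricata capture method from a
# sensor.conf and computes a packet-loss percentage from stats.log counters.

# Print "af-packet" or "pf-ring" for the given sensor.conf.
# Assumption: only an uncommented SURICATA_CAPTURE="af-packet" line selects AF_PACKET;
# anything else (commented out or absent) means the sensor runs PF_RING.
capture_mode() {
    if grep -q '^[[:space:]]*SURICATA_CAPTURE="af-packet"' "$1" 2>/dev/null; then
        echo af-packet
    else
        echo pf-ring
    fi
}

# Return the last "Total" value for a named counter in a Suricata stats.log.
# stats.log lines look like: capture.kernel_drops | Total | 1180
stat_total() {
    awk -v name="$2" '$1 == name && $3 == "Total" { v = $5 } END { print v + 0 }' "$1"
}

# Packet loss as a percentage with one decimal: drops / packets seen by the kernel.
# Constructed formula for this example; sostat's per-mode calculation is not reproduced.
drop_pct() {
    packets=$(stat_total "$1" capture.kernel_packets)
    drops=$(stat_total "$1" capture.kernel_drops)
    awk -v d="$drops" -v p="$packets" \
        'BEGIN { if (p == 0) print "0.0"; else printf "%.1f\n", d * 100 / p }'
}

# One line in the style of a sostat section: capture method plus loss figure.
report() {
    printf 'Suricata capture=%s packet_loss=%s%%\n' "$(capture_mode "$1")" "$(drop_pct "$2")"
}

# Constructed sample input (not real sensor output), written to a temp dir so this runs offline.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf 'SURICATA_CAPTURE="af-packet"\n' > "$TMP/sensor.conf.afpacket"
printf '#SURICATA_CAPTURE="af-packet"\n' > "$TMP/sensor.conf.pfring"
cat > "$TMP/stats.lossy" <<'EOF'
capture.kernel_packets                        | Total                     | 20000
capture.kernel_drops                          | Total                     | 1180
EOF
cat > "$TMP/stats.clean" <<'EOF'
capture.kernel_packets                        | Total                     | 20000
capture.kernel_drops                          | Total                     | 0
EOF

report "$TMP/sensor.conf.afpacket" "$TMP/stats.clean"   # Suricata capture=af-packet packet_loss=0.0%
report "$TMP/sensor.conf.afpacket" "$TMP/stats.lossy"   # Suricata capture=af-packet packet_loss=5.9%
report "$TMP/sensor.conf.pfring"   "$TMP/stats.lossy"   # Suricata capture=pf-ring packet_loss=5.9%
```

The first report line corresponds to the "verify zero packet loss" step and the second to the "induce packet loss and verify it shows" step; swapping the sensor.conf sample mirrors the comment-out step that moves the sensor from AF_PACKET to PF_RING.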