Netgate Discussion Forum

    Suricata 2.1.5 Update – Release Notes

    IDS/IPS
    23 Posts 10 Posters 7.0k Views
    • bmeeks

      Suricata 2.1.5 Update

      A new Suricata package update has been posted.  This updates the underlying Suricata PBI binary package to v2.0.8_1. The GUI package is updated to v2.1.5.

      New Features
      1.  Support for PPPoE connections was backported from the 2.1-BETA upstream code base.
      2.  A new retention setting for captured TLS Certs on the LOGS MGMT tab.

      Bug Fixes
      1.  Log retention settings for the LOGS MGMT tab are global data but were being duplicated for each configured Suricata interface.

      • Cino

        Bill thanks for the update! I'm having issues getting Suricata to start up with the new binary. Right off the bat I see an error for one of the rules which I'm going to disable, but the last couple of errors I don't think I've seen before. Any ideas?

        
        14/5/2015 -- 14:20:19 - <notice>-- This is Suricata version 2.0.8 RELEASE
        14/5/2015 -- 14:20:19 - <info>-- CPUs/cores online: 4
        14/5/2015 -- 14:20:20 - <info>-- Live rule reloads enabled
        14/5/2015 -- 14:20:20 - <info>-- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
        14/5/2015 -- 14:20:20 - <info>-- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
        14/5/2015 -- 14:20:20 - <info>-- HTTP memcap: 67108864
        14/5/2015 -- 14:20:20 - <info>-- DNS request flood protection level: 500
        14/5/2015 -- 14:20:20 - <info>-- DNS per flow memcap (state-memcap): 524288
        14/5/2015 -- 14:20:20 - <info>-- DNS global memcap: 16777216
        14/5/2015 -- 14:20:20 - <info>-- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
        14/5/2015 -- 14:20:20 - <info>-- preallocated 65535 defrag trackers of size 136
        14/5/2015 -- 14:20:20 - <info>-- defrag memory usage: 10485624 bytes, maximum: 33554432
        14/5/2015 -- 14:20:20 - <info>-- AutoFP mode using "Active Packets" flow load balancer
        14/5/2015 -- 14:20:21 - <info>-- preallocated 1024 packets. Total memory 3508224
        14/5/2015 -- 14:20:21 - <info>-- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
        14/5/2015 -- 14:20:21 - <info>-- preallocated 1000 hosts of size 80
        14/5/2015 -- 14:20:21 - <info>-- host memory usage: 358144 bytes, maximum: 16777216
        14/5/2015 -- 14:20:21 - <info>-- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
        14/5/2015 -- 14:20:21 - <info>-- preallocated 10000 flows of size 216
        14/5/2015 -- 14:20:21 - <info>-- flow memory usage: 6434304 bytes, maximum: 33554432
        14/5/2015 -- 14:20:21 - <info>-- stream "prealloc-sessions": 32768 (per thread)
        14/5/2015 -- 14:20:21 - <info>-- stream "memcap": 33554432
        14/5/2015 -- 14:20:21 - <info>-- stream "midstream" session pickups: disabled
        14/5/2015 -- 14:20:21 - <info>-- stream "async-oneside": disabled
        14/5/2015 -- 14:20:21 - <info>-- stream "checksum-validation": disabled
        14/5/2015 -- 14:20:21 - <info>-- stream."inline": disabled
        14/5/2015 -- 14:20:21 - <info>-- stream "max-synack-queued": 5
        14/5/2015 -- 14:20:21 - <info>-- stream.reassembly "memcap": 67108864
        14/5/2015 -- 14:20:21 - <info>-- stream.reassembly "depth": 0
        14/5/2015 -- 14:20:21 - <info>-- stream.reassembly "toserver-chunk-size": 2651
        14/5/2015 -- 14:20:21 - <info>-- stream.reassembly "toclient-chunk-size": 2562
        14/5/2015 -- 14:20:21 - <info>-- stream.reassembly.raw: enabled
        14/5/2015 -- 14:20:21 - <info>-- segment pool: pktsize 4, prealloc 256
        14/5/2015 -- 14:20:21 - <info>-- segment pool: pktsize 16, prealloc 512
        14/5/2015 -- 14:20:21 - <info>-- segment pool: pktsize 112, prealloc 512
        14/5/2015 -- 14:20:21 - <info>-- segment pool: pktsize 248, prealloc 512
        14/5/2015 -- 14:20:21 - <info>-- segment pool: pktsize 512, prealloc 512
        14/5/2015 -- 14:20:21 - <info>-- segment pool: pktsize 768, prealloc 1024
        14/5/2015 -- 14:20:21 - <info>-- segment pool: pktsize 1448, prealloc 1024
        14/5/2015 -- 14:20:21 - <info>-- segment pool: pktsize 65535, prealloc 128
        14/5/2015 -- 14:20:21 - <info>-- stream.reassembly "chunk-prealloc": 250
        14/5/2015 -- 14:20:21 - <info>-- IP reputation disabled
        14/5/2015 -- 14:20:21 - <info>-- using magic-file /usr/share/misc/magic
        14/5/2015 -- 14:20:21 - <info>-- Delayed detect disabled
        14/5/2015 -- 14:21:05 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
        14/5/2015 -- 14:21:05 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:4;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_39811_em3/rules/suricata.rules at line 9958
        14/5/2015 -- 14:21:54 - <info>-- 2 rule files processed. 16215 rules successfully loaded, 1 rules failed
        14/5/2015 -- 14:21:55 - <info>-- 16219 signatures processed. 21 are IP-only rules, 6438 are inspecting packet payload, 12961 inspect application layer, 70 are decoder event only
        14/5/2015 -- 14:21:55 - <info>-- building signature grouping structure, stage 1: preprocessing rules... complete
        14/5/2015 -- 14:22:05 - <info>-- building signature grouping structure, stage 2: building source address list... complete
        14/5/2015 -- 14:23:20 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
        14/5/2015 -- 14:23:38 - <warning>-- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2011803, gid 1: unknown rule
        14/5/2015 -- 14:23:39 - <warning>-- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2100498, gid 1: unknown rule
        14/5/2015 -- 14:23:39 - <info>-- Threshold config parsed: 8 rule(s) found
        14/5/2015 -- 14:23:39 - <info>-- Core dump size is unlimited.
        14/5/2015 -- 14:23:39 - <info>-- alert-pf output device (regular) initialized: block.log
        14/5/2015 -- 14:23:39 - <info>-- Pass List /usr/pbi/suricata-amd64/etc/suricata/suricata_39811_em3/passlist parsed: 30 IP addresses loaded.
        14/5/2015 -- 14:23:39 - <info>-- alert-pf output initialized, pf-table=snort2c  block-ip=both  kill-state=on
        14/5/2015 -- 14:23:39 - <info>-- fast output device (regular) initialized: alerts.log
        14/5/2015 -- 14:23:39 - <info>-- Unified2-alert initialized: filename unified2.alert, limit 32 MB
        14/5/2015 -- 14:23:39 - <info>-- http-log output device (regular) initialized: http.log
        14/5/2015 -- 14:23:39 - <info>-- Syslog output initialized
        14/5/2015 -- 14:23:39 - <info>-- Using 1 live device(s).
        14/5/2015 -- 14:23:39 - <info>-- using interface em3
        14/5/2015 -- 14:23:39 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
        14/5/2015 -- 14:23:39 - <info>-- Found an MTU of 1500 for 'em3'
        14/5/2015 -- 14:23:39 - <info>-- Set snaplen to 1516 for 'em3'
        14/5/2015 -- 14:23:40 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
        14/5/2015 -- 14:23:40 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
        14/5/2015 -- 14:23:40 - <info>-- RunModeIdsPcapAutoFp initialised
        14/5/2015 -- 14:23:40 - <error>-- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "Detect6" closed on initialization.
        14/5/2015 -- 14:23:40 - <error>-- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
        
        • bmeeks

          @Cino:

          Bill thanks for the update! I'm having issues getting Suricata to start up with the new binary. Right off the bat I see an error for one of the rules which I'm going to disable, but the last couple of errors I don't think I've seen before. Any ideas?

          Well, the first few errors are associated with that rule it does not like.  One of them, with the PCRE syntax error, is a long-running problem with an ET rule.  The other errors followed from that one.

          The SC_ERR_POOL_INIT error is a new one.  I did not see that in any of my local testing.  Same for the SC_ERR_THREAD_INIT error.  That one seems to be IPv6 related.  There is another user reporting the SC_ERR_POOL_INIT error.

          Bill
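          Both of the things Bill points at in the log (the ET rule whose pcre will not compile, and the two suppress entries for SIDs that are not in the loaded rule set) can be caught before restarting Suricata. The linter below is an added example, not code from this thread or from the pfSense package: it pulls the sid and pcre option out of each rule, tries to compile the pattern, and then cross-checks a pfSense-style threshold.config suppress list against the rules that actually loaded. The sample rules and suppress entries are constructed here; the first rule is sid 2011695 as posted above, trimmed to the options that matter, and sids 9000001 and 9000002 are hypothetical. The `\o` in `\object` is what PCRE reports as the problem, and Python's `re` rejects it for the same reason, but `re` is not PCRE, so a failure from this check means "look at this rule", not "Suricata will reject it".

```python
r"""Lint Suricata rules for pcre options that will not compile, and check a
suppress list against the rules that actually load.

Added example, not code from the forum thread or from the pfSense package.
CAVEAT: Python's re engine is not PCRE.  It rejects "\o" for the same reason
PCRE does (an escape it does not know), but the two engines disagree on
other syntax, so treat a failure here as "needs a look", not as proof.
"""
import re

PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE}
RULE_SID = re.compile(r"\bsid:\s*(\d+)")
RULE_PCRE = re.compile(r'pcre:\s*"!?/(.*)/([A-Za-z]*)";')
SUPPRESS = re.compile(r"^\s*suppress\s+gen_id\s+1\s*,\s*sig_id\s+(\d+)", re.M)


def parse_rules(text):
    """Return [(sid, pcre_body_or_None, pcre_flags)] for each active rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = RULE_SID.search(line)
        if not sid:
            continue
        pcre = RULE_PCRE.search(line)
        rules.append((int(sid.group(1)),
                      pcre.group(1) if pcre else None,
                      pcre.group(2) if pcre else ""))
    return rules


def check_pcre(body, flags):
    """None if Python's re compiles the pattern, else the error message."""
    py_flags = 0
    for f in flags:
        py_flags |= PCRE_FLAGS.get(f, 0)   # PCRE-only flags (R, U, B, ...) ignored
    try:
        re.compile(body, py_flags)
    except re.error as exc:
        return str(exc)
    return None


def parse_suppress(text):
    """sig_ids of the gen_id 1 suppress entries in a threshold.config."""
    return {int(m.group(1)) for m in SUPPRESS.finditer(text)}


def lint(rules_text, threshold_text):
    """Return (bad_pcre, unknown_suppress).

    bad_pcre:         {sid: error} for rules whose pcre does not compile
    unknown_suppress: suppress sig_ids matching no *loaded* rule; a rule that
                      failed to parse counts as not loaded, which is how
                      Suricata reports it ("can't suppress sid ...: unknown rule")
    """
    bad_pcre = {}
    loaded = set()
    for sid, body, flags in parse_rules(rules_text):
        err = check_pcre(body, flags) if body is not None else None
        if err:
            bad_pcre[sid] = err
        else:
            loaded.add(sid)
    return bad_pcre, parse_suppress(threshold_text) - loaded


# Constructed samples.  The first rule is ET sid 2011695 as posted in the
# thread, trimmed to the options that matter; sids 9000001/9000002 are
# hypothetical, 9000001 being the same pcre with the stray backslash removed.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:cve,2010-0255; classtype:attempted-user; sid:2011695; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"HYPOTHETICAL corrected copy of 2011695"; flow:established,to_client; content:"obj"; nocase; pcre:"/(obj.data|object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; classtype:attempted-user; sid:9000001; rev:1;)
alert tcp any any -> any 80 (msg:"HYPOTHETICAL rule without pcre"; content:"GET"; sid:9000002; rev:1;)
'''

SAMPLE_THRESHOLD = '''
# constructed, pfSense-style threshold.config
suppress gen_id 1, sig_id 2011695
suppress gen_id 1, sig_id 2011803
suppress gen_id 1, sig_id 2100498
suppress gen_id 1, sig_id 9000002
'''

if __name__ == "__main__":
    bad, unknown = lint(SAMPLE_RULES, SAMPLE_THRESHOLD)
    for sid, err in sorted(bad.items()):
        print("sid %d: pcre does not compile: %s" % (sid, err))
    for sid in sorted(unknown):
        print("suppress for sid %d matches no loaded rule" % sid)
```

          Run against a real rules file and threshold.config, the second list is the one to act on: every SID it names will produce the same "can't suppress sid ..., gid 1: unknown rule" warning that appears in Cino's log, and a SID whose rule failed to parse lands there too, because Suricata never loaded it.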

          • bmeeks

            I just updated Suricata on another virtual machine.  This time a 32-bit pfSense 2.2.2 box.  No issues with the update.  I don't get the errors above.  I do get an invalid ET rule error, but it's not the error posted earlier and it is valid (that is, the rule is not valid for Suricata).

            The VM I'm testing on only has 2GB of RAM assigned, so with Suricata on the WAN and LAN for testing 74% of the RAM is in use.  The box is thus somewhat loaded up, but still no memory allocation errors.

            Bill

            • dotOne

              I saw the same error during startup, SC_ERR_POOL_INIT and SC_ERR_THREAD_INIT error.
              Could be IPv6 related, I'm using IPv6 on all interfaces. About 45% of all traffic is IPv6.

              To solve I increased 'Stream Memory Cap' to 64 MB.

              André

              • gsiemon

                Seems that someone else had this problem with Suricata 2.0.7 back in March.

                https://lists.openinfosecfoundation.org/pipermail/oisf-users/2015-March/004600.html

                Issue appears to be related to a bug fix in 2.0.7:

                https://redmine.openinfosecfoundation.org/issues/1318

                Recommendation in the mailing list was to reduce the stream.prealloc-sessions variable.  I think this is set under:

                Interfaces - Lan/Flow Stream (Tab) - Flow Manager Settings - Preallocated Sessions.  
                

                The previous poster appears to have worked around it by increasing the Stream Memory Cap.  The current default settings seem to be not allocating enough Stream Memory for the number of Preallocated Sessions.  Either decreasing the Preallocated Sessions or increasing Stream Memory Cap should resolve the issue.

                The final post in the mailing list provides some guidance for memory/preallocated session settings:

                Also, how can I calculate the highest value that I can use?

                TcpSession structure is 192 bytes, PoolBucket 24. So it should be:

                (192 + 24) * prealloc_sessions * number of threads = memory use in bytes

                For my setup, I seem to have 7 packet processing threads and 1 management thread.

                For the default preallocated sessions (32768) this would require either 56623104 or 49545216 bytes of memory depending on whether the management thread is included in the calculation or not.

                This would explain why increasing the Stream Memory Cap to 64MB has fixed the previous poster's (and my) problem.

                Hope this helps.
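                Carrying gsiemon's formula through as a small calculator, as an added example that is not code from this thread, the OISF list or the pfSense package. The 192-byte TcpSession and 24-byte PoolBucket sizes are the figures quoted above. The thread model is an assumption inferred from "4 processors -> 7 packet-processing threads and 1 management thread": Suricata 2.0's default detect-thread-ratio of 1.5 gives 6 detect threads, plus one pcap receive thread, plus the flow manager. The script also reads the three relevant lines out of a startup log (the sample lines are copied from Cino's log above, so the input is constructed) and says whether the pre-allocation will fit inside stream.memcap and what the next 32 MB step that does fit is.

```python
"""Check Suricata 2.0.x stream pre-allocation against stream.memcap.

Added example, not code from the forum thread, the OISF list or the pfSense
package.  Struct sizes are the ones quoted from the OISF list post
(TcpSession 192 bytes, PoolBucket 24 bytes).  The thread model is an
ASSUMPTION inferred from "4 processors -> 7 packet-processing threads and
1 management thread" in the thread: detect-thread-ratio 1.5 (the Suricata
2.0 default), one pcap receive thread, one flow-manager thread.
"""
import math
import re

TCP_SESSION_BYTES = 192
POOL_BUCKET_BYTES = 24
PER_SESSION_BYTES = TCP_SESSION_BYTES + POOL_BUCKET_BYTES
DETECT_THREAD_RATIO = 1.5          # assumption: Suricata 2.0 default
MIB = 1024 * 1024


def thread_count(cpus, detect_thread_ratio=DETECT_THREAD_RATIO):
    """Threads that each pre-allocate a session pool (AutoFP pcap, one interface).

    ceil(cpus * ratio) detect threads + 1 receive thread + 1 flow manager.
    4 CPUs -> 8 and 8 logical CPUs -> 14, which reproduces the 54 MB and
    94.5 MB figures worked out in the thread.
    """
    return math.ceil(cpus * detect_thread_ratio) + 1 + 1


def prealloc_bytes(prealloc_sessions, threads):
    """Bytes the pools grab at startup: (192 + 24) * prealloc * threads."""
    return PER_SESSION_BYTES * prealloc_sessions * threads


def smallest_memcap_mib(prealloc_sessions, threads, step_mib=32):
    """Smallest multiple of step_mib MiB that covers the pre-allocation."""
    need = prealloc_bytes(prealloc_sessions, threads)
    return math.ceil(need / (step_mib * MIB)) * step_mib


def max_prealloc_sessions(memcap_bytes, threads):
    """Largest per-thread prealloc-sessions that fits a given memcap
    (the question asked on the OISF list, turned around)."""
    return memcap_bytes // (PER_SESSION_BYTES * threads)


LOG_PATTERNS = {
    "cpus": re.compile(r"CPUs/cores online: (\d+)"),
    "prealloc": re.compile(r'stream "prealloc-sessions": (\d+)'),
    "memcap": re.compile(r'stream "memcap": (\d+)'),
}


def check_startup_log(lines):
    """Read cpus / prealloc-sessions / memcap out of suricata.log lines and
    predict whether pool init fits; raises ValueError if a value is missing."""
    found = {}
    for line in lines:
        for key, pat in LOG_PATTERNS.items():
            m = pat.search(line)
            if m:
                found[key] = int(m.group(1))
    missing = sorted(set(LOG_PATTERNS) - set(found))
    if missing:
        raise ValueError("startup log lacks: " + ", ".join(missing))
    threads = thread_count(found["cpus"])
    need = prealloc_bytes(found["prealloc"], threads)
    return {
        "threads": threads,
        "need_bytes": need,
        "memcap_bytes": found["memcap"],
        "fits": need <= found["memcap"],
        "suggest_mib": smallest_memcap_mib(found["prealloc"], threads),
    }


# Constructed sample: the three relevant lines copied from Cino's log above.
SAMPLE_LOG = [
    "14/5/2015 -- 14:20:19 - <info>-- CPUs/cores online: 4",
    '14/5/2015 -- 14:20:21 - <info>-- stream "prealloc-sessions": 32768 (per thread)',
    '14/5/2015 -- 14:20:21 - <info>-- stream "memcap": 33554432',
]

if __name__ == "__main__":
    result = check_startup_log(SAMPLE_LOG)
    for key, value in result.items():
        print("%-12s %s" % (key, value))
```

                For Cino's log this reports 8 threads, 56623104 bytes needed against a 33554432-byte memcap, so the pool cannot be filled and 64 MB is the first 32 MB step that works; with 8 logical CPUs the same arithmetic lands on 96 MB. Treat the suggestion as a floor rather than a target: stream.memcap also has to cover the sessions created after startup, and the pre-allocation alone already consumes most of it.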

                • DigitalDeviant

                  @gsiemon:

                  Either decreasing the Preallocated Sessions or increasing Stream Memory Cap should resolve the issue.

                  This worked for me.

                  • bmeeks

                    Thanks for the research.  I will adjust the default value in the next package update.

                    Bill

                    • Cino

                      @avink:

                      I saw the same error during startup, SC_ERR_POOL_INIT and SC_ERR_THREAD_INIT error.
                      Could be IPv6 related, I'm using IPv6 on all interfaces. About 45% of all traffic is IPv6.

                      To solve I increased 'Stream Memory Cap' to 64 MB.

                      André

                      I changed my settings based on this post and all my interfaces are back online

                      • viragomann

                        On my installation Suricata also doesn't start with 64 MB for 'Stream Memory Cap'; with 96 MB, however, it does.

                        • ccb056

                          @Cino:

                          @avink:

                          To solve I increased 'Stream Memory Cap' to 64 MB.

                          I changed my settings based on this post and all my interfaces are back online

                          64 MB worked for me also.

                          • stewgoin

                            96 worked here as well, 64 borked.

                            • gsiemon

                              My guess is that 96MB worked for you as you have more processors than me.  I have 4 active processors on my setup so I get 7 packet processing threads and a management thread.  If you have more processors then you end up with more threads and therefore need more memory.

                              • viragomann

                                Quad core with HT

                                • gsiemon

                                  @viragomann:

                                  Quad core with HT

                                  So you have double the number of logical processors that I have.  So you'd need a minimum of 94.5 MB to make it work.

                                  • viragomann

                                    I see. Thanks for explanation.

                                    • mcentirefj

                                      How do you increase the stream memory cap?

                                      Edit: Nevermind, found it in the config.xml

                                      Edit2: Got it working. Underestimated how many threads I had. Needed to bump my stream mem cap to 168.75 MB according to the formula gsiemon provided:

                                      Also, how can I calculate the highest value that I can use?

                                      TcpSession structure is 192 bytes, PoolBucket 24. So it should be:

                                      (192 + 24) * prealloc_sessions * number of threads = memory use in bytes

                                      • viragomann

                                        In the GUI, Suricata interface settings:

                                        Suricata > Interface > Flow and Stream
                                        "Stream Memory Cap"

                                        [attached screenshot: Suricata2.png]

                                        • SixXxShooTeR

                                          Neither interface will start for me. I know in your Snort write-up you mentioned that if Snort didn't start it was likely because preprocessors weren't turned on. Am I missing something like that in the Suricata package?

                                          • bmeeks

                                            @SixXxShooTeR:

                                            Neither interface will start for me. I know in your Snort write-up you mentioned that if Snort didn't start it was likely because preprocessors weren't turned on. Am I missing something like that in the Suricata package?

                                            No, Suricata does not have preprocessors like Snort does.  Have you looked at the log files?  There is the system log and there are log files for each Suricata interface (look on the LOGS tab in Suricata).

                                            Bill

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.