Support #3287


Using Lua output, Suricata kernel drop high.

Added by xu hui over 4 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Affected Versions:
Label:

Description

Hi, Team:
I am trying to use Lua output to audit a specific website. At the site's peak, I found a lot of kernel drops. When using Lua output, I have turned off Suricata's default http output.
After discovering the kernel drop alert, I chose to turn off the Lua output and enable Suricata's default http output. That solved the problem of kernel drops. This makes me suspect that the problem is caused by Lua output; how should I optimize to solve this problem?
When a kernel drop occurs, the stats.flow_mgr.new_pruned_delta value becomes very large. I don't quite understand what this means. Can you explain?

I have 3 questions:
1. For this problem, can suricata.yaml be optimized?
2. What does stats.flow_mgr.new_pruned_delta mean?
3. For luajit: states: 128, when should this value be adjusted?

Stats before kernel drops:

------------------------------------------------------------------------------------
Date: 10/29/2019 -- 03:06:30 (uptime: 0d, 00h 01m 23s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 6542206
decoder.pkts                                  | Total                     | 6694420
decoder.bytes                                 | Total                     | 6863107222
decoder.ipv4                                  | Total                     | 13388752
decoder.ethernet                              | Total                     | 6694420
decoder.tcp                                   | Total                     | 6491644
decoder.udp                                   | Total                     | 6696085
decoder.icmpv4                                | Total                     | 152
decoder.vlan                                  | Total                     | 6694420
decoder.vxlan                                 | Total                     | 6694332
decoder.avg_pkt_size                          | Total                     | 1025
decoder.max_pkt_size                          | Total                     | 9015
flow.tcp                                      | Total                     | 403424
flow.udp                                      | Total                     | 49909
flow.icmpv4                                   | Total                     | 27
tcp.sessions                                  | Total                     | 237343
tcp.syn                                       | Total                     | 237457
tcp.synack                                    | Total                     | 237426
tcp.rst                                       | Total                     | 109901
tcp.reassembly_gap                            | Total                     | 24933
tcp.overlap                                   | Total                     | 1612937
app_layer.flow.http                           | Total                     | 154203
app_layer.tx.http                             | Total                     | 181085
app_layer.flow.failed_tcp                     | Total                     | 58304
app_layer.flow.dns_udp                        | Total                     | 1
app_layer.tx.dns_udp                          | Total                     | 2
app_layer.flow.failed_udp                     | Total                     | 49908
flow_mgr.closed_pruned                        | Total                     | 226320
flow_mgr.new_pruned                           | Total                     | 215436
flow_mgr.est_pruned                           | Total                     | 25
flow.spare                                    | Total                     | 1053947
flow.tcp_reuse                                | Total                     | 10
flow_mgr.flows_checked                        | Total                     | 13201
flow_mgr.flows_notimeout                      | Total                     | 1373
flow_mgr.flows_timeout                        | Total                     | 11828
flow_mgr.flows_timeout_inuse                  | Total                     | 3451
flow_mgr.flows_removed                        | Total                     | 8377
flow_mgr.rows_checked                         | Total                     | 1048576
flow_mgr.rows_skipped                         | Total                     | 1030263
flow_mgr.rows_empty                           | Total                     | 5242
flow_mgr.rows_maxlen                          | Total                     | 2
tcp.memuse                                    | Total                     | 20643840
tcp.reassembly_memuse                         | Total                     | 324192856
http.memuse                                   | Total                     | 194409899
flow.memuse                                   | Total                     | 415443880

Stats with kernel drops:

------------------------------------------------------------------------------------
Date: 10/29/2019 -- 03:07:30 (uptime: 0d, 00h 02m 23s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 13429680
capture.kernel_drops                          | Total                     | 6429177
decoder.pkts                                  | Total                     | 13598613
decoder.bytes                                 | Total                     | 13832953635
decoder.ipv4                                  | Total                     | 27197129
decoder.ethernet                              | Total                     | 13598613
decoder.tcp                                   | Total                     | 13192478
decoder.udp                                   | Total                     | 13602126
decoder.icmpv4                                | Total                     | 218
decoder.vlan                                  | Total                     | 13598613
decoder.vxlan                                 | Total                     | 13598519
decoder.avg_pkt_size                          | Total                     | 1017
decoder.max_pkt_size                          | Total                     | 9015
flow.tcp                                      | Total                     | 823605
flow.udp                                      | Total                     | 112050
flow.icmpv4                                   | Total                     | 59
tcp.sessions                                  | Total                     | 489887
tcp.syn                                       | Total                     | 490059
tcp.synack                                    | Total                     | 490027
tcp.rst                                       | Total                     | 233928
tcp.reassembly_gap                            | Total                     | 50030
tcp.overlap                                   | Total                     | 3340027
detect.alert                                  | Total                     | 1
app_layer.flow.http                           | Total                     | 314483
app_layer.tx.http                             | Total                     | 370209
app_layer.flow.failed_tcp                     | Total                     | 124134
app_layer.flow.dns_udp                        | Total                     | 2
app_layer.tx.dns_udp                          | Total                     | 4
app_layer.flow.failed_udp                     | Total                     | 112048
flow_mgr.closed_pruned                        | Total                     | 467779
flow_mgr.new_pruned                           | Total                     | 444549
flow_mgr.est_pruned                           | Total                     | 15148
flow.spare                                    | Total                     | 1057524
flow.tcp_reuse                                | Total                     | 17
flow_mgr.flows_checked                        | Total                     | 11596
flow_mgr.flows_timeout                        | Total                     | 11596
flow_mgr.flows_timeout_inuse                  | Total                     | 2834
flow_mgr.flows_removed                        | Total                     | 8762
flow_mgr.rows_checked                         | Total                     | 1048576
flow_mgr.rows_skipped                         | Total                     | 1030570
flow_mgr.rows_empty                           | Total                     | 6470
flow_mgr.rows_maxlen                          | Total                     | 2
tcp.memuse                                    | Total                     | 20643840
tcp.reassembly_memuse                         | Total                     | 81676632
http.memuse                                   | Total                     | 87018090
flow.memuse                                   | Total                     | 417751032


Files

WechatIMG118.png (197 KB) - Kibana monitor - kernel_drops - xu hui, 10/30/2019 02:39 AM
suricata_5.0_60G_36C.yaml (65.6 KB) - suricata.yaml - xu hui, 10/30/2019 02:43 AM
web_http_audit_demo.lua (9.85 KB) - lua script - xu hui, 11/08/2019 08:46 AM
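A note on reading the two stats dumps above, added by the editor and not part of the original report: every counter in stats.log is cumulative since Suricata started, and the `_delta` counters that appear in EVE JSON stats output (when `deltas: yes` is set under the eve-log `stats` output) are simply the change in the matching cumulative counter since the previous stats interval. So a large `flow_mgr.new_pruned_delta` means many flows were pruned while still in the "new" state during that one interval, which is exactly what happens when the capture path is dropping packets and flows never progress. The script below (added example, not code from the reporter or the Suricata project) parses stats.log-style dumps, derives the per-interval deltas and per-second rates, and computes the kernel drop fraction for the interval; the embedded sample dumps are trimmed copies of the two dumps posted above, and the column-parsing regex is an assumption about the stats.log layout shown on this page rather than a documented format.

```python
"""Derive per-interval deltas, rates and drop fraction from Suricata stats.log dumps."""
import re
from datetime import datetime
from typing import Dict, Tuple

# Constructed sample input: the two dumps from the report, trimmed to the
# counters used below. The values are the ones posted on the page.
DUMP_T0 = """\
Date: 10/29/2019 -- 03:06:30 (uptime: 0d, 00h 01m 23s)
Counter                                       | TM Name                   | Value
capture.kernel_packets                        | Total                     | 6542206
flow_mgr.closed_pruned                        | Total                     | 226320
flow_mgr.new_pruned                           | Total                     | 215436
flow_mgr.est_pruned                           | Total                     | 25
"""

DUMP_T1 = """\
Date: 10/29/2019 -- 03:07:30 (uptime: 0d, 00h 02m 23s)
Counter                                       | TM Name                   | Value
capture.kernel_packets                        | Total                     | 13429680
capture.kernel_drops                          | Total                     | 6429177
flow_mgr.closed_pruned                        | Total                     | 467779
flow_mgr.new_pruned                           | Total                     | 444549
flow_mgr.est_pruned                           | Total                     | 15148
"""

# Assumed layout of a stats.log row: "<counter> | <thread name> | <value>".
ROW_RE = re.compile(r"^(?P<name>[\w.]+)\s*\|\s*(?P<tm>[^|]+?)\s*\|\s*(?P<value>\d+)\s*$")
DATE_RE = re.compile(r"^Date:\s+(?P<ts>\d{2}/\d{2}/\d{4} -- \d{2}:\d{2}:\d{2})")


def parse_dump(dump: str) -> Tuple[datetime, Dict[str, int]]:
    """Return (timestamp, {counter: cumulative value}) for the 'Total' rows of one dump."""
    ts = None
    counters: Dict[str, int] = {}
    for line in dump.splitlines():
        line = line.strip()
        m = DATE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%m/%d/%Y -- %H:%M:%S")
            continue
        m = ROW_RE.match(line)
        if m and m.group("tm") == "Total":
            counters[m.group("name")] = int(m.group("value"))
    if ts is None:
        raise ValueError("dump has no Date line")
    return ts, counters


def deltas(prev: Dict[str, int], cur: Dict[str, int]) -> Dict[str, int]:
    """Per-interval change for every counter in `cur`, keyed like EVE's <name>_delta.
    A counter missing from `prev` (Suricata omits zero-valued counters) counts as 0."""
    return {name + "_delta": value - prev.get(name, 0) for name, value in cur.items()}


def rates(prev_dump: str, cur_dump: str) -> Dict[str, float]:
    """Per-second rate of each counter over the interval between two dumps."""
    t0, c0 = parse_dump(prev_dump)
    t1, c1 = parse_dump(cur_dump)
    seconds = (t1 - t0).total_seconds()
    if seconds <= 0:
        raise ValueError("dumps are not in chronological order")
    return {name: d / seconds for name, d in deltas(c0, c1).items()}


def drop_fraction(prev_dump: str, cur_dump: str) -> float:
    """kernel_drops / kernel_packets for the interval only (not since start)."""
    _, c0 = parse_dump(prev_dump)
    _, c1 = parse_dump(cur_dump)
    d = deltas(c0, c1)
    pkts = d.get("capture.kernel_packets_delta", 0)
    drops = d.get("capture.kernel_drops_delta", 0)
    return drops / pkts if pkts else 0.0


if __name__ == "__main__":
    _, c0 = parse_dump(DUMP_T0)
    _, c1 = parse_dump(DUMP_T1)
    for name, value in sorted(deltas(c0, c1).items()):
        print(f"{name:40s} {value:>10d}")
    print(f"new_pruned/s: {rates(DUMP_T0, DUMP_T1)['flow_mgr.new_pruned_delta']:.1f}")
    print(f"drop fraction this interval: {drop_fraction(DUMP_T0, DUMP_T1):.1%}")
```

Computed over the two posted dumps, the interval is 60 seconds, `flow_mgr.new_pruned_delta` is 229113 (roughly 3800 new-state flows pruned per second) and about 93% of the packets the kernel saw in that minute were dropped, so the delta counter is a symptom of the drops rather than their cause: a "new" flow that never sees its handshake complete because the packets were dropped is pruned as soon as its (short) new-state timeout expires.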
#1

Updated by Andreas Herz over 4 years ago

  • Status changed from New to Feedback
  • Assignee set to xu hui

Can you give us more details about your lua script?

#2

Updated by xu hui over 4 years ago

Andreas Herz wrote:

Can you give us more details about your lua script?

This is my lua script.

#3

Updated by Andreas Herz about 2 years ago

  • Status changed from Feedback to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
