Support #3420

closed

Suricata filestore v1 and v2 lose files after a period of time

Added by KingJJ wang over 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

Hello, I have a problem:
I find that the Suricata file-store works well for the first few minutes: it finds and stores 100% of the files.
But after a few minutes, it only finds and stores 1% of the files or fewer.

My Suricata version
I tested Suricata versions 5.0.0 and 4.0.4.
I tested on Linux with CentOS release 6.10 and CentOS Linux release 7.7.1908.


Files

suricata_scirius.yaml.html (66.8 KB) - config.yaml - KingJJ wang, 12/18/2019 02:54 AM
stats.log (1.05 MB) - KingJJ wang, 12/30/2019 08:53 AM
Actions #1

Updated by KingJJ wang over 4 years ago

Also, I find that the alert log loses entries just like the file store.
I wrote only one rule: alert http {myip} any -> {ipA} any (...)
Then I curl {IPA} 10000 times.
At first, the alert count in fast.log is right.
But after a few minutes, the alert count for the same signature in fast.log no longer grows proportionally.

At that point, I curl {IPA} 1000 times, and the alerts in fast.log only grow by 200.

Actions #2

Updated by Victor Julien over 4 years ago

  • Tracker changed from Bug to Support

Can you share your stats.log? It may hold clues about why this happens.

Actions #3

Updated by KingJJ wang about 4 years ago

Victor Julien wrote:

Can you share your stats.log? It may hold clues about why this happens.

OK, thank you.
Here is the stats.log file.
When Suricata starts, it stores 100% of the files, but after a while it cannot store files anymore. I downloaded more than 500 times, and Suricata only alerted on and stored 2 files.

Actions #4

Updated by KingJJ wang about 4 years ago

Hello, support.

What can I do next?
Thank you.

Actions #5

Updated by bx zhang about 4 years ago

I always run into this problem too, but my problem is more serious, because sometimes I do not get the alerts at all due to packet reassembly errors in an environment of 700 Mbps.
How can I optimize my network interface to get more alerts for the filestore?

Actions #6

Updated by Andreas Herz about 4 years ago

You could try to see if you can reproduce it with specific traffic that you record as a pcap and then do a -r run with Suricata; that might help to narrow it down or give an indication of whether it is related to the way you run Suricata.

There are also quite high numbers of file insert fails in the stats.
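
The kind of check the two replies above point at, as an added example that is not part of the original thread or of Suricata's own code: a small parser that reads consecutive stats.log snapshots and reports which loss-related counters grew between them, so the drop can be attributed to the capture layer (kernel drops), TCP reassembly (gaps, segment memcap) or flow memcap rather than to the file-store itself. The stats.log content below is constructed for the example, and the counter names it looks for (capture.kernel_drops, tcp.reassembly_gap, tcp.segment_memcap_drop, flow.memcap, detect.alert) are the standard Suricata names as far as the author knows; treat them as assumptions and compare against the names actually present in your own stats.log.

```python
"""Attribute Suricata packet/file loss from stats.log counter growth.

Added example, not Suricata project code. Counter names in LOSS_COUNTERS
are assumed; verify them against your own stats.log.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: two stats.log snapshots five minutes apart, in the
# layout stats.log uses (Counter | TM Name | Value). The second snapshot
# shows drops appearing while alerts barely grow, as in the report above.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 12/30/2019 -- 08:48:03 (uptime: 0d, 00h 05m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 2100000
capture.kernel_drops                       | Total                     | 0
tcp.reassembly_gap                         | Total                     | 12
tcp.segment_memcap_drop                    | Total                     | 0
flow.memcap                                | Total                     | 0
detect.alert                               | Total                     | 9800
------------------------------------------------------------------------------------
Date: 12/30/2019 -- 08:53:03 (uptime: 0d, 00h 10m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 4300000
capture.kernel_drops                       | Total                     | 510000
tcp.reassembly_gap                         | Total                     | 84000
tcp.segment_memcap_drop                    | Total                     | 23000
flow.memcap                                | Total                     | 0
detect.alert                               | Total                     | 10000
"""

# Counters whose growth indicates data is being lost before file extraction
# can see it (assumed names, see module docstring).
LOSS_COUNTERS = (
    "capture.kernel_drops",
    "tcp.segment_memcap_drop",
    "tcp.reassembly_gap",
    "flow.memcap",
)

DATE_RE = re.compile(r"^Date: ")
COUNTER_RE = re.compile(r"^(\S+)\s+\|\s+(\S.*?)\s+\|\s+(\d+)\s*$")


def parse_snapshots(text: str) -> List[Dict[str, int]]:
    """Split stats.log into snapshots; each maps counter name -> value.

    Per-thread rows (TM Name other than Total) are summed per counter so
    the result is the same whether stats are global or per worker.
    """
    snapshots: List[Dict[str, int]] = []
    current: Dict[str, int] = {}
    for line in text.splitlines():
        if DATE_RE.match(line):
            if current:
                snapshots.append(current)
            current = {}
            continue
        m = COUNTER_RE.match(line)
        if m:
            name, value = m.group(1), int(m.group(3))
            current[name] = current.get(name, 0) + value
    if current:
        snapshots.append(current)
    return snapshots


def counter_growth(snapshots: List[Dict[str, int]]) -> Dict[str, int]:
    """Delta of every counter between the first and the last snapshot."""
    first, last = snapshots[0], snapshots[-1]
    return {k: last.get(k, 0) - first.get(k, 0) for k in last}


def suspicious_growth(snapshots: List[Dict[str, int]]) -> List[Tuple[str, int]]:
    """Loss counters that grew over the window, in LOSS_COUNTERS order."""
    growth = counter_growth(snapshots)
    return [(k, growth[k]) for k in LOSS_COUNTERS if growth.get(k, 0) > 0]


def kernel_drop_ratio(snapshots: List[Dict[str, int]]) -> float:
    """Fraction of packets the kernel dropped over the window (0.0 if none)."""
    growth = counter_growth(snapshots)
    seen = growth.get("capture.kernel_packets", 0)
    return growth.get("capture.kernel_drops", 0) / seen if seen else 0.0


if __name__ == "__main__":
    snaps = parse_snapshots(SAMPLE_STATS_LOG)
    for name, delta in suspicious_growth(snaps):
        print(f"{name:<28} +{delta}")
    print(f"kernel drop ratio: {kernel_drop_ratio(snaps):.1%}")
    print(f"alerts added: {counter_growth(snaps)['detect.alert']}")
```

Run it against a real stats.log by reading the file into parse_snapshots instead of SAMPLE_STATS_LOG. A rising capture.kernel_drops points at the capture method or NIC queue configuration, while tcp.reassembly_gap and tcp.segment_memcap_drop growing without kernel drops point at stream memcaps; either way the file-store only ever sees what reassembly delivers, which matches the "file insert fails" mentioned above.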

Actions #7

Updated by Andreas Herz over 3 years ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
