Hello Stefan, hello Peter, hello *,
@Stefan: Thank you again for building the ISO with Suricata 5.0.0-beta1, Rust and current libhtp.
@Peter: Sorry for having not answered your question: The problem is not only related to DNS traffic, but to new connections in general (no matter if they are encrypted or plain text) - see below for details.
Initially, Suricata refuses to start:
Sep 8 11:59:43 maverick suricata: [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active Sep 8 11:59:43 maverick suricata: [ERRCODE: SC_ERR_NFQ_OPEN(68)] - no queue for given index Sep 8 11:59:43 maverick suricata: [ERRCODE: SC_ERR_NFQ_THREAD_INIT(78)] - nfq thread failed to initialize
Although statistics are disabled in /etc/suricata/suricata.yaml , enabling the statistics logger was necessary. Perhaps a glitch in the beta version, as the statistics log file is empty.
Instead of passing the NFQ indices one by one ("-q 0 -q 1 -q 2 -q 3"), Suricata now likes them as a range: "-q 0:3" After changing this in the initscript and deleting orphaned PID file, Suricata starts correctly.
Initialisation procedure takes 87 seconds on my testing hardware, which is approximately two times faster compared to Suricata 4.x. Rule parsing works, all tested attacks were successfully detected.
Resource consumption of Suricata 5.x is a bit lower compared to 4.x .
Unfortunately, both of my problems can be reproduced with that image: (a) Poor OpenVPN throughput. This has improved a bit to 1.2 MB/sec peak, but still is lower than the 2.1 MB/sec I observe on another productive machine. (b) Establishing connections and DNS resolutions takes age Regardless of SSH, HTTP, HTTPS, SMTPS or IMAPS, establishing a new connection takes 1-2 seconds due to massive packet loss. Resolving DNS records using "dig" or "host" is fast, but using "wget" or "curl" is slow.
Increasing memory allocations or "max-pending-packets" did not help again. That being said, I think we can be more generous regarding our memory allocations, as most RAM of my testing hardware stayed unallocated. :-)
As Eric Leblond already mentioned on the OISF mailing list, the actual problem seems to be something else (netfilter/iptables/?).
Version commands for reference:
[root@maverick ~]# suricata -V This is Suricata version 5.0.0-beta1 RELEASE
[root@maverick ~]# uname -a Linux maverick 4.14.138-ipfire #1 SMP Sat Sep 7 06:27:36 GMT 2019 x86_64 Intel(R) Celeron(R) CPU N3150 @ 1.60GHz GenuineIntel GNU/Linux
[root@maverick ~]# suricata --build-info This is Suricata version 5.0.0-beta1 RELEASE Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_LIBJANSSON TLS MAGIC RUST SIMD support: none Atomic intrisics: 1 2 4 8 byte(s) 64-bits, Little-endian architecture GCC version 8.3.0, C version 199901 compiled with _FORTIFY_SOURCE=2 L1 cache line size (CLS)=64 thread local storage method: __thread compiled with LibHTP v0.5.30, linked against LibHTP v0.5.30
Suricata Configuration: AF_PACKET support: yes eBPF support: no XDP support: no PF_RING support: no NFQueue support: yes NFLOG support: no IPFW support: no Netmap support: no DAG enabled: no Napatech enabled: no WinDivert enabled: no
Unix socket enabled: yes Detection enabled: yes
Libmagic support: yes libnss support: yes libnspr support: yes libjansson support: yes liblzma support: yes hiredis support: no hiredis async with libevent: no Prelude support: no PCRE jit: yes LUA support: no libluajit: no libgeoip: no Non-bundled htp: yes Old barnyard2 support: no Hyperscan support: yes Libnet support: yes liblz4 support: no
Rust support: yes Rust strict mode: no Rust debug mode: no Rust compiler: rustc 1.37.0 (eae3437df 2019-08-13) Rust cargo: cargo 1.37.0 (9edd08916 2019-08-02)
Python support: no Python path: not set Python version: not set Python distutils no Python yaml no Install suricatactl: requires python Install suricatasc: requires python Install suricata-update: not bundled
Profiling enabled: no Profiling locks enabled: no
Development settings: Coccinelle / spatch: no Unit tests enabled: no Debug output enabled: no Debug validation enabled: no
Generic build parameters: Installation prefix: /usr Configuration directory: /etc/suricata/ Log directory: /var/log/suricata/
--prefix /usr --sysconfdir /etc --localstatedir /var --datarootdir /usr/share
Host: x86_64-pc-linux-gnu Compiler: gcc (exec name) / gcc (real) GCC Protect enabled: yes GCC march native enabled: no GCC Profile enabled: no Position Independent Executable enabled: no CFLAGS -O2 -pipe -Wall -fexceptions -fPIC -m64 -mindirect-branch=thunk -mfunction-return=thunk -mtune=generic -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -I${srcdir}/../rust/gen/c-headers PCAP_CFLAGS -I/usr/include SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
Thanks, and best regards, Peter Müller