DDoS related (hping3)


Bob

May 24, 2025, 4:30:05 AM, to Wazuh | Mailing List
There's a huge difference between these two commands:
- sudo hping3 -S -p 80 --flood 192.168.0.152
[screenshot attached: Снимок экрана_24-5-2025_45738_192.168.0.151.jpeg]
(2329458 packets were sent)

- sudo hping3 -S -p 80 --flood --rand-source 192.168.0.152
[screenshot attached: Снимок экрана_24-5-2025_45939_192.168.0.151.jpeg]
(820749 packets were sent)
(it didn't fully fit but I hope you get the point)

Now I'm wondering what exactly is filling up that queue so much, considering that I only have two things in the agent's ossec.conf.
These two being:
<ossec_config>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>

</ossec_config>

yes, I removed journald and dpkg
no, I won't put them back

and if you're wondering, no, I didn't touch the agent's max queue
just looking at the sheer length of those "Agent event queue is full. Events may be lost." messages makes me think that simply raising it from 5000 to whatever won't do much

Correct me if I'm wrong or suggest something
I'm out of ideas

hasitha.u...@wazuh.com

May 24, 2025, 6:37:50 AM, to Wazuh | Mailing List
Hi Bob,

I have tested the same and found the issue. Once you run this command: sudo hping3 -S -p 80 --flood --rand-source 192.168.0.152
it generates a high rate of events in /var/log/suricata/eve.json, and that's why you receive these messages: Agent event queue is full. Events may be lost.

[screenshot attached: Screenshot 2025-05-24 160553.png]

You can set up log filtering on the collection side to stop sending unimportant (informational) logs to the Wazuh manager. You can use the query, ignore, and restrict options in the localfile configuration to control which logs get forwarded.
For more details, you can refer to these documents.
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#query
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#ignore
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#restrict

Let me know if you need further assistance on this.

Regards,
Hasitha Upekshitha
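As an added example (not from either post and not the Wazuh project's own configuration), here is Bob's two-entry agent ossec.conf with a restrict filter on the eve.json localfile, so that only Suricata alert records are forwarded and flow, stats, dns, http and similar records are dropped on the agent before they reach the event queue. It assumes Suricata's default compact one-line eve.json format (the key/value pair appears as "event_type":"alert" with no spaces) and a Wazuh agent version that supports restrict/ignore inside localfile.

```xml
<!-- Added example (not from the thread or the Wazuh project): Bob's agent
     config plus a restrict filter. Assumes compact eve.json lines of the form
     {"timestamp":"...","event_type":"alert",...} and an agent version that
     supports <restrict>/<ignore> in <localfile>. -->
<ossec_config>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
    <!-- Forward only lines whose event_type is alert. Everything else
         (flow, stats, dns, http, ...) is discarded by the agent's log
         collector and never enters the 5000-slot event queue. -->
    <restrict type="pcre2">"event_type":"alert"</restrict>
  </localfile>

</ossec_config>
```

The inverse form is `<ignore type="pcre2">"event_type":"(flow|stats)"</ignore>`, which forwards everything except the named types; which one fits depends on what actually dominates the file, which you can check with `jq -r .event_type /var/log/suricata/eve.json | sort | uniq -c`. Two caveats: the `query` option applies to the Windows eventchannel and macOS ULS log formats, not to `json`, so it does not help here; and an agent-side filter only reduces what is shipped to the manager. Suricata still writes every record to disk during a flood, so if disk I/O is also a concern the unwanted types should additionally be disabled under the eve-log outputs in suricata.yaml.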