[Oisf-devel] Suricata performance in ips-copy mode

Peter Manev petermanev at gmail.com
Tue Jun 11 08:07:04 UTC 2013


On Tue, Jun 11, 2013 at 7:23 AM, Arun Dheena <adheena at tilera.com> wrote:
> Hello.
>
> We are trying to measure the performance of suricata in ips-copy mode on Intel (Sandy Bridge 8 core system E5-2670 0 @ 2.60GHz).
> I have configured suricata with af-packet copy mode as mentioned in the blog here:
>
> https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/
>
> Attached is the yaml file.
> We are using Ubuntu Linux 3.8.0, with a Mellanox adapter (irq balance enabled) and suricata version 1.4.2
>
> Would like to know from the experts:
>
> [1] What is the expected throughput range for 10K HTTP sessions, with zero rules and with all the traffic matching HOME_NET?
> None of the traffic is threat traffic.
> We are getting around 3Gbps.
>
> [2] Just a note, we are seeing kernel capture drops with the traffic / configuration as mentioned in [1] for all the threads.
>
> [3] Any other parameter / suggestion that could significantly change the performance for Intel in ips-copy mode.
>
> Thanks much for the help
> Arun
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/


Hi,

My suggestions for starters (so we can figure out the best config for
your traffic):

1.
  max-sessions: 200000
  prealloc-sessions: 200000

multiply the above by 100


2.
Profile and see what your traffic is mostly doing (TCP/UDP...)

3.
If (1) does not help with the drops, and after seeing (2), divide the
flow timeouts by 5ish/10ish where necessary (example):

flow-timeouts:

  default:
    new: 3
    established: 30
    closed: 0
    emergency-new: 1
    emergency-established: 10
    emergency-closed: 0
  tcp:
    new: 5
    established: 360
    closed: 10
    emergency-new: 2
    emergency-established: 30
    emergency-closed: 5
  udp:
    new: 3
    established: 30
    emergency-new: 5
    emergency-established: 10
  icmp:
    new: 10
    established: 30
    emergency-new: 5
    emergency-established: 10
Thank you



--
Regards,
Peter Manev
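Steps (2) and the drop observation in Arun's [2] both come down to reading stats.log, so here is an added example (not code from this thread or from the Suricata project) that parses a constructed excerpt in the "Counter | TM Name | Value" layout Suricata 1.x writes, reports the kernel drop ratio per capture thread, and sums decoder.tcp / decoder.udp / decoder.icmpv4 across threads to show the protocol mix. The thread names and all numbers in the sample are made up; the counter names are assumed from Suricata's stats output.

```python
import re
from collections import defaultdict

# Constructed sample in the stats.log layout used by Suricata 1.x
# ("Counter | TM Name | Value"); thread names and numbers are made up.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 1000000
capture.kernel_drops      | AFPacketeth01             | 52000
decoder.pkts              | AFPacketeth01             | 948000
decoder.tcp               | AFPacketeth01             | 900000
decoder.udp               | AFPacketeth01             | 40000
decoder.icmpv4            | AFPacketeth01             | 8000
capture.kernel_packets    | AFPacketeth02             | 800000
capture.kernel_drops      | AFPacketeth02             | 4000
decoder.pkts              | AFPacketeth02             | 796000
decoder.tcp               | AFPacketeth02             | 700000
decoder.udp               | AFPacketeth02             | 60000
decoder.icmpv4            | AFPacketeth02             | 2000
"""

# One data row: counter name, thread (TM) name, integer value.
# Separator and header lines do not match and are skipped.
ROW_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats(text):
    """Return {thread: {counter: value}}.  stats.log appends a snapshot
    every interval with cumulative counters, so when a whole file is fed
    in the last (most recent) value for each counter wins."""
    stats = defaultdict(dict)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            counter, thread, value = m.groups()
            stats[thread][counter] = int(value)
    return dict(stats)


def kernel_drop_ratios(stats):
    """Per-thread capture.kernel_drops / capture.kernel_packets
    (0.0 for a thread that has not seen any packets)."""
    ratios = {}
    for thread, counters in stats.items():
        pkts = counters.get("capture.kernel_packets", 0)
        drops = counters.get("capture.kernel_drops", 0)
        ratios[thread] = drops / pkts if pkts else 0.0
    return ratios


def threads_over_threshold(ratios, threshold=0.01):
    """Capture threads whose drop ratio exceeds the threshold (1% default)."""
    return sorted(t for t, r in ratios.items() if r > threshold)


def protocol_mix(stats):
    """Sum the per-thread decoder counters and give each protocol's share
    of the decoded TCP+UDP+ICMP packets."""
    wanted = {"decoder.tcp": "tcp", "decoder.udp": "udp", "decoder.icmpv4": "icmp"}
    counts = defaultdict(int)
    for counters in stats.values():
        for counter, name in wanted.items():
            counts[name] += counters.get(counter, 0)
    total = sum(counts.values())
    return {name: {"count": c, "share": (c / total if total else 0.0)}
            for name, c in counts.items()}


if __name__ == "__main__":
    stats = parse_stats(SAMPLE_STATS_LOG)
    ratios = kernel_drop_ratios(stats)
    for thread, ratio in sorted(ratios.items()):
        print(f"{thread}: {ratio:.2%} kernel drops")
    print("threads over 1% drops:", threads_over_threshold(ratios))
    for name, info in protocol_mix(stats).items():
        print(f"{name}: {info['count']} packets, {info['share']:.1%}")
```

Run it against a real stats.log (`parse_stats(open("/var/log/suricata/stats.log").read())`) to see whether the drops are spread evenly over every capture thread, as Arun reports, or concentrated on one, and whether the traffic is TCP-dominated before deciding which flow-timeouts section to shrink.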


