<br><br>
<div class="gmail_quote">On Thu, Feb 23, 2012 at 8:48 AM, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">Enabling hyper threading is also recommended. It's not magic, but it<br>will gain you some.<br><br>Btw, can you share a record of the stats.log after Suricata has been<br>
running for some time?<br><br>Cheers,<br>Victor<br>
<div class="HOEnZb">
<div class="h5"><br>On 02/23/2012 03:16 AM, Martin Holste wrote:<br>> The biggest performance boost you can get is to run with the pattern<br>> matcher as "ac" and all of the settings on "high" in the tuning. This<br>
> will use a lot of RAM--you may not have enough to run all of the rules<br>> you want. I highly suggest adding as much RAM as possible, running ac<br>> with autofp, and use PF_RING with or without the proper Broadcom<br>
> driver.<br>><br>> In the stats file, look at the tcp.segment_memcap_drop and<br>> tcp.ssn_memcap_drop. If you see drops there, you need to up the<br>> buffers even more for memcap, etc.<br>><br>> Regarding comparison to another IDS: Suricata may be doing a lot more<br>
> work than the other setup. Remember that it is actually<br>> deconstructing every HTTP session before it even gets to the pattern<br>> matching. This is powerful stuff, and it costs CPU time. Also, keep<br>> in mind the number of rules being run when making comparisons.<br>
><br>> One good baseline for a sanity check is to disable all of the rules<br>> and run Suricata for a bit. Make sure that it isn't dropping packets<br>> just doing stream reassembly and HTTP analysis. Once you've verified<br>
> it's not dropping there, then you know that tweaking the number of<br>> rules and/or the pattern matching settings will provide a benefit.<br>> That server should definitely be able to handle 400 Mb/sec, one way or<br>
> another.<br>><br>> On Wed, Feb 22, 2012 at 6:15 PM, mc8647 <<a href="mailto:mc8647@mclink.it">mc8647@mclink.it</a>> wrote:<br>>> Thanks for reply.<br>>><br>>> The server is a HP DL360G7, it has 4 onboard lan ports...<br>
>><br>>> We are testing a proprietary IDS with another mirror port on a twin<br>>> server (they are identically configured hardware).<br>>><br>>> This proprietary IDS runs inside a esx4 VM with 8 cpu and it has no<br>
>> missing packets!<br>>><br>>> So with less CPUs, less ram, and with esx overhead it is able to not<br>>> lose packets. I think it is linux based with highly personlized setup,<br>>> for example it supports just 3 hardware servers and esx VMs.<br>
>><br>>><br>>> "If I stop suricata with ctrl-c I get a message stating about 25%<br>>> packets missed." should have been<br>>><br>>> If I stop suricata with ctrl-c I get a message stating that from 3 to about 25% packets were missed depending on the run.<br>
>><br>>> Francesco<br>>><br>>> _______________________________________________<br>>> Oisf-users mailing list<br>>> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
>> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>> _______________________________________________<br>
> Oisf-users mailing list<br>> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
><br><br><br></div></div><span class="HOEnZb"><font color="#888888">--<br>---------------------------------------------<br>Victor Julien<br><a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>---------------------------------------------<br></font></span>
<div class="HOEnZb">
<div class="h5"><br>_______________________________________________<br>Oisf-users mailing list<br><a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br><a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</div></div></blockquote></div>
<div><br><br clear="all">I agree with Martin - up the buffers.</div>
<div>BTW - if you load Suricata 1.2.1 (on an empty interface, no traffic) - how much mem is taken for 4K rules?</div>
<div> </div>
<div> </div>
<div>thanks<br>-- <br></div>
<div>Regards,</div>
<div>Peter Manev</div><br>