<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body >Hi Russell,<div><br></div><div>Do you have followed please ?:</div><div><br></div><div>https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/</div><div><br></div><div>Regards</div><div>@Rmkml</div><div><br></div><br><br><br>-------- Message d'origine --------<br>De : Russell Fulton <r.fulton@auckland.ac.nz> <br>Date : <br>A : oisf-users@openinfosecfoundation.org <br>Objet : [Oisf-users] getting started with suri -- tuning <br> <br><br>Hi<br><br>I now have suri running on my test sensor (ubuntu with suri from current security onion packages). Machine has 16 cores and 8GB of memory and is seeing order or 800Mbps traffic. Currently using Pcap while I get the pf_ring stuff sorted out.<br><br>Suri is reporting dropping 70% the packets. I have used the config file that came with SO package — suitably tweaked for our setup.<br><br>Currently running the full ETPRO rule set.<br><br>here is a stats output:<br><br>Date: 7/26/2013 -- 14:31:54 (uptime: 0d, 00h 01m 32s)<br>-------------------------------------------------------------------<br>Counter | TM Name | Value<br>-------------------------------------------------------------------<br>capture.kernel_packets | RxPcapeth21 | 23599804<br>capture.kernel_drops | RxPcapeth21 | 21082434<br>capture.kernel_ifdrops | RxPcapeth21 | 0<br>decoder.pkts | RxPcapeth21 | 2515967<br>decoder.bytes | RxPcapeth21 | 2349840746<br>decoder.ipv4 | RxPcapeth21 | 2486962<br>decoder.ipv6 | RxPcapeth21 | 65854<br>decoder.ethernet | RxPcapeth21 | 2515967<br>decoder.raw | RxPcapeth21 | 0<br>decoder.sll | RxPcapeth21 | 0<br>decoder.tcp | RxPcapeth21 | 915676<br>decoder.udp | RxPcapeth21 | 483078<br>decoder.sctp | RxPcapeth21 | 0<br>decoder.icmpv4 | RxPcapeth21 | 4666<br>decoder.icmpv6 | RxPcapeth21 | 299<br>decoder.ppp | RxPcapeth21 | 60<br>decoder.pppoe | RxPcapeth21 | 0<br>decoder.gre | RxPcapeth21 | 78<br>decoder.vlan | RxPcapeth21 | 0<br>decoder.teredo | RxPcapeth21 | 36898<br>decoder.ipv4_in_ipv6 | RxPcapeth21 | 0<br>decoder.ipv6_in_ipv6 | RxPcapeth21 | 0<br>decoder.avg_pkt_size | RxPcapeth21 | 934<br>decoder.max_pkt_size | RxPcapeth21 | 1482<br>defrag.ipv4.fragments | RxPcapeth21 | 307<br>defrag.ipv4.reassembled | RxPcapeth21 | 11<br>defrag.ipv4.timeouts | RxPcapeth21 | 0<br>defrag.ipv6.fragments | RxPcapeth21 | 279<br>defrag.ipv6.reassembled | RxPcapeth21 | 26<br>defrag.ipv6.timeouts | RxPcapeth21 | 0<br>defrag.max_frag_hits | RxPcapeth21 | 0<br>tcp.sessions | Detect | 18145<br>tcp.ssn_memcap_drop | Detect | 0<br>tcp.pseudo | Detect | 15<br>tcp.invalid_checksum | Detect | 606<br>tcp.no_flow | Detect | 0<br>tcp.reused_ssn | Detect | 0<br>tcp.memuse | Detect | 12058624<br>tcp.syn | Detect | 19130<br>tcp.synack | Detect | 16282<br>tcp.rst | Detect | 8280<br>tcp.segment_memcap_drop | Detect | 0<br>tcp.stream_depth_reached | Detect | 0<br>tcp.reassembly_memuse | Detect | 11292544<br>tcp.reassembly_gap | Detect | 26<br>detect.alert | Detect | 0<br>flow_mgr.closed_pruned | FlowManagerThread | 53074<br>flow_mgr.new_pruned | FlowManagerThread | 25531<br>flow_mgr.est_pruned | FlowManagerThread | 0<br>flow.memuse | FlowManagerThread | 30216944<br>flow.spare | FlowManagerThread | 10187<br>flow.emerg_mode_entered | FlowManagerThread | 1<br>flow.emerg_mode_over | FlowManagerThread | 1<br>-------------------------------------------------------------------<br><br>How do I figure out what is wrong?<br><br>Russell<br><br>_______________________________________________<br>Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org<br>Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/<br>List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br>OISF: http://www.openinfosecfoundation.org/<br></body>