<div dir="ltr"><div><div style="font-family:arial,sans-serif;font-size:14px">It is really a great surprise for me to hear from you; first of all, thank you very much!<br></div><div style="font-family:arial,sans-serif;font-size:14px">
<br></div><div style="font-family:arial,sans-serif;font-size:14px">I have changed cluster_cpu to cluster_flow as you instructed, and it works. However, it seems that only adding threads does not help much in my system. After 1 hour's test, I still get about 50% drops.</div>
<div style="font-family:arial,sans-serif;font-size:14px">The basic configuration follows your series of 4 articles about Suricata IDPS (<a href="http://pevma.blogspot.se/2013/12/suricata-and-grand-slam-of-open-source.html" target="_blank">http://pevma.blogspot.se/2013/12/suricata-and-grand-slam-of-open-source.html</a>) and case 4 in (<a href="http://pevma.blogspot.se/2014/05/playing-with-memory-consumption.html" target="_blank">http://pevma.blogspot.se/2014/05/playing-with-memory-consumption.html</a>).</div>
<div style="font-family:arial,sans-serif;font-size:14px"><br></div><div style="font-family:arial,sans-serif;font-size:14px">This is the basic information about my system:</div><div style="font-family:arial,sans-serif;font-size:14px">
Suricata version 2.0.1 with AF_PACKET, 22 threads</div><div style="font-family:arial,sans-serif;font-size:14px">CPU: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz</div><div style="font-family:arial,sans-serif;font-size:14px">Kernel: Linux version 3.11.0-15-generic </div>
<div style="font-family:arial,sans-serif;font-size:14px">OS: Ubuntu 12.04.4</div><div style="font-family:arial,sans-serif;font-size:14px">RAM: 125G</div><div style="font-family:arial,sans-serif;font-size:14px">72 rules loaded for test.</div>
<div style="font-family:arial,sans-serif;font-size:14px">Traffic size: 2-4 Gbps</div><div class="gmail_extra" style="font-family:arial,sans-serif;font-size:14px"><br></div><div class="gmail_extra" style="font-family:arial,sans-serif;font-size:14px">
If it doesn't bother you too much, I have attached my configuration file for you to check; I am eager to receive more suggestions from you.</div><div class="gmail_extra" style="font-family:arial,sans-serif;font-size:14px">
<br></div><div class="gmail_extra" style="font-family:arial,sans-serif;font-size:14px">Thanks again.</div><div class="gmail_extra" style="font-family:arial,sans-serif;font-size:14px">Best wishes.</div></div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px"><div>
></div><div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">></span></div><div>></div>></span><div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">> 2014-06-05 15:27 GMT+08:00 Peter Manev <</span><a href="mailto:petermanev@gmail.com" style="font-family:arial,sans-serif;font-size:14px">petermanev@gmail.com</a><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>:</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">></span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px"><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> The reason the extra threads are not used is because you have set up</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> the NIC affinity and it has only 16 irq-affinity threads.</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>></span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px"><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> You can change the af-packet section from cluster_cpu to cluster_flow</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> and they will be used, though I am not sure how it will affect</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> performance in your case.</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px"><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>></span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>></span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px"><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> The fact that you set up the yaml config just as it is on the blog</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> does not guarantee you 0% drops.</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px"><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>></span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> It depends on how much traffic you inspect, how many rules you</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> load, what type of traffic it is, ...</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px"><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>></span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> Which blogpost did you follow in particular?</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px"><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> What is the OS/kernel you are using?</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> What amount of traffic do you inspect?</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px"><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> How many rules do you load?</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>></span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px"><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> thanks</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>></span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px"><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>></span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>></span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px"><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>></span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>></span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px"><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> On Thu, Jun 5, 2014 at 6:21 AM, Blogger Contact Form</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> <</span><a href="mailto:no-reply@blogger.com" style="font-family:arial,sans-serif;font-size:14px">no-reply@blogger.com</a><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">> wrote:</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> > I've configured the suricata.yaml as you suggested above, but I still</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> > get</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px"><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> > about 60% drops. Do you have any other suggestions?</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> > I intend to add threads to improve the performance, so I only</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> > change</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px"><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> > the 'threads' in 'af-packet' to 22 (the default is 16), but when I check</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> > in</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px"><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> > stats.log, packets 17-22 are not used. Did I miss changing any other</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> > parameter?</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px"><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> > thanks :)</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> ></span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px"><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> > Regards,</span><br style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">
<span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:14px">>> > Tomato- | </span><a href="mailto:xqing.summer@gmail.com" style="font-family:arial,sans-serif;font-size:14px">xqing.summer@gmail.com</a><br>
</div></div>
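The thread turns on reading stats.log to see which af-packet threads actually receive packets and how high the kernel drop rate is. The following is an added example, not code from the thread or from Suricata itself: it parses a constructed excerpt in the "Counter | TM Name | Value" layout that Suricata 2.0.x writes to stats.log (the layout and the AFPacketethXY thread names are assumptions; check them against your own file) and reports per-thread packets, drops and idle capture threads.

```python
# Added example: summarise capture.kernel_packets / capture.kernel_drops per
# AFPacket thread from a Suricata 2.0-style stats.log excerpt.
import re
from collections import defaultdict

# Constructed sample; real files repeat this block every stats interval.
# Later dumps overwrite earlier ones, so the last dump wins when parsing.
SAMPLE_STATS = """\
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 1000000
capture.kernel_drops      | AFPacketeth01             | 450000
capture.kernel_packets    | AFPacketeth02             | 900000
capture.kernel_drops      | AFPacketeth02             | 500000
capture.kernel_packets    | AFPacketeth017            | 0
capture.kernel_drops      | AFPacketeth017            | 0
decoder.pkts              | AFPacketeth01             | 550000
"""

# One data row: counter name, thread (TM) name, integer value.
ROW_RE = re.compile(r"^(?P<counter>\S+)\s*\|\s*(?P<tm>\S+)\s*\|\s*(?P<value>\d+)\s*$")


def parse_stats(text):
    """Return {thread_name: {counter: value}}; header/separator lines are skipped."""
    per_thread = defaultdict(dict)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            per_thread[m["tm"]][m["counter"]] = int(m["value"])
    return dict(per_thread)


def capture_summary(per_thread):
    """Per-thread packets/drops/drop_rate for capture threads, plus a '_total' entry."""
    summary, total_pkts, total_drops = {}, 0, 0
    for tm, counters in per_thread.items():
        pkts = counters.get("capture.kernel_packets")
        if pkts is None:
            continue  # not a capture thread (no kernel_packets counter)
        drops = counters.get("capture.kernel_drops", 0)
        summary[tm] = {"packets": pkts, "drops": drops,
                       "drop_rate": drops / pkts if pkts else 0.0, "idle": pkts == 0}
        total_pkts, total_drops = total_pkts + pkts, total_drops + drops
    summary["_total"] = {"packets": total_pkts, "drops": total_drops,
                         "drop_rate": total_drops / total_pkts if total_pkts else 0.0}
    return summary


def idle_threads(summary):
    """Capture threads that never received a packet (the 17-22 symptom in the thread)."""
    return sorted(tm for tm, s in summary.items() if tm != "_total" and s["idle"])


if __name__ == "__main__":
    s = capture_summary(parse_stats(SAMPLE_STATS))
    for tm in sorted(s):
        print(f"{tm:16} packets={s[tm]['packets']:>9} drops={s[tm]['drops']:>8} "
              f"drop_rate={s[tm]['drop_rate']:.1%}")
    print("idle threads:", idle_threads(s))
```

Run it against your own stats.log (read the file instead of SAMPLE_STATS); a thread listed as idle with cluster_cpu is the symptom of the IRQ-affinity mismatch Peter describes.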