<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>I am using latest Suricata release 2.0.4. BTW, I've had 2.0.1 version running recently and I had a drastic drop in number of alerts after like 5 hours of starting Suricata. 2.0.4 fixed that.<div><br></div><div>Actually, I managed to get pf_ring number of slots way higher than suggested default.</div><div>I found out that maximum number for me was 400000. Originally during config tweaking, I've noticed that higher number of slots did improve packet loss. </div><div>Recently, I've started testing with lower number of slots (200000), same behavior as far as occasional burst of packet loss.</div><div><br></div><div>For the NICs, I've done the following:</div><div><div># ethtool -k ethx</div><div>Features for ethx:</div><div>rx-checksumming: off</div><div>tx-checksumming: off</div><div>scatter-gather: off</div><div>tcp-segmentation-offload: off</div><div>udp-fragmentation-offload: off</div><div>generic-segmentation-offload: off</div><div>generic-receive-offload: off</div><div>large-receive-offload: off</div><div>ntuple-filters: off</div><div>receive-hashing: off</div><div><br></div><div># ethtool -c ethx</div><div><div>rx-usecs: 1000</div></div><div><br></div><div><div># ethtool -g ethx</div><div>Ring parameters for ethx:</div><div>Pre-set maximums:</div><div>RX: 4078</div><div>RX Mini: 0</div><div>RX Jumbo: 0</div><div>TX: 4078</div><div>Current hardware settings:</div><div>RX: 4078</div><div>RX Mini: 0</div><div>RX Jumbo: 0</div><div>TX: 4078</div></div><div><br></div><br><div>> Date: Wed, 5 Nov 2014 00:11:29 +0100<br>> Subject: Re: [Oisf-users] Occasional burst of packet loss<br>> From: petermanev@gmail.com<br>> To: coolyasha@hotmail.com<br>> CC: cnelson@ucsd.edu; oisf-users@lists.openinfosecfoundation.org<br>> <br>> On Tue, Nov 4, 2014 at 5:38 PM, Yasha Zislin <coolyasha@hotmail.com> wrote:<br>> > How do you increase socket buffers?<br>> ><br>> > I've increased a lot of buffers already. That's why my memory utilization is<br>> > high.<br>> > I've also maxed out NIC buffers and PF_RING ring size.<br>> <br>> Could you describe how and which NIC buffers did you max out?<br>> <br>> Suggestion for pf_ring in general:<br>> In a terminal:<br>> -> modprobe pf_ring transparent_mode=0 min_num_slots=65534 enable_tx_capture=0<br>> <br>> to confirm:<br>> -> cat /proc/net/pf_ring/info<br>> <br>> In suricata.yaml<br>> ->max-pending-packets: 65534<br>> <br>> Which Suricata version are you using?<br>> <br>> ><br>> > Thanks.<br>> ><br>> >> Date: Tue, 4 Nov 2014 08:11:36 -0800<br>> >> From: cnelson@ucsd.edu<br>> >> To: coolyasha@hotmail.com; oisf-users@lists.openinfosecfoundation.org<br>> >> Subject: Re: [Oisf-users] Occasional burst of packet loss<br>> >><br>> >> -----BEGIN PGP SIGNED MESSAGE-----<br>> >> Hash: SHA1<br>> >><br>> >> Not sure if this works the same as with PF_RING, but I've found<br>> >> increasing the socket buffers can help with packet drops during DOS<br>> >> attacks when running in AF_PACKET mode. eg:<br>> >><br>> >> > buffer-size: 1048576<br>> >><br>> >> On 11/3/2014 11:35 AM, Yasha Zislin wrote:<br>> >> ><br>> >> > I guess, I am trying to figure out if there is a way to reduce packet<br>> >> > loss and improve performance while being attacked by either DDOS or<br>> >> > something else.<br>> >> ><br>> >> > Thanks.<br>> >> ><br>> >><br>> >> - --<br>> >> Cooper Nelson<br>> >> Network Security Analyst<br>> >> UCSD ACT Security Team<br>> >> cnelson@ucsd.edu x41042<br>> >> -----BEGIN PGP SIGNATURE-----<br>> >> Version: GnuPG v2.0.17 (MingW32)<br>> >><br>> >> iQEcBAEBAgAGBQJUWPq4AAoJEKIFRYQsa8FWVu0IAMr8JKausfNOpGwachndvXn7<br>> >> 5GKrmgWi/LJ2jNIWc5UVpC5a/JfxfS4WR2crzWbTpaSqjiIGwskhmfsFEg9zaUfq<br>> >> d9npoo8W6hL7EW/18f+29zajtwoCry58W1ZqLHFPBBEfOoGV0f4NQOCEi6tudf6M<br>> >> CEFIkyhEMeXhNzg++bm22TUjhEHesa1S92tStS0zniYJrRhyGTX6B/kXEzedEk/l<br>> >> Adx5yzgJrWAsSFgxTR6I1JjsOaBwQvUqsE7uYlEQb9JVOpwK0DGQitXQfUmQ+vWx<br>> >> nFMkxHAkqIgOJq4WXn1SGnUEZ9hsojZIMh+C1kUc6HUPdOCUlJKVCKQYyDoX4js=<br>> >> =9Bcm<br>> >> -----END PGP SIGNATURE-----<br>> ><br>> > _______________________________________________<br>> > Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org<br>> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/<br>> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br>> > Training now available: http://suricata-ids.org/training/<br>> <br>> <br>> <br>> -- <br>> Regards,<br>> Peter Manev<br></div></div> </div></body>
</html>