<div dir="ltr"><div class="gmail_quote">This thread is two weeks old, but I wanted to get back to the group on where I landed with Hyperscan and setting up my platform with more RAM.<br><br></div><div class="gmail_quote">First off, I've got a 25 megabit Metro Ethernet internet connection at work. Again, my hardware platform was a mainboard with 4 physical 64-bit Atom-based cores running at 2.41 GHz and 32 GB of RAM.<br></div><div class="gmail_quote">After compiling Hyperscan on Ubuntu 14.04 and running Suricata in IPS mode across a bridge, scanning a dot1q trunk link like so:<br><pre>suricata -q 0 -q 1 -q 2 -q 3 -D --set mpm-algo=hs -c /etc/suricata/suricata.yaml</pre></div><div class="gmail_quote"><br>I was able to easily get 25 megabits of download speed (the maximum the link offered) and 12 megabits of upstream speed. I'm not sure why I was limited on the upstream side. It could have been somewhat of a duplexing issue buried somewhere in my test rig. My CPU usage barely went up at all while I watched htop. I had set my .yaml to look like:<br><br><pre>app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes

nfq:
  mode: repeat
  repeat-mark: 1
  repeat-mask: 1
threading:
  detect-thread-ratio: 1.5

defrag:
  memcap: 1024mb
  max-frags: 65535
  hash-size: 65536
  trackers: 65535
  prealloc: yes
  timeout: 30
flow:
  memcap: 2048mb
  hash-size: 1048576
  prealloc: 1048576   # key must be lowercase; the original had "Prealloc"
flow-timeouts:
  default:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
stream:
  memcap: 8gb
  checksum-validation: no
  prealloc-sessions: 500000
  midstream: true
  async-oneside: true
  inline: yes
  reassembly:
    memcap: 10gb
    depth: 64mb
    toserver-chunk-size: 5120
    toclient-chunk-size: 5120</pre><br></div><div class="gmail_quote">It worked really well, although I am thinking that some of these values are a bit outlandish for such a small install. Thanks to (<a href="http://pevma.blogspot.se">pevma.blogspot.se</a>) for some general guidance on setting values up. I really appreciated that level of detail and sharing of information. Thanks for contributing that to the Suricata community! Thanks to Coop for suggesting Hyperscan. It was a bear to build out, because the instructions on "redmine" can lead you astray if you're not careful. If anyone has trouble manually building Hyperscan on Ubuntu Server 14.04, message me separately. I can provide step-by-step, no-brainer build and install instructions...<br><br></div><div class="gmail_quote">Chris Boley<br></div><div class="gmail_quote"><br><br></div><div class="gmail_quote"><br>On Apr 11, 2016 11:41 AM, "Cooper F. Nelson" <<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Couple things to try.<br>
<br>
1. Test out the Hyperscan build. It should work well on the Atom, as<br>
SSE instructions are supported.<br>
<br>
> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Hyperscan" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Hyperscan</a><br>
<br>
<br>
<br>
-Coop<br>
<br>
On 4/10/2016 8:35 AM, Chris Boley wrote:<br>
> My objective is to ignore intra site traffic completely while scanning all<br>
> traffic between the wan<br>
> and the local LAN. I'm using a somewhat underpowered server out of<br>
> necessity.<br>
<br>
<br>
--<br>
<br>
</blockquote></div>
</div>
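The poster suspects that some of the memcap values above are oversized for the box, and the config as posted also contains a key whose case does not match what Suricata reads. The script below is an added example (not code from the thread or from the Suricata project) that does the two checks a practitioner would want before loading such a config: it parses Suricata-style size strings, sums every <code>memcap</code> against the machine's RAM, and flags any key that is not all-lowercase. It assumes Suricata treats <code>kb</code>/<code>mb</code>/<code>gb</code> as binary (1024-based) units, and its <code>SAMPLE_CONFIG</code> is a constructed fragment built from the memcap-related values posted above, with a deliberately miscased <code>Prealloc</code> key so the check has something to find. The tiny YAML walker handles only the mapping-only subset used in <code>suricata.yaml</code>; it is not a general YAML parser.

```python
import re

# Byte multipliers for the size suffixes used in Suricata memcap/depth values.
# Assumption: suffixes are binary (1024-based) units.
SIZE_UNITS = {"": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}

# Constructed fragment from the memcap-related values in the post above,
# with a deliberately miscased "Prealloc" key (sample input, not a real file).
SAMPLE_CONFIG = """\
defrag:
  memcap: 1024mb
  max-frags: 65535
flow:
  memcap: 2048mb
  hash-size: 1048576
  Prealloc: 1048576
stream:
  memcap: 8gb
  inline: yes
  reassembly:
    memcap: 10gb
    depth: 64mb
"""


def parse_size(value):
    """Turn a Suricata size string such as '2048mb' or '10gb' into bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]?b)?\s*", str(value), re.IGNORECASE)
    if not m:
        raise ValueError("not a size value: %r" % (value,))
    return int(m.group(1)) * SIZE_UNITS[(m.group(2) or "").lower()]


def parse_yaml_subset(text):
    """Indentation-based parser for the 'key:' / 'key: value' subset of YAML.
    No lists, quoting or anchors: only enough to walk a mapping-only fragment."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) of the currently open mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        # Close every mapping that is indented at least as deep as this line.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip()
    return root


def walk(mapping, prefix=""):
    """Yield (dotted.path, leaf value) pairs for every scalar in the tree."""
    for key, value in mapping.items():
        path = key if not prefix else prefix + "." + key
        if isinstance(value, dict):
            yield from walk(value, path)
        else:
            yield path, value


def miscased_keys(cfg):
    """Suricata's keys are lowercase; a key like 'Prealloc' will not match
    the 'prealloc' key Suricata looks up, so the default silently applies."""
    return sorted({p for p, _ in walk(cfg)
                   if any(seg != seg.lower() for seg in p.split("."))})


def memcap_budget(cfg, ram_bytes):
    """Sum every *.memcap in the config and compare it with the box's RAM.
    Returns (total_bytes, fraction_of_ram, {path: bytes})."""
    caps = {p: parse_size(v) for p, v in walk(cfg)
            if p == "memcap" or p.endswith(".memcap")}
    total = sum(caps.values())
    return total, total / ram_bytes, caps


if __name__ == "__main__":
    cfg = parse_yaml_subset(SAMPLE_CONFIG)
    total, frac, caps = memcap_budget(cfg, 32 * 1024 ** 3)  # the 32 GB box
    for path, nbytes in caps.items():
        print("%-26s %6d MiB" % (path, nbytes // 1024 ** 2))
    print("memcaps total %.1f GiB = %.0f%% of 32 GiB" % (total / 1024 ** 3, frac * 100))
    for path in miscased_keys(cfg):
        print("warning: key %r is not lowercase and will not be matched" % path)
```

On the posted numbers the memcaps alone reserve 21 GiB of the 32 GiB box (defrag 1 GiB, flow 2 GiB, stream 8 GiB, reassembly 10 GiB), which is the kind of headroom check worth running before raising any of them further on a 25 Mbit link.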