<!DOCTYPE html>
<html><head>
<meta charset="UTF-8">
</head><body><p style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: rgb(0, 0, 128);">Hello Tanaka</p><p style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: rgb(0, 0, 128);">The configuration you have described is something we use all the time. It seems to work fine for us...even with most of the rules loaded.</p><p style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: rgb(0, 0, 128);">The main reason for bridging is the flexibility it offers....we bridge 6 interfaces together and any one of them can be in or out. Have to say we are still on a previous version.</p><p style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: rgb(0, 0, 128);">I notice that you are loading 1 rule specifying the HOME_NET variable. Have you tried running with no rules loaded at all, just to see if the base configuration is all OK?</p><p style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: rgb(0, 0, 128);">Have you configured the HOME_NET variable?</p><p style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: rgb(0, 0, 128);">Is there a specific reason for using 'reject' as opposed to 'drop'?</p><p style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: rgb(0, 0, 128);">If all of that is good, then it may be something to do with V4.</p><p style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: rgb(0, 0, 128);">Just some thoughts.</p><p style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: rgb(0, 0, 128);"><br>Amar Rathore </p><p style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: rgb(0, 0, 128);"><a href="mailto:amar@countersnipe.com">amar@countersnipe.com</a></p><p style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: rgb(0, 0, 128);">Delivering Suricata based Network Security.</p><blockquote type="cite">On June 28, 2018 at 3:34 AM tanaka yusuke &lt;net1234@hotmail.co.jp&gt; 
wrote: <br> <br><div id="ox-77fe71ee48-divtagdefaultwrapper" style="font-size: 12pt; color: #000000; font-family: Meiryo,'メイリオ','Hiragino Sans',sans-serif;" dir="ltr"><p style="margin-top: 0; margin-bottom: 0;"> <br></p><div>Hi. <br> <br> I am trying to build an IPS box at work using Suricata, but my Suricata box is showing very poor performance for some reason. <br> <br> I measured performance with wrk (https://github.com/wg/wrk) in an isolated testing environment like this: <br> <br>
<pre>client ---&gt; suricata box ---&gt; server</pre>
With the default suricata.yaml, the box's throughput drops below 10% of a dumb bridge configuration. <br> I tried to tweak some suricata.yaml settings and found some improvement, but it is still way too low. <br> I would appreciate it if you have any other suggestions for performance improvement. <br> Thanks in advance. <br> <br> Suricata box: <br> OS: CentOS 7.5 (simple install) <br> suricata: version 4.0.4 (suricata-4.0.4-1.el7.x86_64) <br> CPU: Intel(R) Celeron(R) CPU N3160 @ 1.60GHz (4Core/4Thread) <br> <br> Suricata launch procedure: <br>
<pre>#&gt; systemctl stop firewalld
#&gt; iptables -A FORWARD -j NFQUEUE --queue-num 0
#&gt; suricata -c /etc/suricata.yaml -S /etc/suricata/sample.rules -q 0 -vv</pre>
Rules activated (/etc/suricata/sample.rules): <br>
<pre>reject ip $HOME_NET any -&gt; 192.168.10.142 any (msg:"test rules"; gid:10000; sid:10000; rev:1;)</pre>
Testing patterns: <br> 1. suricata off (dumb bridge mode) <br> 2. suricata on (default suricata.yaml) <br> 3. suricata on (log suppressed) <br> 4. suricata on (log suppressed + cpu-affinity set) <br> <br> Results: <br>
<pre>[client]# ./wrk -t10 -c1000 -d30s http://192.168.100.101/
Running 30s test @ http://192.168.100.101/
  10 threads and 1000 connections

1. 3296109 requests in 30.09s, 3.20GB read
   Requests/sec: 109536.50
   Transfer/sec:    108.85MB

2. 229685 requests in 30.10s, 228.24MB read
   Requests/sec:   7630.75
   Transfer/sec:      7.58MB

3. 341039 requests in 30.04s, 338.90MB read
   Requests/sec:  11354.15
   Transfer/sec:     11.28MB

4. 417160 requests in 30.03s, 414.54MB read
   Requests/sec:  13892.03
   Transfer/sec:     13.80MB</pre>
Modifications to suricata.yaml: <br> <br> 3. suppressed log output <br>
<pre>-----------------------------------------
stats:
  enabled: no
outputs:
  - eve-log:
      enabled: no
-----------------------------------------</pre>
4. cpu-affinity setting added <br>
<pre>-----------------------------------------
threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ "all" ]
        prio:
          default: "low"
    - receive-cpu-set:
        cpu: [ "all" ]
        prio:
          default: "low"
    - worker-cpu-set:
        cpu: [ 1,2,3 ]
        mode: "exclusive"
        threads: 3
        prio:
          default: "medium"
    - verdict-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "high"
-----------------------------------------</pre>
<br></div><br><p> <br></p></div></blockquote><p style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: #000080;" class="default-style"><br> </p><blockquote type="cite">_______________________________________________ <br>Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org <br>Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/ <br>List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users <br> <br>Conference: https://suricon.net <br>Trainings: https://suricata-ids.org/training/</blockquote><p style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: #000080;" class="default-style"><br> </p></body></html>