<div dir="ltr">CPU isolation and such are like the cherry on top of the cake ;-) One has to take care of memcaps first.<div><br></div><div>It totally makes sense that you see the biggest improvement after addressing the memcap drops.</div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Oct 25, 2018 at 7:52 AM Cloherty, Sean E <<a href="mailto:scloherty@mitre.org">scloherty@mitre.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="m_1430329438197471733WordSection1">
<p class="MsoNormal">CPU Pinning was the most impactful for our environment with similar traffic rates per box. The other was to address any stats that showed Suricata hitting any memcaps.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">On test boxes I’ve tested CPU isolation and didn’t see a significant improvement. Hyperscan was helpful, and using Google’s TCMALLOC may reduce the memory footprint
<a href="https://github.com/OISF/suricata/blob/master/doc/userguide/performance/tcmalloc.rst" target="_blank">
https://github.com/OISF/suricata/blob/master/doc/userguide/performance/tcmalloc.rst</a><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Oisf-users <<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org" target="_blank">oisf-users-bounces@lists.openinfosecfoundation.org</a>>
<b>On Behalf Of </b>Edgmand, Craig<br>
<b>Sent:</b> Thursday, August 30, 2018 11:04 AM<br>
<b>To:</b> <a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a><br>
<b>Subject:</b> [Oisf-users] Suricata Performance Tuning<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Hello,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"> I am working on a new Suricata server (Dell PowerEdge R710, 72 Gb of memory, 2 6 core procs) using a Myricom 10 card running snf v3. It needs to process between 3 and 6 Gb of traffic fed by a NetOptics agg tap.
<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"> Currently the system is dropping about 10% of the packets and the SNF drop ring is full so that implies that Suricata is not keeping up with processing. I currently have 20 threads running and about 16 Gb of free memory.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"> I have read SEPTun, SEPTun-Mark-II, the Suricata docs, the Myricom user guide, Peter Manev's old blogs, etc.
<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"> And what I want to know is what performance tuning options have the greatest impact? Outside of buying faster processors, more memory or a different NIC card.
:)<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"> Is it the suricata.yaml configuration options?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"> Is it hyperscan?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"> Sysctl settings?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"> Ethtool tweaks?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"> BIOS setting?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"> CPU Pinning?<u></u><u></u></p>
<p class="MsoNormal"> ???<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Thanks very much,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Craig Edgmand<u></u><u></u></p>
<p class="MsoNormal">Oklahoma State University<u></u><u></u></p>
</div>
</div>
</blockquote></div>
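<p>Added example, not part of the thread and not Suricata project code: one way to find the memcap-related counters the replies say to address first, by reading the periodic dumps in <code>stats.log</code>. The sample log is constructed, and matching on the substring "memcap" in counter names is an assumption; counters are cumulative since start, so growth between the first and last dump is reported as well.</p>

```python
import re

# Constructed sample in the layout of Suricata's stats.log (two periodic dumps).
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 10/25/2018 -- 07:00:00 (uptime: 0d, 00h 10m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 1000000
tcp.ssn_memcap_drop                        | Total                     | 0
tcp.segment_memcap_drop                    | Total                     | 1200
flow.memcap                                | Total                     | 40
------------------------------------------------------------------------------------
Date: 10/25/2018 -- 07:10:00 (uptime: 0d, 00h 20m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 2500000
tcp.ssn_memcap_drop                        | Total                     | 0
tcp.segment_memcap_drop                    | Total                     | 5231
flow.memcap                                | Total                     | 40
"""

# counter name | thread-module name | integer value
ROW = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_dumps(text):
    """Split stats.log text into one {counter: value} dict per 'Date:' dump."""
    dumps = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            dumps.append({})
            continue
        m = ROW.match(line)
        if m and dumps and m.group(2) == "Total":
            dumps[-1][m.group(1)] = int(m.group(3))
    return dumps

def memcap_hits(text):
    """Return {counter: (latest_value, growth_since_first_dump)} for non-zero memcap counters."""
    dumps = parse_dumps(text)
    if not dumps:
        return {}
    first, last = dumps[0], dumps[-1]
    hits = {}
    for name, value in last.items():
        if "memcap" in name and value > 0:
            grown = value - first.get(name, 0)
            # A restart resets counters; then the latest value is the growth.
            hits[name] = (value, grown if grown >= 0 else value)
    return hits

if __name__ == "__main__":
    for name, (value, grown) in sorted(memcap_hits(SAMPLE_STATS_LOG).items()):
        print(f"{name}: {value} total, +{grown} since first dump")
```

<p>A counter that is still growing between dumps points at the memcap to raise in <code>suricata.yaml</code> before spending time on CPU pinning or isolation.</p>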