[Discussion] Suricata Performance Tuning (kernel_drops very high)
Barkley, Joey
Joey.Barkley at ingramcontent.com
Mon Jan 12 16:22:20 UTC 2015
All,
I am running Suricata and have done my best to configure it properly but I’m failing. We are getting lots of traffic logged, but I am seeing loads of kernel_drops. Can someone please tell me how I might tweak performance to reduce loss? I’m very new to Suricata and fairly new to IDS setup in general. Here is our current setup:
32 Core System
256GB RAM
1Gbps Management Interface
2x10Gbps Monitoring Interface (but currently only 1 is in use)
Right now we are using around 82GB of RAM and 38% CPU. Status (stats) entries are pasted at the end of the message.
Here is some of my suricata.yaml config. If I should provide additional sections just let me know.
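# Output file configuration
outputs:
  - eve-log:
      enabled: true
      filetype: regular
      filename: edge-int-lv.evejson
      types:
        # payload/packet: true writes the full packet bytes into every alert
        # record; this multiplies log volume and disk I/O per alert
        - alert:
            payload: true
            packet: true
            http: true
        - http:
            extended: true
        - dns
        - tls:
            extended: true
        - files:
            force-magic: true
            # MD5 serves as a file identifier here; it is not collision
            # resistant, so do not treat it as an integrity check
            force-md5: true
        - ssh
        - flow
        - netflow
  # separate stats output (not an eve type): counters every `interval` seconds
  - stats:
      enabled: true
      filename: stats-edge-int-lv.log
      interval: 8
  - fast:  # a line based alerts log similar to Snort's fast.log
      enabled: true
      filename: fast-edge-int-lv.log
      append: true
      filetype: regular  # 'regular', 'unix_stream' or 'unix_dgram'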
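threading:
  set-cpu-affinity: true
  # Every cpu set below is "all": management, receive and detect threads are
  # all eligible for every core, so mode: exclusive on detect-cpu-set does not
  # reserve any core. Giving the receive threads a dedicated subset is the usual
  # next step when capture drops are high — TODO measure against kernel_drops.
  cpu-affinity:
    - management-cpu-set:
        cpu: [ "all" ]  # include only these cpus in affinity settings
        mode: "balanced"
        prio:
          default: "low"
    - receive-cpu-set:
        cpu: [ "all" ]  # include only these cpus in affinity settings
    - detect-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"  # run detect threads in these cpus
        prio:
          default: "high"
  # detect threads are scaled from the core count by this ratio (roughly
  # 1.5 * 32 = 48 here), on top of the capture threads configured per interface
  detect-thread-ratio: 1.5
# packets in flight between capture and detect; autofp queues are bounded by it
max-pending-packets: 2048
runmode: autofp
host-mode: sniffer-only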
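af-packet:
  # NOTE(review): the pasted stats name the capture thread "RxPcapp4p11", which
  # looks like the pcap capture module rather than AF_PACKET — confirm Suricata
  # is started with --af-packet, otherwise nothing in this section is in effect.
  - interface: p4p1
    threads: 16
    cluster-id: 99
    # cluster_cpu keeps each packet on the CPU that received it and relies on
    # the NIC RSS/IRQ mapping being set up to match; cluster_flow is the usual
    # choice when that mapping is not configured — TODO confirm the NIC setup
    cluster-type: cluster_cpu
    defrag: true
    use-mmap: true
    ring-size: 200000
  - interface: p4p2
    threads: 16
    cluster-id: 98
    cluster-type: cluster_cpu
    defrag: true
    # brought in line with p4p1: ring-size only applies with use-mmap, the
    # original buffer-size is the socket-buffer option of the non-mmap path
    use-mmap: true
    ring-size: 200000
  - interface: default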
legacy:
  uricontent: enabled
detect-engine:
  - profile: high
  # custom-values are only consulted when profile is "custom"; with
  # profile: high the group counts below are not in effect — TODO confirm
  # for the installed version
  - custom-values:
      toclient-src-groups: 2
      toclient-dst-groups: 2
      toclient-sp-groups: 2
      toclient-dp-groups: 3
      toserver-src-groups: 2
      toserver-dst-groups: 4
      toserver-sp-groups: 2
      toserver-dp-groups: 25
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000
  - rule-reload: true
# multi-pattern matcher used for content prefiltering
mpm-algo: ac
# Defrag settings:
defrag:
  memcap: 512mb
  # hash-size: 65536
  trackers: 65535  # number of defragmented flows to follow
  max-frags: 65535  # number of fragments to keep (meant to be higher than trackers; currently equal)
  # prealloc: yes
  # timeout: 60
flow:
  # NOTE(review): the pasted stats report flow.memuse 2147483568 and
  # flow.spare 2077070, both above the memcap and prealloc set here — check
  # that the running instance actually loaded this file.
  memcap: 1gb
  hash-size: 1048576
  prealloc: 1048576
  emergency-recovery: 30
  prune-flows: 50000
  managers: 2  # default is 1
  #recyclers: 1 # default to one flow recycler thread
vlan:
  use-for-tracking: true
flow-timeouts:
  # All values are seconds and are much shorter than Suricata's shipped
  # defaults. Because stream.midstream is disabled, a connection that stays
  # idle longer than its established timeout is dropped from tracking and is
  # not inspected again when it resumes — confirm that is acceptable here.
  default:
    new: 5
    established: 30
    closed: 0
    emergency-new: 1
    emergency-established: 2  #100
    emergency-closed: 0
  tcp:
    new: 5
    established: 60
    closed: 1
    #closed: 120
    emergency-new: 1
    emergency-established: 5
    emergency-closed: 0
  udp:
    new: 5
    established: 60
    emergency-new: 5
    emergency-established: 5
  icmp:
    new: 5
    established: 60
    emergency-new: 5
    emergency-established: 5
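stream:
  memcap: 12gb
  checksum-validation: false  # reject wrong csums
  # with midstream off, sessions are only tracked from the handshake; see the
  # flow-timeouts section for the interaction with short established timeouts
  midstream: false
  inline: false  # auto will use inline mode in IPS mode, yes or no set it statically
  prealloc-sessions: 100000
  reassembly:
    memcap: 14gb
    depth: 12mb  # reassemble 12mb into a stream (the old comment said 1mb)
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: true
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 16777216
asn1-max-frames: 256
# rule analysis is done at startup/reload only; it costs load time, not packets
engine-analysis:
  rules-fast-pattern: true
  rules: true
pcre:
  match-limit: 3500
  match-limit-recursion: 1500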
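app-layer:
  protocols:
    tls:
      enabled: true
      detection-ports:
        dp: 443
    dcerpc:
      enabled: true
    ftp:
      enabled: true
    ssh:
      enabled: true
    smtp:
      enabled: true
      mime:
        decode-mime: true
        decode-base64: true
        decode-quoted-printable: true
        header-value-depth: 2000
        extract-urls: true
    imap:
      enabled: detection-only  # protocol is recognised but not parsed
    msn:
      enabled: detection-only
    smb:
      enabled: true
      detection-ports:
        dp: 139
    dns:
      tcp:
        enabled: true
        detection-ports:
          dp: 53
      udp:
        enabled: true
        detection-ports:
          dp: 53
    http:
      enabled: true
      # memcap: 64mb
      libhtp:
        default-config:
          personality: IDS
          # body limits bound how much of each HTTP body is buffered per
          # transaction; 12mb per direction is a lot of memory per session
          request-body-limit: 12mb
          response-body-limit: 12mb
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 32kb
          response-body-inspect-window: 4kb
          double-decode-path: false
          double-decode-query: false
        # no per-server overrides; the bare key parses as null
        server-config: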
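profiling:
  # Profiling adds per-rule and per-packet timing on the packet path and is a
  # known drag on throughput (it only takes effect when Suricata was built with
  # --enable-profiling). Disabled while chasing capture drops; re-enable one
  # section at a time for a short, deliberate measurement run.
  rules:
    enabled: false
    filename: rule_perf.log
    append: true
    sort: avgticks
    limit: 100
  keywords:
    enabled: false
    filename: keyword_perf.log
    append: true
  packets:
    enabled: false
    filename: packet_stats.log
    append: true
    csv:
      enabled: false
      filename: packet_stats.csv
  locks:
    enabled: false
    filename: lock_stats.log
    append: true
  pcap-log:
    enabled: false
    filename: pcaplog_stats.log
    append: true
coredump:
  # an unlimited core of the sensor process contains buffered traffic and the
  # loaded rule set; keep the dump directory's permissions restrictive
  max-dump: unlimited
napatech:
  # only read by the Napatech capture module; inert for af-packet/pcap capture
  hba: -1
  use-all-streams: true
  streams: [1, 2, 3]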
-------------------------------------------------------------------
Counter | TM Name | Value
-------------------------------------------------------------------
capture.kernel_packets | RxPcapp4p11 | 3408330077
capture.kernel_drops | RxPcapp4p11 | 3532275578
capture.kernel_ifdrops | RxPcapp4p11 | 0
dns.memuse | RxPcapp4p11 | 3681302
dns.memcap_state | RxPcapp4p11 | 23601
dns.memcap_global | RxPcapp4p11 | 0
decoder.pkts | RxPcapp4p11 | 25645856945
decoder.bytes | RxPcapp4p11 | 17615424414799
decoder.invalid | RxPcapp4p11 | 3
decoder.ipv4 | RxPcapp4p11 | 25645892638
decoder.ipv6 | RxPcapp4p11 | 38560
decoder.ethernet | RxPcapp4p11 | 25645856945
decoder.raw | RxPcapp4p11 | 0
decoder.sll | RxPcapp4p11 | 0
decoder.tcp | RxPcapp4p11 | 24557853433
decoder.udp | RxPcapp4p11 | 1039077879
decoder.sctp | RxPcapp4p11 | 0
decoder.icmpv4 | RxPcapp4p11 | 37915322
decoder.icmpv6 | RxPcapp4p11 | 841
decoder.ppp | RxPcapp4p11 | 0
decoder.pppoe | RxPcapp4p11 | 0
decoder.gre | RxPcapp4p11 | 0
decoder.vlan | RxPcapp4p11 | 0
decoder.vlan_qinq | RxPcapp4p11 | 0
decoder.teredo | RxPcapp4p11 | 37722
decoder.ipv4_in_ipv6 | RxPcapp4p11 | 0
decoder.ipv6_in_ipv6 | RxPcapp4p11 | 0
decoder.mpls | RxPcapp4p11 | 0
decoder.avg_pkt_size | RxPcapp4p11 | 686
decoder.max_pkt_size | RxPcapp4p11 | 1514
defrag.ipv4.fragments | RxPcapp4p11 | 10923631
defrag.ipv4.reassembled | RxPcapp4p11 | 244568
defrag.ipv4.timeouts | RxPcapp4p11 | 0
defrag.ipv6.fragments | RxPcapp4p11 | 0
defrag.ipv6.reassembled | RxPcapp4p11 | 0
defrag.ipv6.timeouts | RxPcapp4p11 | 0
defrag.max_frag_hits | RxPcapp4p11 | 0
tcp.sessions | Detect | 73940345
tcp.ssn_memcap_drop | Detect | 0
tcp.pseudo | Detect | 4049413
tcp.pseudo_failed | Detect | 0
tcp.invalid_checksum | Detect | 0
tcp.no_flow | Detect | 0
tcp.reused_ssn | Detect | 535819
tcp.memuse | Detect | 25347440
tcp.syn | Detect | 83940125
tcp.synack | Detect | 36430536
tcp.rst | Detect | 29374857
dns.memuse | Detect | 126739227
dns.memcap_state | Detect | 866726
dns.memcap_global | Detect | 0
tcp.segment_memcap_drop | Detect | 0
tcp.stream_depth_reached | Detect | 681
tcp.reassembly_memuse | Detect | 3642377358
tcp.reassembly_gap | Detect | 5647652
http.memuse | Detect | 139211431
http.memcap | Detect | 0
detect.alert | Detect | 1997146
flow_mgr.closed_pruned | FlowManagerThread | 174130092
flow_mgr.new_pruned | FlowManagerThread | 64943568
flow_mgr.est_pruned | FlowManagerThread | 59376251
flow.memuse | FlowManagerThread | 2147483568
flow.spare | FlowManagerThread | 2077070
flow.emerg_mode_entered | FlowManagerThread | 0
flow.emerg_mode_over | FlowManagerThread | 0