[Discussion] Suricata Performance Tuning (kernel_drops very high)
Victor Julien
lists at inliniac.net
Tue Jan 13 12:02:03 UTC 2015
Moving to oisf-users, we're planning to retire 'discussion' as it has no
value over 'oisf-users' and is much less active.
Cheers,
Victor
On 01/12/2015 05:22 PM, Barkley, Joey wrote:
> All,
>
> I am running Suricata and have done my best to configure it properly but I’m failing. We are getting lots of traffic logged, but I am seeing loads of kernel_drops. Can someone please tell me how I might tweak performance to reduce loss? I’m very new to Suricata and fairly new to IDS setup in general. Here is our current setup:
>
> 32 Core System
> 256GB RAM
> 1Gbps Management Interface
> 2x10Gbps Monitoring Interface (but currently only 1 is in use)
>
> Right now we are using around 82GB RAM and 38% CPU. Status entries are pasted at the end of the message.
>
> Here is some of my suricata.yaml config. If I should provide additional sections just let me know.
> # Output file configuration
> outputs:
>   - eve-log:
>       enabled: yes
>       filetype: regular
>       filename: edge-int-lv.evejson
>       types:
>         - alert:
>             payload: yes
>             packet: yes
>             http: yes
>         - http:
>             extended: yes
>         - dns
>         - tls:
>             extended: yes
>         - files:
>             force-magic: yes
>             force-md5: yes
>         - ssh
>         - flow
>         - netflow
>   - stats:
>       enabled: yes
>       filename: stats-edge-int-lv.log
>       interval: 8
>   - fast: # a line based alerts log similar to Snort's fast.log
>       enabled: yes
>       filename: fast-edge-int-lv.log
>       append: yes
>       filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
>
> threading:
>   set-cpu-affinity: yes
>   cpu-affinity:
>     - management-cpu-set:
>         cpu: [ "all" ] # include only these cpus in affinity settings
>         mode: "balanced"
>         prio:
>           default: "low"
>     - receive-cpu-set:
>         cpu: [ "all" ] # include only these cpus in affinity settings
>     - detect-cpu-set:
>         cpu: [ "all" ]
>         mode: "exclusive" # run detect threads in these cpus
>         prio:
>           default: "high"
>   detect-thread-ratio: 1.5
>
> max-pending-packets: 2048
>
> runmode: autofp
>
> host-mode: sniffer-only
>
> af-packet:
>   - interface: p4p1
>     threads: 16
>     cluster-id: 99
>     cluster-type: cluster_cpu
>     defrag: yes
>     use-mmap: yes
>     ring-size: 200000
>   - interface: p4p2
>     threads: 16
>     cluster-id: 98
>     cluster-type: cluster_cpu
>     defrag: yes
>     buffer-size: 200000
>   - interface: default
>
> legacy:
>   uricontent: enabled
>
> detect-engine:
>   - profile: high
>   - custom-values:
>       toclient-src-groups: 2
>       toclient-dst-groups: 2
>       toclient-sp-groups: 2
>       toclient-dp-groups: 3
>       toserver-src-groups: 2
>       toserver-dst-groups: 4
>       toserver-sp-groups: 2
>       toserver-dp-groups: 25
>   - sgh-mpm-context: auto
>   - inspection-recursion-limit: 3000
>   - rule-reload: true
>
> mpm-algo: ac
>
> # Defrag settings:
> defrag:
>   memcap: 512mb
>   # hash-size: 65536
>   trackers: 65535 # number of defragmented flows to follow
>   max-frags: 65535 # number of fragments to keep (higher than trackers)
>   # prealloc: yes
>   # timeout: 60
>
> flow:
>   memcap: 1gb
>   hash-size: 1048576
>   prealloc: 1048576
>   emergency-recovery: 30
>   prune-flows: 50000
>   managers: 2 # default is 1
>   #recyclers: 1 # default to one flow recycler thread
>
> vlan:
>   use-for-tracking: true
>
> flow-timeouts:
>
>   default:
>     new: 5
>     established: 30
>     closed: 0
>     emergency-new: 1
>     emergency-established: 2 #100
>     emergency-closed: 0
>   tcp:
>     new: 5
>     established: 60
>     closed: 1
>     #closed: 120
>     emergency-new: 1
>     emergency-established: 5
>     emergency-closed: 0
>   udp:
>     new: 5
>     established: 60
>     emergency-new: 5
>     emergency-established: 5
>   icmp:
>     new: 5
>     established: 60
>     emergency-new: 5
>     emergency-established: 5
>
> stream:
>   memcap: 12gb
>   checksum-validation: no # reject wrong csums
>   midstream: false
>   inline: no # auto will use inline mode in IPS mode, yes or no set it statically
>   prealloc-sessions: 100000
>   reassembly:
>     memcap: 14gb
>     depth: 12mb # reassemble 1mb into a stream
>     toserver-chunk-size: 2560
>     toclient-chunk-size: 2560
>     randomize-chunk-size: yes
>
> host:
>   hash-size: 4096
>   prealloc: 1000
>   memcap: 16777216
>
> asn1-max-frames: 256
>
> engine-analysis:
>   rules-fast-pattern: yes
>   rules: yes
>
> pcre:
>   match-limit: 3500
>   match-limit-recursion: 1500
>
> app-layer:
>   protocols:
>     tls:
>       enabled: yes
>       detection-ports:
>         dp: 443
>     dcerpc:
>       enabled: yes
>     ftp:
>       enabled: yes
>     ssh:
>       enabled: yes
>     smtp:
>       enabled: yes
>       mime:
>         decode-mime: yes
>         decode-base64: yes
>         decode-quoted-printable: yes
>         header-value-depth: 2000
>         extract-urls: yes
>     imap:
>       enabled: detection-only
>     msn:
>       enabled: detection-only
>     smb:
>       enabled: yes
>       detection-ports:
>         dp: 139
>     dns:
>       tcp:
>         enabled: yes
>         detection-ports:
>           dp: 53
>       udp:
>         enabled: yes
>         detection-ports:
>           dp: 53
>     http:
>       enabled: yes
>       # memcap: 64mb
>
> libhtp:
>
>   default-config:
>     personality: IDS
>     request-body-limit: 12mb
>     response-body-limit: 12mb
>     request-body-minimal-inspect-size: 32kb
>     request-body-inspect-window: 4kb
>     response-body-minimal-inspect-size: 32kb
>     response-body-inspect-window: 4kb
>     double-decode-path: no
>     double-decode-query: no
>   server-config:
>
> profiling:
>   rules:
>     enabled: yes
>     filename: rule_perf.log
>     append: yes
>     sort: avgticks
>     limit: 100
>   keywords:
>     enabled: yes
>     filename: keyword_perf.log
>     append: yes
>   packets:
>     enabled: yes
>     filename: packet_stats.log
>     append: yes
>     csv:
>       enabled: no
>       filename: packet_stats.csv
>   locks:
>     enabled: no
>     filename: lock_stats.log
>     append: yes
>   pcap-log:
>     enabled: no
>     filename: pcaplog_stats.log
>     append: yes
>
> coredump:
>   max-dump: unlimited
>
> napatech:
>   hba: -1
>   use-all-streams: yes
>   streams: [1, 2, 3]
>
>
>
> -------------------------------------------------------------------
> Counter | TM Name | Value
> -------------------------------------------------------------------
> capture.kernel_packets | RxPcapp4p11 | 3408330077
> capture.kernel_drops | RxPcapp4p11 | 3532275578
> capture.kernel_ifdrops | RxPcapp4p11 | 0
> dns.memuse | RxPcapp4p11 | 3681302
> dns.memcap_state | RxPcapp4p11 | 23601
> dns.memcap_global | RxPcapp4p11 | 0
> decoder.pkts | RxPcapp4p11 | 25645856945
> decoder.bytes | RxPcapp4p11 | 17615424414799
> decoder.invalid | RxPcapp4p11 | 3
> decoder.ipv4 | RxPcapp4p11 | 25645892638
> decoder.ipv6 | RxPcapp4p11 | 38560
> decoder.ethernet | RxPcapp4p11 | 25645856945
> decoder.raw | RxPcapp4p11 | 0
> decoder.sll | RxPcapp4p11 | 0
> decoder.tcp | RxPcapp4p11 | 24557853433
> decoder.udp | RxPcapp4p11 | 1039077879
> decoder.sctp | RxPcapp4p11 | 0
> decoder.icmpv4 | RxPcapp4p11 | 37915322
> decoder.icmpv6 | RxPcapp4p11 | 841
> decoder.ppp | RxPcapp4p11 | 0
> decoder.pppoe | RxPcapp4p11 | 0
> decoder.gre | RxPcapp4p11 | 0
> decoder.vlan | RxPcapp4p11 | 0
> decoder.vlan_qinq | RxPcapp4p11 | 0
> decoder.teredo | RxPcapp4p11 | 37722
> decoder.ipv4_in_ipv6 | RxPcapp4p11 | 0
> decoder.ipv6_in_ipv6 | RxPcapp4p11 | 0
> decoder.mpls | RxPcapp4p11 | 0
> decoder.avg_pkt_size | RxPcapp4p11 | 686
> decoder.max_pkt_size | RxPcapp4p11 | 1514
> defrag.ipv4.fragments | RxPcapp4p11 | 10923631
> defrag.ipv4.reassembled | RxPcapp4p11 | 244568
> defrag.ipv4.timeouts | RxPcapp4p11 | 0
> defrag.ipv6.fragments | RxPcapp4p11 | 0
> defrag.ipv6.reassembled | RxPcapp4p11 | 0
> defrag.ipv6.timeouts | RxPcapp4p11 | 0
> defrag.max_frag_hits | RxPcapp4p11 | 0
> tcp.sessions | Detect | 73940345
> tcp.ssn_memcap_drop | Detect | 0
> tcp.pseudo | Detect | 4049413
> tcp.pseudo_failed | Detect | 0
> tcp.invalid_checksum | Detect | 0
> tcp.no_flow | Detect | 0
> tcp.reused_ssn | Detect | 535819
> tcp.memuse | Detect | 25347440
> tcp.syn | Detect | 83940125
> tcp.synack | Detect | 36430536
> tcp.rst | Detect | 29374857
> dns.memuse | Detect | 126739227
> dns.memcap_state | Detect | 866726
> dns.memcap_global | Detect | 0
> tcp.segment_memcap_drop | Detect | 0
> tcp.stream_depth_reached | Detect | 681
> tcp.reassembly_memuse | Detect | 3642377358
> tcp.reassembly_gap | Detect | 5647652
> http.memuse | Detect | 139211431
> http.memcap | Detect | 0
> detect.alert | Detect | 1997146
> flow_mgr.closed_pruned | FlowManagerThread | 174130092
> flow_mgr.new_pruned | FlowManagerThread | 64943568
> flow_mgr.est_pruned | FlowManagerThread | 59376251
> flow.memuse | FlowManagerThread | 2147483568
> flow.spare | FlowManagerThread | 2077070
> flow.emerg_mode_entered | FlowManagerThread | 0
> flow.emerg_mode_over | FlowManagerThread | 0
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
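As an added example, not code from the thread or from the Suricata project, the script below parses the "Counter | TM Name | Value" layout quoted above and reports, per capture thread, the fraction of packets lost in the kernel plus every memcap counter that is non-zero. The sample rows are constructed from the quoted figures; treating kernel_packets as packets delivered to Suricata (so the loss base is packets plus drops, the only reading under which drops can exceed packets as they do above) is an assumption.

```python
import re
from collections import defaultdict

# Added example, not Suricata code: matches the "counter | thread | value" rows of stats.log.
ROW = re.compile(r"^\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")
# Constructed sample, abbreviated from the counters quoted in the thread.
SAMPLE = """\
Counter | TM Name | Value
capture.kernel_packets | RxPcapp4p11 | 3408330077
capture.kernel_drops | RxPcapp4p11 | 3532275578
capture.kernel_ifdrops | RxPcapp4p11 | 0
dns.memcap_state | Detect | 866726
tcp.ssn_memcap_drop | Detect | 0
"""

def parse_stats(text):
    """Return {(counter, thread): value}; header and ruler lines do not match ROW."""
    return {(m.group(1), m.group(2)): int(m.group(3))
            for m in map(ROW.match, text.splitlines()) if m}

def capture_method(thread):
    """Suricata names pcap receive threads RxPcap<iface><n> and af-packet ones RxAFP<iface><n>."""
    if thread.startswith("RxPcap"):
        return "pcap"
    return "af-packet" if thread.startswith("RxAFP") else "other"

def capture_loss(stats):
    """Per capture thread: drops / (packets + drops). Assumes kernel_packets counts
    packets delivered to Suricata and kernel_drops those lost before delivery."""
    per_thread = defaultdict(dict)
    for (counter, thread), value in stats.items():
        if counter.startswith("capture.kernel_"):
            per_thread[thread][counter.split(".", 1)[1]] = value
    loss = {}
    for thread, c in per_thread.items():
        drops = c.get("kernel_drops", 0)
        seen = c.get("kernel_packets", 0) + drops
        loss[thread] = {"method": capture_method(thread),
                        "drop_fraction": drops / seen if seen else 0.0}
    return loss

def memcap_hits(stats):
    """Non-zero *memcap_drop/_state/_global counters: state Suricata could not keep."""
    return {k: v for k, v in stats.items()
            if re.search(r"memcap_(drop|state|global)$", k[0]) and v > 0}

if __name__ == "__main__":
    for t, i in capture_loss(parse_stats(SAMPLE)).items():
        print(f"{t} ({i['method']}): {i['drop_fraction']:.1%} dropped in kernel")
```

A thread name beginning with RxPcap identifies the pcap capture method, which is worth checking against the af-packet section of the configuration above.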