[Discussion] Suricata Performance Tuning (kernel_drops very high)

Victor Julien lists at inliniac.net
Tue Jan 13 12:02:03 UTC 2015


Moving to oisf-users, we're planning to retire 'discussion' as it has no
value over 'oisf-users' and is much less active.

Cheers,
Victor

On 01/12/2015 05:22 PM, Barkley, Joey wrote:
> All,
> 
> I am running Suricata and have done my best to configure it properly but I’m failing. We are getting lots of traffic logged, but I am seeing loads of kernel_drops. Can someone please tell me how I might tweak performance to reduce loss? I’m very new to Suricata and fairly new to IDS setup in general. Here is our current setup:
> 
> 32 Core System
> 256GB RAM
> 1Gbps Management Interface
> 2x10Gbps Monitoring Interface (but currently only 1 is in use)
> 
> right now we are using around 82GB RAM. 38% CPU usage. Status entries pasted at the end of the message.
> 
> Here is some of my suricata.yaml config. If I should provide additional sections just let me know.
> # Output file configuration
> outputs:
>   - eve-log:
>       enabled: yes
>       filetype: regular
>       filename: edge-int-lv.evejson
>       types:
>         - alert:
>             payload: yes
>             packet: yes
>             http: yes
>         - http:
>             extended: yes
>         - dns
>         - tls:
>             extended: yes
>         - files:
>             force-magic: yes
>             force-md5: yes
>         - ssh
>         - flow
>         - netflow
>   - stats:
>       enabled: yes
>       filename: stats-edge-int-lv.log
>       interval: 8
>   - fast: # a line based alerts log similar to Snort's fast.log
>       enabled: yes
>       filename: fast-edge-int-lv.log
>       append: yes
>       filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
> 
> threading:
>   set-cpu-affinity: yes
>   cpu-affinity:
>     - management-cpu-set:
>         cpu: [ "all" ]  # include only these cpus in affinity settings
>         mode: "balanced"
>         prio:
>           default: "low"
>     - receive-cpu-set:
>         cpu: [ "all" ]  # include only these cpus in affinity settings
>     - detect-cpu-set:
>         cpu: [ "all" ]
>         mode: "exclusive" # run detect threads in these cpus
>         prio:
>           default: "high"
>   detect-thread-ratio: 1.5
> 
> max-pending-packets: 2048
> 
> runmode: autofp
> 
> host-mode: sniffer-only
> 
> af-packet:
>   - interface: p4p1
>     threads: 16
>     cluster-id: 99
>     cluster-type: cluster_cpu
>     defrag: yes
>     use-mmap: yes
>     ring-size: 200000
>   - interface: p4p2
>     threads: 16
>     cluster-id: 98
>     cluster-type: cluster_cpu
>     defrag: yes
>     buffer-size: 200000
>   - interface: default
> 
> legacy:
>   uricontent: enabled
> 
> detect-engine:
>   - profile: high
>   - custom-values:
>       toclient-src-groups: 2
>       toclient-dst-groups: 2
>       toclient-sp-groups: 2
>       toclient-dp-groups: 3
>       toserver-src-groups: 2
>       toserver-dst-groups: 4
>       toserver-sp-groups: 2
>       toserver-dp-groups: 25
>   - sgh-mpm-context: auto
>   - inspection-recursion-limit: 3000
>   - rule-reload: true
> 
> mpm-algo: ac
> 
> # Defrag settings:
> defrag:
>   memcap: 512mb
> #  hash-size: 65536
>   trackers: 65535 # number of defragmented flows to follow
>   max-frags: 65535 # number of fragments to keep (higher than trackers)
> #  prealloc: yes
> #  timeout: 60
> 
> flow:
>   memcap: 1gb
>   hash-size: 1048576
>   prealloc: 1048576
>   emergency-recovery: 30
>   prune-flows: 50000
>   managers: 2 # default is 1
>   #recyclers: 1 # default to one flow recycler thread
> 
> vlan:
>   use-for-tracking: true
> 
> flow-timeouts:
> 
>   default:
>     new: 5
>     established: 30
>     closed: 0
>     emergency-new: 1
>     emergency-established: 2 #100
>     emergency-closed: 0
>   tcp:
>     new: 5
>     established: 60
>     closed: 1
>     #closed: 120
>     emergency-new: 1
>     emergency-established: 5
>     emergency-closed: 0
>   udp:
>     new: 5
>     established: 60
>     emergency-new: 5
>     emergency-established: 5
>   icmp:
>     new: 5
>     established: 60
>     emergency-new: 5
>     emergency-established: 5
> 
> stream:
>   memcap: 12gb
>   checksum-validation: no      # reject wrong csums
>   midstream: false
>   inline: no                  # auto will use inline mode in IPS mode, yes or no set it statically
>   prealloc-sessions: 100000
>   reassembly:
>     memcap: 14gb
>     depth: 12mb                  # reassemble 1mb into a stream
>     toserver-chunk-size: 2560
>     toclient-chunk-size: 2560
>     randomize-chunk-size: yes
> 
> host:
>   hash-size: 4096
>   prealloc: 1000
>   memcap: 16777216
> 
> asn1-max-frames: 256
> 
> engine-analysis:
>   rules-fast-pattern: yes
>   rules: yes
> 
> pcre:
>   match-limit: 3500
>   match-limit-recursion: 1500
> 
> app-layer:
>   protocols:
>     tls:
>       enabled: yes
>       detection-ports:
>         dp: 443
>     dcerpc:
>       enabled: yes
>     ftp:
>       enabled: yes
>     ssh:
>       enabled: yes
>     smtp:
>       enabled: yes
>       mime:
>         decode-mime: yes
>         decode-base64: yes
>         decode-quoted-printable: yes
>         header-value-depth: 2000
>         extract-urls: yes
>     imap:
>       enabled: detection-only
>     msn:
>       enabled: detection-only
>     smb:
>       enabled: yes
>       detection-ports:
>         dp: 139
>     dns:
>       tcp:
>         enabled: yes
>         detection-ports:
>           dp: 53
>       udp:
>         enabled: yes
>         detection-ports:
>           dp: 53
>     http:
>       enabled: yes
>       # memcap: 64mb
>       libhtp:
> 
>          default-config:
>            personality: IDS
>            request-body-limit: 12mb
>            response-body-limit: 12mb
>            request-body-minimal-inspect-size: 32kb
>            request-body-inspect-window: 4kb
>            response-body-minimal-inspect-size: 32kb
>            response-body-inspect-window: 4kb
>            double-decode-path: no
>            double-decode-query: no
>          server-config:
> profiling:
>   rules:
>     enabled: yes
>     filename: rule_perf.log
>     append: yes
>     sort: avgticks
>     limit: 100
>   keywords:
>     enabled: yes
>     filename: keyword_perf.log
>     append: yes
>   packets:
>     enabled: yes
>     filename: packet_stats.log
>     append: yes
>     csv:
>       enabled: no
>       filename: packet_stats.csv
>   locks:
>     enabled: no
>     filename: lock_stats.log
>     append: yes
>   pcap-log:
>     enabled: no
>     filename: pcaplog_stats.log
>     append: yes
> 
> coredump:
>   max-dump: unlimited
> 
> napatech:
>     hba: -1
>     use-all-streams: yes
>     streams: [1, 2, 3]
>
> 
> 
> -------------------------------------------------------------------
> Counter                   | TM Name                   | Value
> -------------------------------------------------------------------
> capture.kernel_packets    | RxPcapp4p11               | 3408330077
> capture.kernel_drops      | RxPcapp4p11               | 3532275578
> capture.kernel_ifdrops    | RxPcapp4p11               | 0
> dns.memuse                | RxPcapp4p11               | 3681302
> dns.memcap_state          | RxPcapp4p11               | 23601
> dns.memcap_global         | RxPcapp4p11               | 0
> decoder.pkts              | RxPcapp4p11               | 25645856945
> decoder.bytes             | RxPcapp4p11               | 17615424414799
> decoder.invalid           | RxPcapp4p11               | 3
> decoder.ipv4              | RxPcapp4p11               | 25645892638
> decoder.ipv6              | RxPcapp4p11               | 38560
> decoder.ethernet          | RxPcapp4p11               | 25645856945
> decoder.raw               | RxPcapp4p11               | 0
> decoder.sll               | RxPcapp4p11               | 0
> decoder.tcp               | RxPcapp4p11               | 24557853433
> decoder.udp               | RxPcapp4p11               | 1039077879
> decoder.sctp              | RxPcapp4p11               | 0
> decoder.icmpv4            | RxPcapp4p11               | 37915322
> decoder.icmpv6            | RxPcapp4p11               | 841
> decoder.ppp               | RxPcapp4p11               | 0
> decoder.pppoe             | RxPcapp4p11               | 0
> decoder.gre               | RxPcapp4p11               | 0
> decoder.vlan              | RxPcapp4p11               | 0
> decoder.vlan_qinq         | RxPcapp4p11               | 0
> decoder.teredo            | RxPcapp4p11               | 37722
> decoder.ipv4_in_ipv6      | RxPcapp4p11               | 0
> decoder.ipv6_in_ipv6      | RxPcapp4p11               | 0
> decoder.mpls              | RxPcapp4p11               | 0
> decoder.avg_pkt_size      | RxPcapp4p11               | 686
> decoder.max_pkt_size      | RxPcapp4p11               | 1514
> defrag.ipv4.fragments     | RxPcapp4p11               | 10923631
> defrag.ipv4.reassembled   | RxPcapp4p11               | 244568
> defrag.ipv4.timeouts      | RxPcapp4p11               | 0
> defrag.ipv6.fragments     | RxPcapp4p11               | 0
> defrag.ipv6.reassembled   | RxPcapp4p11               | 0
> defrag.ipv6.timeouts      | RxPcapp4p11               | 0
> defrag.max_frag_hits      | RxPcapp4p11               | 0
> tcp.sessions              | Detect                    | 73940345
> tcp.ssn_memcap_drop       | Detect                    | 0
> tcp.pseudo                | Detect                    | 4049413
> tcp.pseudo_failed         | Detect                    | 0
> tcp.invalid_checksum      | Detect                    | 0
> tcp.no_flow               | Detect                    | 0
> tcp.reused_ssn            | Detect                    | 535819
> tcp.memuse                | Detect                    | 25347440
> tcp.syn                   | Detect                    | 83940125
> tcp.synack                | Detect                    | 36430536
> tcp.rst                   | Detect                    | 29374857
> dns.memuse                | Detect                    | 126739227
> dns.memcap_state          | Detect                    | 866726
> dns.memcap_global         | Detect                    | 0
> tcp.segment_memcap_drop   | Detect                    | 0
> tcp.stream_depth_reached  | Detect                    | 681
> tcp.reassembly_memuse     | Detect                    | 3642377358
> tcp.reassembly_gap        | Detect                    | 5647652
> http.memuse               | Detect                    | 139211431
> http.memcap               | Detect                    | 0
> detect.alert              | Detect                    | 1997146
> flow_mgr.closed_pruned    | FlowManagerThread         | 174130092
> flow_mgr.new_pruned       | FlowManagerThread         | 64943568
> flow_mgr.est_pruned       | FlowManagerThread         | 59376251
> flow.memuse               | FlowManagerThread         | 2147483568
> flow.spare                | FlowManagerThread         | 2077070
> flow.emerg_mode_entered   | FlowManagerThread         | 0
> flow.emerg_mode_over      | FlowManagerThread         | 0
> 
> 
> _______________________________________________
> Discussion mailing list
> Discussion at lists.openinfosecfoundation.org
> https://lists.openinfosecfoundation.org/mailman/listinfo/discussion
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
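An added example (not part of either message above, and not Suricata's own code): a small Python script that parses the "Counter | TM Name | Value" tables that stats.log writes every `interval` seconds, like the one quoted above, and turns the cumulative capture.kernel_packets / capture.kernel_drops counters into a drop ratio per capture thread, both over the process lifetime and for the most recent interval. The sample input embedded in the script is constructed: its first dump copies the counter values quoted above, its second dump is a hypothetical later interval so that the per-interval delta can be shown. The ratio is computed as drops / (packets + drops), which assumes kernel_packets counts packets actually delivered to Suricata; check that against the capture method you use. The thread-name prefix mapping (RxPcap for libpcap capture threads, AFPacket for af-packet threads) reflects the 2.x-era thread naming visible in the quoted counters and is an assumption for other versions.

```python
#!/usr/bin/env python3
"""Per-capture-thread kernel drop ratios from Suricata stats.log dumps.

Added example, not Suricata's own code. stats.log counters are cumulative,
so the script reports both the lifetime ratio and the last-interval ratio.
"""
import re
from typing import Dict, List, Tuple

Dump = Dict[Tuple[str, str], int]  # (counter, tm_name) -> value

# Constructed sample: dump 1 copies the counters quoted in the thread,
# dump 2 is a hypothetical later interval (+1,000,000 packets, +250,000 drops).
SAMPLE_STATS = """\
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapp4p11               | 3408330077
capture.kernel_drops      | RxPcapp4p11               | 3532275578
capture.kernel_ifdrops    | RxPcapp4p11               | 0
decoder.pkts              | RxPcapp4p11               | 25645856945
tcp.reassembly_gap        | Detect                    | 5647652
flow.emerg_mode_entered   | FlowManagerThread         | 0
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapp4p11               | 3409330077
capture.kernel_drops      | RxPcapp4p11               | 3532525578
capture.kernel_ifdrops    | RxPcapp4p11               | 0
decoder.pkts              | RxPcapp4p11               | 25646856945
tcp.reassembly_gap        | Detect                    | 5650000
flow.emerg_mode_entered   | FlowManagerThread         | 0
"""

HEADER_RE = re.compile(r"^\s*Counter\s*\|\s*TM Name\s*\|\s*Value\s*$")
ROW_RE = re.compile(r"^\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

# Assumed 2.x-era thread name prefixes; the quoted counters show RxPcap.
CAPTURE_PREFIXES = {"RxPcap": "pcap", "AFPacket": "af-packet"}


def parse_stats_dumps(text: str) -> List[Dump]:
    """Split a stats.log file into consecutive dumps, one dict per interval."""
    dumps: List[Dump] = []
    current: Dump = {}
    for line in text.splitlines():
        if HEADER_RE.match(line):
            if current:
                dumps.append(current)
            current = {}
            continue
        m = ROW_RE.match(line)
        if m:
            counter, tm, value = m.groups()
            current[(counter, tm)] = int(value)
    if current:
        dumps.append(current)
    return dumps


def delta(prev: Dump, cur: Dump) -> Dump:
    """Per-interval difference of two cumulative dumps.

    A counter that went backwards (engine restart, counter reset) is taken at
    its current value instead of producing a negative delta.
    """
    out: Dump = {}
    for key, value in cur.items():
        before = prev.get(key, 0)
        out[key] = value - before if value >= before else value
    return out


def capture_method(tm_name: str) -> str:
    """Map a capture thread name to its capture method, or 'unknown'."""
    for prefix, method in CAPTURE_PREFIXES.items():
        if tm_name.startswith(prefix):
            return method
    return "unknown"


def drop_ratios(dump: Dump) -> Dict[str, float]:
    """drops / (packets + drops) per capture thread.

    Assumption: kernel_packets = packets handed to Suricata, kernel_drops =
    packets the kernel discarded, so their sum is what reached the socket.
    kernel_ifdrops (NIC-level drops) is deliberately not folded in.
    """
    ratios: Dict[str, float] = {}
    for (counter, tm), drops in dump.items():
        if counter != "capture.kernel_drops":
            continue
        total = dump.get(("capture.kernel_packets", tm), 0) + drops
        ratios[tm] = drops / total if total else 0.0
    return ratios


def report(text: str, threshold: float = 0.01) -> List[Tuple[str, float, float, bool]]:
    """(thread, lifetime ratio, last-interval ratio, over threshold) per thread."""
    dumps = parse_stats_dumps(text)
    if not dumps:
        return []
    lifetime = drop_ratios(dumps[-1])
    last = drop_ratios(delta(dumps[-2], dumps[-1])) if len(dumps) > 1 else lifetime
    return [(tm, lifetime[tm], last.get(tm, 0.0), last.get(tm, 0.0) > threshold)
            for tm in sorted(lifetime)]


if __name__ == "__main__":
    for tm, life, last, flagged in report(SAMPLE_STATS):
        print(f"{tm} ({capture_method(tm)}): lifetime {life:.1%}, "
              f"last interval {last:.1%}{'  <-- over threshold' if flagged else ''}")
```

On the quoted values the lifetime ratio comes out at roughly 51%, i.e. the kernel discarded about as many packets as it delivered; when changing settings, watch the per-interval figure rather than the lifetime one, since a cumulative counter that large moves very slowly.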
