[Oisf-devel] Suricata performance in ips-copy mode
Peter Manev
petermanev at gmail.com
Tue Jun 11 08:07:04 UTC 2013
On Tue, Jun 11, 2013 at 7:23 AM, Arun Dheena <adheena at tilera.com> wrote:
> Hello.
>
> We are trying to measure the performance of Suricata in ips-copy mode on Intel (Sandy Bridge 8-core system, E5-2670 0 @ 2.60GHz).
> I have configured Suricata with af-packet copy mode as mentioned in the blog here:
>
> https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/
>
> Attached is the yaml file.
> We are using Ubuntu Linux 3.8.0, with a Mellanox adapter (irq balance enabled) and Suricata version 1.4.2.
>
> Would like to know from the experts:
>
> [1] What is the expected throughput range for 10K HTTP sessions, with zero rules and with all the traffic matching the HOME_NET?
> None of the traffic is threat traffic.
> We are getting around 3Gbps.
>
> [2] Just a note, we are seeing kernel capture drops with the traffic / configuration as mentioned in [1] for all the threads.
>
> [3] Any other parameter / suggestion that could significantly change the performance for Intel
> in ips-copy mode.
>
> Thanks Much for the help
> Arun
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
Hi,
My suggestions for starters (so we can figure out the best config for
your traffic):
1.
max-sessions: 200000
prealloc-sessions: 200000
multiply the above by 100
2.
Profile and see what your traffic is mostly doing (TCP/UDP...)
3.
If (1) does not help for the drops and after seeing (2), divide the
flow timeouts by 5ish/10ish where necessary (example):
flow-timeouts:
  default:
    new: 3
    established: 30
    closed: 0
    emergency-new: 1
    emergency-established: 10
    emergency-closed: 0
  tcp:
    new: 5
    established: 360
    closed: 10
    emergency-new: 2
    emergency-established: 30
    emergency-closed: 5
  udp:
    new: 3
    established: 30
    emergency-new: 5
    emergency-established: 10
  icmp:
    new: 10
    established: 30
    emergency-new: 5
    emergency-established: 10
Thank you
--
Regards,
Peter Manev
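Arun reports kernel capture drops on every thread, and Peter's tuning advice only makes sense once you know how bad the drops are per capture thread and whether a change moved the number. The script below is an added example (not from either message or from the Suricata project) that reads the counter lines Suricata 1.x writes to stats.log ("counter | TM name | value"), computes the kernel drop ratio for each AF_PACKET thread and flags the ones above a threshold. The sample stats.log text, the thread names and the 1% threshold are constructed for the example, not taken from Arun's system.

```python
"""Per-thread kernel drop check over Suricata stats.log counter lines.

Added example, not code from the mailing-list thread or from Suricata.
It assumes the Suricata 1.x stats.log layout: one counter per line in
the form "counter_name | thread_name | value". Everything in
SAMPLE_STATS_LOG is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample: two AF_PACKET capture threads, the second one
# dropping heavily, plus a non-capture thread that must be ignored.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 4000000
capture.kernel_drops      | AFPacketeth01             | 10000
decoder.pkts              | AFPacketeth01             | 3990000
capture.kernel_packets    | AFPacketeth02             | 4000000
capture.kernel_drops      | AFPacketeth02             | 600000
decoder.pkts              | AFPacketeth02             | 3400000
flow_mgr.closed_pruned    | FlowManagerThread         | 12345
"""

# Header, separator and date lines do not match: the value must be an
# integer and the thread name must be a single token followed by "|".
LINE_RE = re.compile(
    r"^\s*(?P<counter>\S+)\s*\|\s*(?P<thread>\S+)\s*\|\s*(?P<value>\d+)\s*$"
)


def parse_stats(text):
    """Return {thread: {counter: value}} for every counter line in the dump."""
    stats = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats[m["thread"]][m["counter"]] = int(m["value"])
    return dict(stats)


def kernel_drop_rates(stats):
    """Kernel drop ratio per capture thread: kernel_drops / kernel_packets.

    Threads without capture counters (flow manager, detect threads) are
    skipped. A thread that has seen zero packets (right after start-up)
    gets 0.0 instead of raising ZeroDivisionError.
    """
    rates = {}
    for thread, counters in stats.items():
        if "capture.kernel_packets" not in counters:
            continue
        packets = counters["capture.kernel_packets"]
        drops = counters.get("capture.kernel_drops", 0)
        rates[thread] = drops / packets if packets else 0.0
    return rates


def threads_over_threshold(rates, max_drop_ratio=0.01):
    """Sorted names of capture threads dropping more than max_drop_ratio."""
    return sorted(t for t, r in rates.items() if r > max_drop_ratio)


if __name__ == "__main__":
    rates = kernel_drop_rates(parse_stats(SAMPLE_STATS_LOG))
    for thread, rate in sorted(rates.items()):
        print(f"{thread}: {rate:.2%} kernel drops")
    bad = threads_over_threshold(rates)
    print("threads still dropping:", ", ".join(bad) if bad else "none")
```

Run it against a real stats.log snapshot before and after changing max-sessions / prealloc-sessions or the flow timeouts; if the per-thread ratios do not move, the drops are coming from somewhere other than flow and session exhaustion (NIC queue/IRQ placement, CPU affinity) and the next tuning step should go there.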