[Oisf-users] Suricata and CPU threads

Martin Holste mcholste at gmail.com
Thu Aug 23 15:23:16 UTC 2012


You should set the cluster-id for pfring as well as the cluster-type:
cluster_flow in suricata.yaml.  Also, you should set threads: 8 (no
more than 8 or you get diminishing returns).  If you set the
interface, then you can start with --pfring instead of --pfring-int= .

On Thu, Aug 23, 2012 at 6:53 AM, Peter Bates <peter.bates at ucl.ac.uk> wrote:
> Hello all
>
> First of all, congratulations on Suricata 1.3.1!
>
> I've been reading the 'Threading' section of
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
>
> and would still appreciate a few pointers.
>
> I'm intending to use PF_RING for packet capture and am used to
> spawning multiple instances of Snort which are specifically bound to
> CPU cores -
> and also running 'set_irq_affinity.sh' to tie ixgbe IRQs to specific
> cores.
>
> I have 16 cores/32 threads - will the default suricata.yaml work
> accordingly if I select --pfring-int=ethX ?
>
> I'm tempted to compare AF_PACKET + PACKET_FANOUT against PF_RING but
> I'm not keen on running too many 'experimental' (to quote
> suricata.yaml) features.
>
> --
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division       Internal Ext: 32049
> University College London
> London WC1E 6BT

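The settings named in the reply above, written out as a suricata.yaml fragment. This is an added example, not part of the original thread; it assumes the per-interface list layout of the pfring section, and eth0 and the cluster-id value 99 are placeholders.

```yaml
# Added example: pfring section reflecting the advice in the reply.
# Interface name and cluster-id value are placeholders.
pfring:
  - interface: eth0              # with the interface set here, start Suricata with --pfring
    threads: 8                   # the reply's suggested ceiling for capture threads
    cluster-id: 99               # every thread joining the same PF_RING cluster shares this ID
    cluster-type: cluster_flow   # per-flow balancing: packets of one flow stay on one thread
```

With cluster_flow, each thread sees whole flows, which stream reassembly and flow-based detection depend on.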