[Oisf-users] memcap drops etc

Christophe Vandeplas christophe at vandeplas.com
Thu Dec 6 11:26:49 UTC 2012


trying to reply to all the questions, also from Anoop.

On Thu, Dec 6, 2012 at 11:55 AM, Peter Manev <petermanev at gmail.com> wrote:
> Hi Christophe,
>
> sorry - I missed the info from you.
> Ok HW is definitely enough for that traffic.
>
> Do you use af_packet?

no, I'll activate it on this IDS by using the eth2 interface only.
Fortunately that's an IDS where the bond0 was not really necessary,
but we prefer to keep every IDS as identical as possible. I'll have to
dig into the AF_PACKET documentation to understand how I should
configure it to receive on two physical interfaces.

> Is Suricata running on all 8 cores?

yep, on every machine it uses CPU from all cores.

> bond0 interface - is that bridged by any chance?

nope, that is/was not bridged. As I just switched to direct interface
usage with AF_PACKET on eth2, this is not relevant anymore.

/etc/network/interfaces is
auto eth2
iface eth2 inet manual
    pre-up ifconfig $IFACE up promisc
    post-down ifconfig $IFACE down
    bond-master bond0

# bonding interfaces for easier sniffing
auto bond0
iface bond0 inet manual
    pre-up ifconfig $IFACE up promisc
    post-down ifconfig $IFACE down
    bond-mode balance-rr
    bond-miimon 100
    bond-slaves none


> Do you have checksums enabled or disabled?

enabled (as shown below)

> FlowTimeout values - you should try to lower them.

ok,

> Can you describe the ruleset you're using?

 44538 signatures processed. 711 are IP-only rules, 43495 are
inspecting packet payload, 13901 inspect application layer, 0 are
decoder event only

the ruleset is very simple with tcp, http and udp filters. Nothing
really spectacular.
I wouldn't expect the ruleset to be a problem because CPU load is very
very low. (even on the 130Mbps IDS it's only at 150-180% of the 800%
available)


I'll re-read what Victor said and will continue hunting for the cause.
Thanks for all these fast replies!

Christophe

>
> thank you
>
>
> On Thu, Dec 6, 2012 at 11:40 AM, Christophe Vandeplas
> <christophe at vandeplas.com> wrote:
>>
>> On Thu, Dec 6, 2012 at 11:21 AM, Peter Manev <petermanev at gmail.com> wrote:
>> > Hi,
>> >
>> > what (how much) traffic do you average?
>>
>> Hello Peter,
>>
>> That was written in my mail, one of the IDSes sees only 15Mbps during
>> the day on average. Spikes up to 40Mbps (but very short spikes 4 times
>> a day). That should certainly be feasible with such a system.
>>
>> Once I get that IDS working fine I'll fine-tune the settings of the
>> others. (150 Mbps and 80 Mbps on average during the day)
>>
>>
>> > On Thu, Dec 6, 2012 at 11:17 AM, Christophe Vandeplas
>> > <christophe at vandeplas.com> wrote:
>> >>
>> >> Hello,
>> >>
>> >>
>> >> Almost all my IDSes are having
>> >> tcp.segment_memcap_drop
>> >> tcp.reassembly_gap
>> >>
>> >> And some of them have
>> >> tcp.ssn_memcap_drop
>> >>
>> >> I have been playing around with the memory settings in Suricata, but I
>> >> must admit it still looks very unclear to me; any help would really be
>> >> appreciated.
>> >>
>> >> To attack this problem I'm now concentrating my efforts on the IDS
>> >> dealing with the least traffic: during the day average of 15 Mbps.
>> >> The IDS has 8 virtual cores (4-core + HT = 8), and 8 GB of RAM. And
>> >> is sniffing using -i on a bond0 interface.
>> >>
>> >> The stats file is here: http://pastebin.com/kSVFDHRM
>> >>
>> >>
>> >> Outputs that are on: fast, unified2, http, stats, syslog.
>> >> I did not change anything in the threading section.
>> >> Defrag is also default:
>> >> defrag:
>> >>   max-frags: 65535
>> >>   prealloc: yes
>> >>   timeout: 60
>> >>
>> >> Raised flow:
>> >> flow:
>> >>   memcap: 2gb
>> >>   hash-size: 65536
>> >>   prealloc: 10000
>> >>   emergency-recovery: 30
>> >>   prune-flows: 5
>> >>
>> >> Flow-timeouts are default, and I raised stream memcaps:
>> >> stream:
>> >>   memcap: 2gb
>> >>   checksum-validation: yes      # reject wrong csums
>> >>   inline: no                    # no inline mode
>> >>   reassembly:
>> >>     memcap: 1gb
>> >>     depth: 8mb                  # reassemble 1mb into a stream
>> >>     toserver-chunk-size: 2560
>> >>     toclient-chunk-size: 2560
>> >>
>> >>
>> >> Any advice to further fine-tune is welcome!
>> >>
>> >> Thanks a lot
>> >> Christophe
>> >> _______________________________________________
>> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> >> Site: http://suricata-ids.org | Support:
>> >> http://suricata-ids.org/support/
>> >> List:
>> >> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >> OISF: http://www.openinfosecfoundation.org/
>> >
>> >
>> >
>> >
>> > --
>> > Regards,
>> > Peter Manev
>> >
>
>
>
>
> --
> Regards,
> Peter Manev
>
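As an added example (not code from this thread or from the Suricata project), a short Python script that reads Suricata 1.x style stats.log output and totals, across detect threads, the three memcap-related counters Christophe lists, so a non-zero total stands out between config changes. The stats.log column layout (Counter | TM Name | Value) and the sample rows are assumed/constructed.

```python
"""Added example (not from the thread): parse Suricata 1.x style stats.log
output and total the memcap/reassembly counters the thread is chasing.
Column layout (Counter | TM Name | Value) and sample rows are assumed."""
import re
from collections import defaultdict

# Counters named in the thread; any non-zero total means stream data was
# dropped or skipped because a memcap was reached.
MEMCAP_COUNTERS = (
    "tcp.ssn_memcap_drop",
    "tcp.segment_memcap_drop",
    "tcp.reassembly_gap",
)

# One counter row: name | thread name | integer value (header/dashes don't match)
LINE_RE = re.compile(r"^\s*(?P<name>[\w.]+)\s*\|\s*(?P<tm>\S+)\s*\|\s*(?P<value>\d+)\s*$")

# Constructed stats.log excerpt: each detect thread reports its own row.
SAMPLE_STATS = """\
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapbond01              | 1843201
tcp.sessions              | Detect1                   | 40211
tcp.ssn_memcap_drop       | Detect1                   | 0
tcp.segment_memcap_drop   | Detect1                   | 12034
tcp.reassembly_gap        | Detect1                   | 311
tcp.sessions              | Detect2                   | 39877
tcp.ssn_memcap_drop       | Detect2                   | 5
tcp.segment_memcap_drop   | Detect2                   | 11987
tcp.reassembly_gap        | Detect2                   | 298
"""

def parse_stats(text):
    """Return {counter: {thread: value}} for every counter row in the text."""
    counters = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("name")][m.group("tm")] = int(m.group("value"))
    return counters

def memcap_report(text):
    """Sum each memcap-related counter over all threads: {counter: total}."""
    counters = parse_stats(text)
    return {name: sum(counters.get(name, {}).values()) for name in MEMCAP_COUNTERS}

if __name__ == "__main__":
    for name, total in memcap_report(SAMPLE_STATS).items():
        print(f"{name:28} {total:>8}  {'MEMCAP HIT' if total else 'ok'}")
```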


