[Oisf-users] memcap drops etc

Peter Manev petermanev at gmail.com
Thu Dec 6 11:58:18 UTC 2012


On Thu, Dec 6, 2012 at 12:26 PM, Christophe Vandeplas <christophe at vandeplas.com> wrote:

> trying to reply to all the questions, also from Anoop.
>
> On Thu, Dec 6, 2012 at 11:55 AM, Peter Manev <petermanev at gmail.com> wrote:
> > Hi Christophe,
> >
> > sorry - I missed the info from you.
> > Ok HW is definitely enough for that traffic.
> >
> > Do you use af_packet?
>
> no, I'll activate it on this IDS by using the eth2 interface only.
> Fortunately that's an IDS where the bond0 was not really necessary,
> but we prefer to keep every IDS as identical as possible. I'll have to
> dig into the AF_PACKET documentation to understand how I should
> configure it to receive on two physical interfaces.
>
> > Is Suricata running on all 8 cores?
>
> yep, on every machine it uses CPU from all cores.
>
> > bond0 interface - is that bridged by any chance?
>
> nope, that is/was not bridged. As I just switched to direct interface
> usage with AF_PACKET on eth2, this is not relevant anymore.
>
> /etc/network/interfaces is
> auto eth2
> iface eth2 inet manual
>     pre-up ifconfig $IFACE up promisc
>     post-down ifconfig $IFACE down
>     bond-master bond0
>
> # bonding interfaces for easier sniffing
> auto bond0
> iface bond0 inet manual
>     pre-up ifconfig $IFACE up promisc
>     post-down ifconfig $IFACE down
>     bond-mode balance-rr
>     bond-miimon 100
>     bond-slaves none
>
>
> > Do you have checksums enabled or disabled?
>
> enabled (as shown below)
>
> > FlowTimeout values - you should try to lower them.
>
> ok,
>
> > Can you describe the ruleset you're using?
>
> 44538 signatures processed. 711 are IP-only rules, 43495 are
> inspecting packet payload, 13901 inspect application layer, 0 are
> decoder event only
>
Do I read this correctly - 44K rules? :)
But more importantly - which Suricata ver are you using?


>
> the ruleset is very simple with tcp, http and udp filters. Nothing
> really spectacular.
> I wouldn't expect the ruleset to be a problem because CPU load is very
> very low. (even on the 130Mbps IDS it's only at 150-180% of the 800%
> available)
>
>
> I'll re-read what Victor said and will continue hunting for the cause.
> Thanks for all these fast replies !
>
> Christophe
>
> >
> > thank you
> >
> >
> > On Thu, Dec 6, 2012 at 11:40 AM, Christophe Vandeplas
> > <christophe at vandeplas.com> wrote:
> >>
> >> On Thu, Dec 6, 2012 at 11:21 AM, Peter Manev <petermanev at gmail.com> wrote:
> >> > Hi,
> >> >
> >> > what (how much) traffic do you average?
> >>
> >> Hello Peter,
> >>
> >> That was written in my mail, one of the IDSes sees only 15Mbps during
> >> the day on average. Spikes up to 40Mbps (but very short spikes 4 times
> >> a day). That should certainly be feasible with such a system.
> >>
> >> Once I get that IDS working fine I'll fine-tune the settings of the
> >> others. (150 Mbps and 80 Mbps on average during the day)
> >>
> >>
> >> > On Thu, Dec 6, 2012 at 11:17 AM, Christophe Vandeplas
> >> > <christophe at vandeplas.com> wrote:
> >> >>
> >> >> Hello,
> >> >>
> >> >>
> >> >> Almost all my IDSes are having
> >> >> tcp.segment_memcap_drop
> >> >> tcp.reassembly_gap
> >> >>
> >> >> And some of them have
> >> >> tcp.ssn_memcap_drop
> >> >>
> >> >> I have been playing around with the memory settings in Suricata, but I
> >> >> must admit it still looks very unclear to me, any help would really be
> >> >> appreciated.
> >> >>
> >> >> To attack this problem I'm now concentrating my efforts on the IDS
> >> >> dealing with the least traffic: during the day average of 15 Mbps.
> >> >> The IDS has 8 virtual cores (4-core + HT = 8), and 8 GB of RAM. And
> >> >> is sniffing using -i on a bond0 interface.
> >> >>
> >> >> The stats file is here: http://pastebin.com/kSVFDHRM
> >> >>
> >> >>
> >> >> Outputs that are on: fast, unified2, http, stats, syslog.
> >> >> I did not change anything in the threading section.
> >> >> Defrag is also default:
> >> >> defrag:
> >> >>   max-frags: 65535
> >> >>   prealloc: yes
> >> >>   timeout: 60
> >> >>
> >> >> Raised flow:
> >> >> flow:
> >> >>   memcap: 2gb
> >> >>   hash-size: 65536
> >> >>   prealloc: 10000
> >> >>   emergency-recovery: 30
> >> >>   prune-flows: 5
> >> >>
> >> >> Flow-timeouts are default, and I raised stream memcaps:
> >> >> stream:
> >> >>   memcap: 2gb
> >> >>   checksum-validation: yes      # reject wrong csums
> >> >>   inline: no                    # no inline mode
> >> >>   reassembly:
> >> >>     memcap: 1gb
> >> >>     depth: 8mb                  # reassemble 1mb into a stream
> >> >>     toserver-chunk-size: 2560
> >> >>     toclient-chunk-size: 2560
> >> >>
> >> >>
> >> >> Any advice to further fine-tune is welcome!
> >> >>
> >> >> Thanks a lot
> >> >> Christophe
> >> >> _______________________________________________
> >> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> >> Site: http://suricata-ids.org | Support:
> >> >> http://suricata-ids.org/support/
> >> >> List:
> >> >> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> >> OISF: http://www.openinfosecfoundation.org/
> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > Regards,
> >> > Peter Manev
> >> >
> >
> >
> >
> >
> > --
> > Regards,
> > Peter Manev
> >
>



-- 
Regards,
Peter Manev
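As an added example (not code from this thread or from the Suricata project), a small checker that reads the legacy `stats.log` counter layout the thread is discussing, sums per-thread values, flags the memcap-related drop counters, and adds up the memcaps quoted in the config above against the box's 8 GB of RAM. The stats lines are constructed; the counter and memcap names come from the thread.

```python
import re

# Constructed sample in the legacy stats.log "counter | thread | value" layout
# (not the poster's pastebin output).
SAMPLE_STATS = """\
-------------------------------------------------------------------
Counter                   | TM Name           | Value
-------------------------------------------------------------------
tcp.sessions              | Detect1           | 1834211
tcp.sessions              | Detect2           | 1790002
tcp.ssn_memcap_drop       | Detect1           | 0
tcp.segment_memcap_drop   | Detect1           | 5123
tcp.reassembly_gap        | Detect1           | 87
flow.memuse               | FlowManagerThread | 1610612736
"""

# Memcap values quoted in the thread's flow/stream config.
MEMCAPS = {"flow.memcap": "2gb", "stream.memcap": "2gb", "stream.reassembly.memcap": "1gb"}
DROP_COUNTERS = ("tcp.ssn_memcap_drop", "tcp.segment_memcap_drop", "tcp.reassembly_gap")
UNITS = {"": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def parse_size(text):
    """Convert a Suricata size string such as '2gb' or '8mb' to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]?b)?\s*", text.lower())
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2) or ""]


def parse_stats(text):
    """Return {counter: value}, summing a counter across all threads."""
    counters = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[2].isdigit():  # skips headers and rules
            counters[parts[0]] = counters.get(parts[0], 0) + int(parts[2])
    return counters


def memcap_report(stats, memcaps, ram_bytes):
    """Nonzero drop/gap counters plus the configured memcap total versus RAM."""
    nonzero = {n: stats.get(n, 0) for n in DROP_COUNTERS if stats.get(n, 0) > 0}
    total = sum(parse_size(v) for v in memcaps.values())
    return {"nonzero": nonzero, "memcap_total": total, "fits_in_ram": total < ram_bytes}


if __name__ == "__main__":
    print(memcap_report(parse_stats(SAMPLE_STATS), MEMCAPS, 8 * 1024 ** 3))
```

A nonzero `tcp.segment_memcap_drop` with a memcap total that already fits in RAM points at `stream.reassembly.memcap` (or the flow timeouts) rather than at the host running out of memory.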