[Oisf-users] where are my missing packets ?

Martin Holste mcholste at gmail.com
Thu Feb 23 02:16:11 UTC 2012


The biggest performance boost you can get is to run with the pattern
matcher as "ac" and all of the settings on "high" in the tuning.  This
will use a lot of RAM--you may not have enough to run all of the rules
you want.  I highly suggest adding as much RAM as possible, running ac
with autofp, and using PF_RING with or without the proper Broadcom
driver.

In the stats file, look at the tcp.segment_memcap_drop and
tcp.ssn_memcap_drop.  If you see drops there, you need to up the
buffers even more for memcap, etc.

Regarding comparison to another IDS:  Suricata may be doing a lot more
work than the other setup.  Remember that it is actually
deconstructing every HTTP session before it even gets to the pattern
matching.  This is powerful stuff, and it costs CPU time.  Also, keep
in mind the number of rules being run when making comparisons.

One good baseline for a sanity check is to disable all of the rules
and run Suricata for a bit.  Make sure that it isn't dropping packets
just doing stream reassembly and HTTP analysis.  Once you've verified
it's not dropping there, then you know that tweaking the number of
rules and/or the pattern matching settings will provide a benefit.
That server should definitely be able to handle 400 Mb/sec, one way or
another.

On Wed, Feb 22, 2012 at 6:15 PM, mc8647 <mc8647 at mclink.it> wrote:
> Thanks for reply.
>
> The server is a HP DL360G7, it has 4 onboard lan ports...
>
> We are testing a proprietary IDS with another mirror port on a twin
> server (they are identically configured hardware).
>
> This proprietary IDS runs inside a esx4 VM with 8 cpu and it has no
> missing packets!
>
> So with less CPUs, less ram, and with esx overhead it is able to not
> lose packets. I think it is linux based with highly personalized setup,
> for example it supports just 3 hardware servers and esx VMs.
>
>
> "If I stop suricata with ctrl-c I get a message stating about 25%
> packets missed." should have been
>
> If I stop suricata with ctrl-c I get a message stating that from 3 to about 25% packets were missed depending on the run.
>
> Francesco
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
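Added example, not part of this thread or of Suricata itself: a small Python helper that sums the counters of the last stats.log dump across worker threads and reports the kernel drop ratio next to the two memcap-drop counters named above, which is the check to run first with all rules disabled and then again with the ruleset loaded. The column layout (counter | thread | value, dumps separated by "Date:" lines) and the capture.kernel_packets / capture.kernel_drops names are assumptions; the sample dump is constructed.

```python
import re
from collections import defaultdict

# Constructed sample of one stats.log dump; per-thread rows are summed below.
SAMPLE_STATS_LOG = """\
Date: 2/23/2012 -- 02:16:11 (uptime: 0d, 00h 05m 12s)
Counter                   | TM Name   | Value
capture.kernel_packets    | RxPFR1    | 2500000
capture.kernel_drops      | RxPFR1    | 150000
capture.kernel_packets    | RxPFR2    | 2400000
capture.kernel_drops      | RxPFR2    | 90000
tcp.ssn_memcap_drop       | Detect1   | 340
tcp.segment_memcap_drop   | Detect1   | 0
tcp.ssn_memcap_drop       | Detect2   | 12
tcp.segment_memcap_drop   | Detect2   | 2210
"""

# counter | thread name | integer value (assumed layout; header/divider lines do not match)
LINE_RE = re.compile(r"^\s*([\w.]+)\s*\|\s*([^|]+?)\s*\|\s*(\d+)\s*$")
MEMCAP_COUNTERS = ("tcp.segment_memcap_drop", "tcp.ssn_memcap_drop")


def parse_stats(text):
    """Return {counter: value summed over threads} for the last dump in the text."""
    totals = defaultdict(int)
    for line in text.splitlines():
        if line.startswith("Date:"):
            totals.clear()          # a new periodic dump starts; discard the older one
            continue
        m = LINE_RE.match(line)
        if m:
            counter, _thread, value = m.groups()
            totals[counter] += int(value)
    return dict(totals)


def diagnose(totals):
    """Return (kernel drop ratio, {memcap counter: value} for counters that are nonzero)."""
    packets = totals.get("capture.kernel_packets", 0)
    drops = totals.get("capture.kernel_drops", 0)
    ratio = drops / packets if packets else 0.0
    memcap = {c: totals[c] for c in MEMCAP_COUNTERS if totals.get(c, 0) > 0}
    return ratio, memcap


if __name__ == "__main__":
    ratio, memcap = diagnose(parse_stats(SAMPLE_STATS_LOG))
    print("kernel drop ratio: %.2f%%" % (ratio * 100))
    for counter, value in memcap.items():   # nonzero here means raise the memcap
        print("%s = %d -> increase the corresponding memcap" % (counter, value))
```

Point parse_stats at the real file (e.g. /var/log/suricata/stats.log) instead of the sample; a nonzero memcap counter with a near-zero kernel drop ratio means the stream engine, not the capture path, is discarding data.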


