[Oisf-users] where are my missing packets ?

Victor Julien victor at inliniac.net
Thu Feb 23 07:48:57 UTC 2012 

Enabling hyper threading is also recommended. It's not magic, but it
will gain you some.

Btw, can you share a record of the stats.log after Suricata has been
running for some time?

Cheers,
Victor

On 02/23/2012 03:16 AM, Martin Holste wrote:
> The biggest performance boost you can get is to run with the pattern
> matcher as "ac" and all of the settings on "high" in the tuning.  This
> will use a lot of RAM--you may not have enough to run all of the rules
> you want.  I highly suggest adding as much RAM as possible, running ac
> with autofp, and use PF_RING with or without the proper Broadcom
> driver.
> 
> In the stats file, look at the tcp.segment_memcap_drop and
> tcp.ssn_memcap_drop.  If you see drops there, you need to up the
> buffers even more for memcap, etc.
> 
> Regarding comparison to another IDS:  Suricata may be doing a lot more
> work than the other setup.  Remember that it is actually
> deconstructing every HTTP session before it even gets to the pattern
> matching.  This is powerful stuff, and it costs CPU time.  Also, keep
> in mind the number of rules being run when making comparisons.
> 
> One good baseline for a sanity check is to disable all of the rules
> and run Suricata for a bit.  Make sure that it isn't dropping packets
> just doing stream reassembly and HTTP analysis.  Once you've verified
> it's not dropping there, then you know that tweaking the number of
> rules and/or the pattern matching settings will provide a benefit.
> That server should definitely be able to handle 400 Mb/sec, one way or
> another.
> 
> On Wed, Feb 22, 2012 at 6:15 PM, mc8647 <mc8647 at mclink.it> wrote:
>> Thanks for reply.
>>
>> The server is a HP DL360G7, it has 4 onboard lan ports...
>>
>> We are testing a proprietary IDS with another mirror port on a twin
>> server (they are identically configured hardware).
>>
>> This proprietary IDS runs inside a esx4 VM with 8 cpu and it has no
>> missing packets!
>>
>> So with less CPUs, less ram, and with esx overhead it is able to not
>> lose packets. I think it is linux based with highly personlized setup,
>> for example it supports just 3 hardware servers and esx VMs.
>>
>>
>> "If I stop suricata with ctrl-c I get a message stating about 25%
>> packets missed." should have been
>>
>> If I stop suricata with ctrl-c I get a message stating that from 3 to about 25% packets were missed depending on the run.
>>
>> Francesco
>>
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

More information about the Oisf-users mailing list