[Oisf-users] where are my missing packets ?

Peter Manev petermanev at gmail.com
Thu Feb 23 08:29:58 UTC 2012


On Thu, Feb 23, 2012 at 8:48 AM, Victor Julien <victor at inliniac.net> wrote:

> Enabling hyper threading is also recommended. It's not magic, but it
> will gain you some.
>
> Btw, can you share a record of the stats.log after Suricata has been
> running for some time?
>
> Cheers,
> Victor
>
> On 02/23/2012 03:16 AM, Martin Holste wrote:
> > The biggest performance boost you can get is to run with the pattern
> > matcher as "ac" and all of the settings on "high" in the tuning.  This
> > will use a lot of RAM--you may not have enough to run all of the rules
> > you want.  I highly suggest adding as much RAM as possible, running ac
> > with autofp, and use PF_RING with or without the proper Broadcom
> > driver.
> >
> > In the stats file, look at the tcp.segment_memcap_drop and
> > tcp.ssn_memcap_drop.  If you see drops there, you need to up the
> > buffers even more for memcap, etc.
> >
> > Regarding comparison to another IDS:  Suricata may be doing a lot more
> > work than the other setup.  Remember that it is actually
> > deconstructing every HTTP session before it even gets to the pattern
> > matching.  This is powerful stuff, and it costs CPU time.  Also, keep
> > in mind the number of rules being run when making comparisons.
> >
> > One good baseline for a sanity check is to disable all of the rules
> > and run Suricata for a bit.  Make sure that it isn't dropping packets
> > just doing stream reassembly and HTTP analysis.  Once you've verified
> > it's not dropping there, then you know that tweaking the number of
> > rules and/or the pattern matching settings will provide a benefit.
> > That server should definitely be able to handle 400 Mb/sec, one way or
> > another.
> >
> > On Wed, Feb 22, 2012 at 6:15 PM, mc8647 <mc8647 at mclink.it> wrote:
> >> Thanks for reply.
> >>
> >> The server is a HP DL360G7, it has 4 onboard lan ports...
> >>
> >> We are testing a proprietary IDS with another mirror port on a twin
> >> server (they are identically configured hardware).
> >>
> >> This proprietary IDS runs inside a esx4 VM with 8 cpu and it has no
> >> missing packets!
> >>
> >> So with less CPUs, less ram, and with esx overhead it is able to not
> >> lose packets. I think it is linux based with highly personalized setup,
> >> for example it supports just 3 hardware servers and esx VMs.
> >>
> >>
> >> "If I stop suricata with ctrl-c I get a message stating about 25%
> >> packets missed." should have been
> >>
> >> If I stop suricata with ctrl-c I get a message stating that from 3 to
> >> about 25% packets were missed depending on the run.
> >>
> >> Francesco
> >>
> >> _______________________________________________
> >> Oisf-users mailing list
> >> Oisf-users at openinfosecfoundation.org
> >> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>


I agree with Martin - up the buffers.
BTW - if you load Suricata 1.2.1 (on an empty interface, no traffic) - how
much mem is taken for 4K rules?


thanks
-- 
Regards,
Peter Manev
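As an added illustration of the stats.log check Martin describes above (not code from any participant in this thread), the script below parses the last dump of a Suricata 1.x style stats.log and flags the tcp.ssn_memcap_drop and tcp.segment_memcap_drop counters relative to decoder.pkts. The sample log block is constructed for the example; the exact column layout and the use of decoder.pkts as the denominator are assumptions about the stats.log format.

```python
import re

# Constructed sample in the shape of a Suricata 1.x stats.log dump (not real output).
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 2/23/2012 -- 08:29:58 (uptime: 0d, 00h 05m 12s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.pkts              | Decode1                   | 1000000
decoder.bytes             | Decode1                   | 812000000
tcp.sessions              | Detect                    | 48210
tcp.ssn_memcap_drop       | Detect                    | 1250
tcp.segment_memcap_drop   | Detect                    | 37800
tcp.stream_depth_reached  | Detect                    | 0
"""

# The two counters the thread points at: non-zero values mean the stream
# engine is discarding sessions/segments because a memcap is too small.
MEMCAP_COUNTERS = ("tcp.ssn_memcap_drop", "tcp.segment_memcap_drop")


def parse_stats_block(text):
    """Return {counter: value} for the last dump in a stats.log text.

    Each dump starts with a 'Date:' line; 'counter | TM name | value' rows
    are summed per counter because a counter may be listed once per thread.
    """
    last_block = text.split("Date:")[-1]
    counters = {}
    for line in last_block.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # header, separator or non-numeric row
        counters[parts[0]] = counters.get(parts[0], 0) + int(parts[2])
    return counters


def memcap_report(counters):
    """Map each non-zero memcap counter to (drops, percent of decoded packets)."""
    pkts = counters.get("decoder.pkts", 0)
    findings = {}
    for name in MEMCAP_COUNTERS:
        drops = counters.get(name, 0)
        if drops:
            findings[name] = (drops, (100.0 * drops / pkts) if pkts else None)
    return findings


if __name__ == "__main__":
    report = memcap_report(parse_stats_block(SAMPLE_STATS_LOG))
    for name, (drops, pct) in report.items():
        print(f"{name}: {drops} drops ({pct:.2f}% of decoded packets) -> raise the memcap")
    if not report:
        print("no memcap drops: look at capture-side drops or rule load instead")
```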