[Oisf-users] getting started with suri -- tuning

Theodore Elhourani theodore.elhourani at gmail.com
Thu Aug 1 18:34:27 UTC 2013


Why is it important to have offloading off and Suricata seeing raw (MTU-sized) packets?
Are there specific types of exploits that may not be detected if we allow larger sized packets?

Can someone help clarify this point?

Thanks,
Ted


On Mon, Jul 29, 2013 at 6:51 AM, Duarte Silva <duarte.silva at serializing.me> wrote:

> On Saturday 27 July 2013 23:55:04 Russell Fulton wrote:
> > On 27/07/2013, at 11:26 AM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> > > Hi
> > >
> > > I now have suri running on my test sensor (ubuntu with suri from current
> > > security onion packages).  Machine has 16 cores and 8GB of memory and is
> > > seeing order of 800Mbps traffic.  Currently using Pcap while I get the
> > > pf_ring stuff sorted out.
> > That should have been 32GB memory — the recommended 2GB per core!
> >
> > > Suri is reporting dropping 70% of the packets.  I have used the config file
> > > that came with SO package — suitably tweaked for our setup.
> > Making progress :)
> >
> > The main issue seems to have been that I was using pcap. Things behave
> > sensibly when I use either af_packet or pfring.
> >
> > I had to raise the flow.memcap to avoid the "Flow emergency mode over, back
> > to normal… " messages.
> >
> > I am sure that I will need to do more tuning before this goes into
> > production but it will do for the moment.
> >
> > Thanks for the pointers.
> >
> > Russell
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
>
> Hi Russell,
>
> one thing you can also try is to set CPU affinity for each receive queue,
> increase the RX ring buffer size to the maximum allowed by the hardware,
> and disable the offload capabilities of the network interface.
>
> An example follows; note that the IRQ affinity and the RX queue balancing
> are for a four-core processor.
>
> # Increase the RX ring buffer on the sniffing interface
> ethtool -G eth1 rx 4096
>
> # Disable offload features
> ethtool -K eth1 rx off
> ethtool -K eth1 tx off
> ethtool -K eth1 sg off
> ethtool -K eth1 tso off
> ethtool -K eth1 gso off
> ethtool -K eth1 gro off
> ethtool -K eth1 lro off
> ethtool -K eth1 rxvlan off
> ethtool -K eth1 txvlan off
>
> # Set the IRQ affinity
> echo 1 >/proc/irq/80/smp_affinity
> echo 2 >/proc/irq/81/smp_affinity
> echo 4 >/proc/irq/82/smp_affinity
> echo 8 >/proc/irq/83/smp_affinity
>
> # Balance evenly the receive queues
> ethtool -X eth1 equal 4
>
> Regards,
> Duarte
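As an added example (not code from the thread or the Suricata project), the script below derives the per-queue IRQ affinity masks that Duarte writes by hand for a four-core box, but for any number of queues and CPUs, from a /proc/interrupts snapshot. The snapshot is constructed, and the `eth1-TxRx-N` queue naming is a driver-dependent assumption; the script only prints the commands rather than writing to /proc/irq.

```python
"""Derive smp_affinity masks for a sniffing NIC's per-queue IRQs (added
example, not from the thread). The /proc/interrupts snapshot is constructed
and the '<iface>-TxRx-<n>' queue naming is a driver-dependent assumption."""
import re

# Constructed /proc/interrupts sample: four queue IRQs plus a non-queue
# "eth1" line that must be ignored.
SAMPLE_INTERRUPTS = """\
           CPU0       CPU1       CPU2       CPU3
  80:    1023456          0          0          0   PCI-MSI-edge      eth1-TxRx-0
  81:          0     998877          0          0   PCI-MSI-edge      eth1-TxRx-1
  82:          0          0    1011223          0   PCI-MSI-edge      eth1-TxRx-2
  83:          0          0          0    1002210   PCI-MSI-edge      eth1-TxRx-3
  84:        120          0          0          0   PCI-MSI-edge      eth1
NMI:          0          0          0          0   Non-maskable interrupts
"""

def queue_irqs(interrupts_text, iface):
    """Return {queue_index: irq} for lines named like <iface>-TxRx-<n>."""
    pat = re.compile(r"^\s*(\d+):.*\b%s-(?:TxRx|Tx|Rx|rx|tx)-(\d+)\s*$"
                     % re.escape(iface), re.M)
    return {int(q): int(irq) for irq, q in pat.findall(interrupts_text)}

def affinity_mask(cpu):
    """Hex mask with one CPU bit set, in the comma-separated 32-bit word
    format /proc/irq/N/smp_affinity expects (CPU 32 -> '1,00000000')."""
    value, words = 1 << cpu, []
    while value:
        words.append(value & 0xFFFFFFFF)
        value >>= 32
    words.reverse()
    return ",".join(f"{w:x}" if i == 0 else f"{w:08x}" for i, w in enumerate(words))

def plan_affinity(interrupts_text, iface, ncpu):
    """Pin queue k to CPU k mod ncpu: one queue IRQ per core, as in the thread."""
    return {irq: affinity_mask(q % ncpu)
            for q, irq in sorted(queue_irqs(interrupts_text, iface).items())}

def render_commands(plan, iface):
    """Shell lines equivalent to the hand-written ones, plus an even RSS spread."""
    cmds = [f"echo {mask} >/proc/irq/{irq}/smp_affinity"
            for irq, mask in sorted(plan.items())]
    cmds.append(f"ethtool -X {iface} equal {len(plan)}")
    return cmds

if __name__ == "__main__":
    plan = plan_affinity(SAMPLE_INTERRUPTS, "eth1", 4)
    print("\n".join(render_commands(plan, "eth1")))
```

On a real sensor, feed it the output of `cat /proc/interrupts` and the core count Suricata's worker threads are pinned to, then review the printed lines before applying them.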
