[Oisf-users] getting started with suri -- tuning

Heine Lysemose lysemose at gmail.com
Thu Aug 1 19:56:04 UTC 2013


Does this blog post help you,
http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html?


Regards,
Lysemose
On Aug 1, 2013 8:34 PM, "Theodore Elhourani" <theodore.elhourani at gmail.com>
wrote:

> Why is it important to have offloading off and Suricata seeing raw (MTU
> sized) packets ?
> Are there specific types of exploits that may not be detected if we allow
> larger sized packets?
>
> Can someone help clarify this point ?
>
> Thanks,
> Ted
>
>
> On Mon, Jul 29, 2013 at 6:51 AM, Duarte Silva <duarte.silva at serializing.me
> > wrote:
>
>> On Saturday 27 July 2013 23:55:04 Russell Fulton wrote:
>> > On 27/07/2013, at 11:26 AM, Russell Fulton <r.fulton at auckland.ac.nz>
>> wrote:
>> > > Hi
>> > >
>> > > I now have suri running on my test sensor (ubuntu with suri from
>> > > current security onion packages).  Machine has 16 cores and 8GB of
>> > > memory and is seeing order of 800Mbps traffic.  Currently using Pcap
>> > > while I get the pf_ring stuff sorted out.
>> > That should have been 32GB memory — the recommended 2GB per core!
>> >
>> > > Suri is reporting dropping 70% of the packets.  I have used the config
>> > > file that came with SO package — suitably tweaked for our setup.
>> > Making progress :)
>> >
>> > The main issue seems to have been that I was using pcap. Things behave
>> > sensibly when I use either af_packet or pfring.
>> >
>> > I had to raise the flow.memcap to avoid the "Flow emergency mode over,
>> > back to normal… " messages.
>> >
>> > I am sure that I will need to do more tuning before this goes into
>> > production but it will do for the moment.
>> >
>> > Thanks for the pointers.
>> >
>> > Russell
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> > List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > OISF: http://www.openinfosecfoundation.org/
>>
>> Hi Russell,
>>
>> one thing you can also try is to set CPU affinity for each receive queue,
>> increase the RX ring buffer size to the maximum that is allowed by the
>> hardware and disable the offload capabilities of the network interface.
>>
>> An example follows; note that the IRQ affinity and the RX queue balancing
>> are for a four core processor.
>>
>> # Increase the RX ring buffer on the sniffing interface
>> ethtool -G eth1 rx 4096
>>
>> # Disable offload features
>> ethtool -K eth1 rx off
>> ethtool -K eth1 tx off
>> ethtool -K eth1 sg off
>> ethtool -K eth1 tso off
>> ethtool -K eth1 gso off
>> ethtool -K eth1 gro off
>> ethtool -K eth1 lro off
>> ethtool -K eth1 rxvlan off
>> ethtool -K eth1 txvlan off
>>
>> # Set the IRQ affinity
>> echo 1 >/proc/irq/80/smp_affinity
>> echo 2 >/proc/irq/81/smp_affinity
>> echo 4 >/proc/irq/82/smp_affinity
>> echo 8 >/proc/irq/83/smp_affinity
>>
>> # Balance evenly the receive queues
>> ethtool -X eth1 equal 4
>>
>> Regards,
>> Duarte
>>
>
>
>
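The tuning steps Duarte quotes above, folded into one script that also verifies the result, as an added example that is not part of the thread or of Suricata itself. It assumes the NIC's per-queue IRQs are named after the interface in /proc/interrupts (as with many drivers), and it embeds a constructed `ethtool -k` sample so the offload check can be exercised without a real NIC.

```shell
#!/bin/sh
# Added example: Duarte's steps as a script, plus a check that the offloads
# Suricata cares about (GRO/LRO/TSO/GSO, checksums, VLAN) really ended up off.
# Hex mask for /proc/irq/<irq>/smp_affinity that pins an IRQ to CPU $1 only.
cpu_mask() {
    printf '%x\n' "$(( 1 << $1 ))"
}

# Read `ethtool -k IFACE` output on stdin and print each offload that is
# still "on". Tab-indented sub-features are skipped on purpose.
offloads_still_on() {
    awk -F': ' '
    /^(rx-checksumming|tx-checksumming|scatter-gather|tcp-segmentation-offload|generic-segmentation-offload|generic-receive-offload|large-receive-offload|rx-vlan-offload|tx-vlan-offload):/ {
        split($2, v, " "); if (v[1] == "on") print $1
    }'
}

# Constructed sample of `ethtool -k` output (not captured from a real host).
SAMPLE_ETHTOOL_K='rx-checksumming: on
tx-checksumming: off
	tx-checksum-ipv4: off
scatter-gather: off
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: off
tx-vlan-offload: off'

# Apply the tuning to a real interface (assumption: its queue IRQs appear in
# /proc/interrupts under names such as "eth1-TxRx-0"; adjust the awk if not).
tune_sniffer() {
    iface=$1; ncpu=$(nproc 2>/dev/null || echo 1); cpu=0; queues=0
    ethtool -G "$iface" rx 4096 2>/dev/null || echo "$iface: ring size not adjustable" >&2
    for f in rx tx sg tso gso gro lro rxvlan txvlan; do
        ethtool -K "$iface" "$f" off 2>/dev/null || echo "$iface: cannot turn $f off" >&2
    done
    for irq in $(awk -v i="$iface" '$NF ~ ("^" i "([-:]|$)") { sub(":", "", $1); print $1 }' /proc/interrupts); do
        cpu_mask "$cpu" > "/proc/irq/$irq/smp_affinity"   # one CPU per queue, wrapping
        cpu=$(( (cpu + 1) % ncpu )); queues=$(( queues + 1 ))
    done
    if [ "$queues" -gt 1 ]; then ethtool -X "$iface" equal "$queues" 2>/dev/null || true; fi
    left=$(ethtool -k "$iface" | offloads_still_on | tr '\n' ' ')
    if [ -n "$left" ]; then echo "$iface: still on: $left"; return 1; fi
    echo "$iface: offloads off, $queues queue IRQs pinned"
}

if [ "$#" -gt 0 ]; then tune_sniffer "$1"; else
    printf '%s\n' "$SAMPLE_ETHTOOL_K" | offloads_still_on   # dry run on the sample
fi
```

Run it as root with the sniffing interface as the only argument; with no argument it only lists the offloads left on in the constructed sample.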