[Oisf-users] performance on VM
Peter Manev
petermanev at gmail.com
Wed Aug 7 20:28:50 UTC 2013
On Wed, Aug 7, 2013 at 10:18 AM, Duarte Silva
<duarte.silva at serializing.me> wrote:
> Hi Theodore,
>
> tunning Suricata in a VM is no different from a bare hardware solution. The
> same basic principles apply. You can check this thread [1], it contains a lot
> of pointers.
>
> There isn't a recipe though, every setup is different, but usually after
> fiddling for some time you will get it right :D
>
You could try afpacket or pfring.
Make sure you have the flow timeout values set right in the suricata.yaml.
There are plenty of tcp/htp memcaps to tweek with
(stream/reassembly/depth). You could see in stats log what is hitting
the memlimits and maybe readjust some memcaps/timeouts based on that.
There is also the checksum validation that could be useful set to "no"
especially if on VMware - most VMs have a lot of offloading features
enabled by default (gro/tso...) - ethtool -k eth1 -> to find out what
is sett to offload (on) and what not. NOTE - some guest network card
features are nonadjustable under 2008 Hyper-V host, but you are
referring to VMware so this is different.
Just a suggestion for starters :)
--
Regards,
Peter Manev
More information about the Oisf-users
mailing list