[Oisf-users] Tuning Suricata (2.0beta1) -- no rules and lots of packet loss

Anoop Saldanha anoopsaldanha at gmail.com
Thu Aug 15 06:45:49 UTC 2013


Tritium,

Also, have you disabled the DNS parsers as specified in the other mail thread?

On Thu, Aug 15, 2013 at 11:54 AM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> You don't have enough memory; you need at least two gigs per core.  On
> my sensor I have three, so I run with deep ring buffers.  So, you need
> at least 96 gigs of RAM on your system (I see you have 64 from the top
> printout).  Try setting your ring size small (like 50000) or getting
> more memory.
>
> Did you restart irqbalance after you updated the driver?  I've had a
> similar issue in the past that was fixed by restarting irqbalance.
>
> If you really have a limit of 32 RX queues, there is an easy fix for
> this.  Just set the 'threads' section in af-packet mode to '32' and it
> will use the first 32 cores only.  This will also fix your memory
> issues, as only 32 ring buffers will be allocated.
>
> - -Coop
>
> On 8/14/2013 11:03 PM, Tritium Cat wrote:
>> I tried all of your recommendations and performance is worse.  Short of
>> having the exact same server and single card, there's nothing else I can
>> match exactly.
>>
>> ring-size=300000 exhausts memory and swap.  Even ring-size=100000 is taxing
>> on the system and consumes 56GB ram.
>>
>> Also updated ixgbe to the latest version as recommended on the blog.  Not sure
>> if this is connected, but oddly it seems now I am reaching a limit of 32
>> CPUs/queues with unused cores at 100% idle.  I think there are some errors
>> on the blog too with the ixgbe parameters and expectations of queues, but
>> that is beside the point.  (FdirPballoc is for hardware filters and not
>> relevant here?)
>>
>> I cannot explain the feeling of how old this is becoming, especially when
>> all others seem to have success.  I guess maybe the answer must be
>> filtering out lots of traffic; however, the traffic profile is definitely
>> less than the 1M to 1.5M pps mentioned in the blog.  (The blog server is
>> less powerful too?)
>>
>> For now I will just be happy with dropping 10-40% and restarting the IDS
>> daily; a half-working IDS is better than no IDS :p
>>
>> Thanks for the detail, it is still helpful.  Better luck tomorrow!
>>
>> --TC
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/



-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
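As an added example, not code from this thread or from the Suricata project, the script below models the relationship behind both suggestions above (cap af-packet threads at the number of RX queues, shrink ring-size): one ring per capture thread, so total ring memory is threads x ring-size x frame size. The TPACKET v2 header overhead and 16-byte alignment are assumptions approximating the kernel's frame layout, the interface name and cluster-id in the rendered stanza are placeholders, and the model is a lower bound: it gives well under the 56 GB the poster saw at ring-size 100000, so calibrate against the sensor's real RSS before trusting a number.

```python
"""Estimate Suricata af-packet ring memory and derive a ring-size that fits
a RAM budget.  Added illustration, not Suricata project code.

Assumptions (labelled): one ring per capture thread; each ring holds
`ring_size` frames; each frame holds one packet of up to `snaplen` bytes
plus a TPACKET v2 header.  The header size and alignment below approximate
the kernel's TPACKET_ALIGN rules and are not guaranteed to match a given
kernel or Suricata release, so treat the result as a lower bound.
"""

TPACKET_ALIGNMENT = 16        # assumed: kernel aligns ring frames to 16 bytes
TPACKET2_HDR_OVERHEAD = 52    # assumed: tpacket2_hdr (32) + sockaddr_ll (20)


def tpacket_align(n: int) -> int:
    """Round n up to the assumed TPACKET alignment boundary."""
    return (n + TPACKET_ALIGNMENT - 1) & ~(TPACKET_ALIGNMENT - 1)


def frame_size(snaplen: int) -> int:
    """Bytes one ring slot occupies for a packet of up to `snaplen` bytes."""
    return tpacket_align(tpacket_align(TPACKET2_HDR_OVERHEAD) + snaplen)


def ring_memory_bytes(threads: int, ring_size: int, snaplen: int = 1514) -> int:
    """Memory pinned by all af-packet rings: one ring of `ring_size` per thread."""
    return threads * ring_size * frame_size(snaplen)


def max_ring_size(threads: int, budget_bytes: int, snaplen: int = 1514) -> int:
    """Largest ring-size whose rings (one per thread) fit inside `budget_bytes`."""
    per_frame_all_threads = threads * frame_size(snaplen)
    return budget_bytes // per_frame_all_threads


def af_packet_yaml(interface: str, threads: int, ring_size: int) -> str:
    """Render an af-packet stanza with an explicit thread cap and ring-size.

    `interface` and cluster-id 99 are placeholders; the stanza mirrors the
    keys used in a suricata.yaml af-packet section.
    """
    return (
        "af-packet:\n"
        f"  - interface: {interface}\n"
        f"    threads: {threads}\n"
        "    cluster-id: 99\n"
        "    cluster-type: cluster_flow\n"
        "    defrag: yes\n"
        "    use-mmap: yes\n"
        f"    ring-size: {ring_size}\n"
    )


def gib(n_bytes: int) -> float:
    return n_bytes / 2**30


if __name__ == "__main__":
    # The two configurations discussed in the thread, 1514-byte snaplen assumed.
    for threads, ring in ((64, 300000), (64, 100000), (32, 50000)):
        print(f"threads={threads:3d} ring-size={ring:7d} -> "
              f"{gib(ring_memory_bytes(threads, ring)):6.1f} GiB (model lower bound)")

    # Invert: with 32 threads, what ring-size fits in 16 GiB of ring memory?
    budget = 16 * 2**30
    ring = max_ring_size(32, budget)
    print(f"\n32 threads, 16 GiB budget -> max ring-size {ring}\n")
    print(af_packet_yaml("eth2", 32, ring))
```

Halving `threads` halves the estimate at any ring-size, which is why capping threads at the 32 available RX queues also addresses the memory problem. The poster's observed 56 GB at ring-size 100000 is several times the model's figure for a 1514-byte snaplen, which is the kind of gap a larger default-packet-size or kernel block rounding would produce; measure rather than assume.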


