[Oisf-users] getting started with suri -- tuning

Russell Fulton r.fulton at auckland.ac.nz
Fri Jul 26 23:26:43 UTC 2013


Hi

I now have suri running on my test sensor (ubuntu with suri from current security onion packages).  Machine has 16 cores and 8GB of memory and is seeing on the order of 800Mbps traffic.  Currently using Pcap while I get the pf_ring stuff sorted out.

Suri is reporting dropping 70% of the packets.  I have used the config file that came with SO package — suitably tweaked for our setup.

Currently running the full ETPRO rule set.

here is a stats output:

Date: 7/26/2013 -- 14:31:54 (uptime: 0d, 00h 01m 32s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapeth21               | 23599804
capture.kernel_drops      | RxPcapeth21               | 21082434
capture.kernel_ifdrops    | RxPcapeth21               | 0
decoder.pkts              | RxPcapeth21               | 2515967
decoder.bytes             | RxPcapeth21               | 2349840746
decoder.ipv4              | RxPcapeth21               | 2486962
decoder.ipv6              | RxPcapeth21               | 65854
decoder.ethernet          | RxPcapeth21               | 2515967
decoder.raw               | RxPcapeth21               | 0
decoder.sll               | RxPcapeth21               | 0
decoder.tcp               | RxPcapeth21               | 915676
decoder.udp               | RxPcapeth21               | 483078
decoder.sctp              | RxPcapeth21               | 0
decoder.icmpv4            | RxPcapeth21               | 4666
decoder.icmpv6            | RxPcapeth21               | 299
decoder.ppp               | RxPcapeth21               | 60
decoder.pppoe             | RxPcapeth21               | 0
decoder.gre               | RxPcapeth21               | 78
decoder.vlan              | RxPcapeth21               | 0
decoder.teredo            | RxPcapeth21               | 36898
decoder.ipv4_in_ipv6      | RxPcapeth21               | 0
decoder.ipv6_in_ipv6      | RxPcapeth21               | 0
decoder.avg_pkt_size      | RxPcapeth21               | 934
decoder.max_pkt_size      | RxPcapeth21               | 1482
defrag.ipv4.fragments     | RxPcapeth21               | 307
defrag.ipv4.reassembled   | RxPcapeth21               | 11
defrag.ipv4.timeouts      | RxPcapeth21               | 0
defrag.ipv6.fragments     | RxPcapeth21               | 279
defrag.ipv6.reassembled   | RxPcapeth21               | 26
defrag.ipv6.timeouts      | RxPcapeth21               | 0
defrag.max_frag_hits      | RxPcapeth21               | 0
tcp.sessions              | Detect                    | 18145
tcp.ssn_memcap_drop       | Detect                    | 0
tcp.pseudo                | Detect                    | 15
tcp.invalid_checksum      | Detect                    | 606
tcp.no_flow               | Detect                    | 0
tcp.reused_ssn            | Detect                    | 0
tcp.memuse                | Detect                    | 12058624
tcp.syn                   | Detect                    | 19130
tcp.synack                | Detect                    | 16282
tcp.rst                   | Detect                    | 8280
tcp.segment_memcap_drop   | Detect                    | 0
tcp.stream_depth_reached  | Detect                    | 0
tcp.reassembly_memuse     | Detect                    | 11292544
tcp.reassembly_gap        | Detect                    | 26
detect.alert              | Detect                    | 0
flow_mgr.closed_pruned    | FlowManagerThread         | 53074
flow_mgr.new_pruned       | FlowManagerThread         | 25531
flow_mgr.est_pruned       | FlowManagerThread         | 0
flow.memuse               | FlowManagerThread         | 30216944
flow.spare                | FlowManagerThread         | 10187
flow.emerg_mode_entered   | FlowManagerThread         | 1
flow.emerg_mode_over      | FlowManagerThread         | 1
-------------------------------------------------------------------

How do I figure out what is wrong?

Russell
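The stats dump above is the place to start, and the counters can be read mechanically rather than by eye. The following script is an added example, not code from the original post or from the Suricata project: it parses the `counter | thread | value` format shown in the post, sums each counter across capture threads (a real stats.log has one row per worker), computes the kernel drop fraction from `capture.kernel_packets` and `capture.kernel_drops`, and flags the other counters a tuner looks at first (interface drops, flow emergency mode, stream memcap drops, reassembly gaps). The sample input is the post's own counter lines; the 1% drop threshold is an arbitrary assumption.

```python
"""Summarise capture health from a Suricata stats.log dump.

Added example for the thread above; not the poster's code and not part of
Suricata. Counters are cumulative since engine start, so the drop fraction
is a lifetime average, not an instantaneous rate.
"""
import re
from collections import defaultdict

# Sample input: the counter lines quoted in the post (single pcap thread).
SAMPLE_STATS = """\
Date: 7/26/2013 -- 14:31:54 (uptime: 0d, 00h 01m 32s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapeth21               | 23599804
capture.kernel_drops      | RxPcapeth21               | 21082434
capture.kernel_ifdrops    | RxPcapeth21               | 0
decoder.pkts              | RxPcapeth21               | 2515967
tcp.ssn_memcap_drop       | Detect                    | 0
tcp.segment_memcap_drop   | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 26
flow.emerg_mode_entered   | FlowManagerThread         | 1
flow.emerg_mode_over      | FlowManagerThread         | 1
-------------------------------------------------------------------
"""

# Matches "counter | thread | integer"; the header row ("TM Name" contains a
# space), the Date line and the rulers do not match and are skipped.
LINE_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats(text):
    """Return {counter: {thread: value}} for a stats.log dump.

    If the file holds several dumps, later rows overwrite earlier ones per
    (counter, thread), so the result reflects the most recent dump.
    """
    counters = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counter, thread, value = m.groups()
            counters[counter][thread] = int(value)
    return counters


def total(counters, name):
    """Sum a counter over all threads; 0 if the counter is absent."""
    return sum(counters.get(name, {}).values())


def capture_summary(counters):
    packets = total(counters, "capture.kernel_packets")
    drops = total(counters, "capture.kernel_drops")
    decoded = total(counters, "decoder.pkts")
    return {
        "kernel_packets": packets,
        "kernel_drops": drops,
        "kernel_ifdrops": total(counters, "capture.kernel_ifdrops"),
        "decoded": decoded,
        "drop_ratio": drops / packets if packets else 0.0,
        # Packets the kernel counted that were neither dropped nor decoded;
        # a small residue is normal (in-flight packets at dump time).
        "unaccounted": packets - drops - decoded,
    }


def health_findings(counters, drop_threshold=0.01):
    """Return human-readable findings worth chasing, most important first."""
    s = capture_summary(counters)
    findings = []
    if s["drop_ratio"] > drop_threshold:
        findings.append(
            f"kernel drops {s['drop_ratio']:.1%} of {s['kernel_packets']} "
            "packets: capture/worker threads are not keeping up")
    if s["kernel_ifdrops"]:
        findings.append(
            f"interface dropped {s['kernel_ifdrops']} packets before the "
            "capture buffer (NIC/driver level)")
    entered = total(counters, "flow.emerg_mode_entered")
    if entered:
        findings.append(
            f"flow engine entered emergency mode {entered} time(s): flow "
            "table exhausted for this traffic (flow memcap/prealloc)")
    for name in ("tcp.ssn_memcap_drop", "tcp.segment_memcap_drop"):
        if total(counters, name):
            findings.append(f"{name}={total(counters, name)}: stream memcap too small")
    gaps = total(counters, "tcp.reassembly_gap")
    if gaps:
        findings.append(
            f"{gaps} TCP reassembly gaps: missing segments (expected while "
            "the kernel is dropping packets)")
    return findings


if __name__ == "__main__":
    stats = parse_stats(SAMPLE_STATS)
    for k, v in capture_summary(stats).items():
        print(f"{k:16} {v}")
    for f in health_findings(stats):
        print("-", f)
```

Run it against a live `stats.log` by reading the file in place of `SAMPLE_STATS`; because the counters are cumulative, compare two dumps a few minutes apart (subtract the earlier values) if you want the drop rate for a window rather than since startup.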
