[Oisf-users] getting started with suri -- tuning

Russell Fulton r.fulton at auckland.ac.nz
Sat Jul 27 08:58:21 UTC 2013


Thanks rmkml!

I had an older version of this.  I will work through this next week.

Russell


On 27/07/2013, at 8:06 PM, rmkml <rmkml at yahoo.fr> wrote:

> Hi Russell,
> 
> Have you followed this, please?:
> 
> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
> 
> Regards
> @Rmkml
> 
> 
> 
> 
> -------- Original message --------
> From: Russell Fulton <r.fulton at auckland.ac.nz> 
> Date: 
> To: oisf-users at openinfosecfoundation.org 
> Subject: [Oisf-users] getting started with suri -- tuning 
> 
> 
> Hi
> 
> I now have suri running on my test sensor (ubuntu with suri from current security onion packages).  Machine has 16 cores and 8GB of memory and is seeing on the order of 800Mbps of traffic.  Currently using Pcap while I get the pf_ring stuff sorted out.
> 
> Suri is reporting dropping 70% of the packets.  I have used the config file that came with SO package — suitably tweaked for our setup.
> 
> Currently running the full ETPRO rule set.
> 
> Here is a stats output:
> 
> Date: 7/26/2013 -- 14:31:54 (uptime: 0d, 00h 01m 32s)
> -------------------------------------------------------------------
> Counter                   | TM Name                   | Value
> -------------------------------------------------------------------
> capture.kernel_packets    | RxPcapeth21               | 23599804
> capture.kernel_drops      | RxPcapeth21               | 21082434
> capture.kernel_ifdrops    | RxPcapeth21               | 0
> decoder.pkts              | RxPcapeth21               | 2515967
> decoder.bytes             | RxPcapeth21               | 2349840746
> decoder.ipv4              | RxPcapeth21               | 2486962
> decoder.ipv6              | RxPcapeth21               | 65854
> decoder.ethernet          | RxPcapeth21               | 2515967
> decoder.raw               | RxPcapeth21               | 0
> decoder.sll               | RxPcapeth21               | 0
> decoder.tcp               | RxPcapeth21               | 915676
> decoder.udp               | RxPcapeth21               | 483078
> decoder.sctp              | RxPcapeth21               | 0
> decoder.icmpv4            | RxPcapeth21               | 4666
> decoder.icmpv6            | RxPcapeth21               | 299
> decoder.ppp               | RxPcapeth21               | 60
> decoder.pppoe             | RxPcapeth21               | 0
> decoder.gre               | RxPcapeth21               | 78
> decoder.vlan              | RxPcapeth21               | 0
> decoder.teredo            | RxPcapeth21               | 36898
> decoder.ipv4_in_ipv6      | RxPcapeth21               | 0
> decoder.ipv6_in_ipv6      | RxPcapeth21               | 0
> decoder.avg_pkt_size      | RxPcapeth21               | 934
> decoder.max_pkt_size      | RxPcapeth21               | 1482
> defrag.ipv4.fragments     | RxPcapeth21               | 307
> defrag.ipv4.reassembled   | RxPcapeth21               | 11
> defrag.ipv4.timeouts      | RxPcapeth21               | 0
> defrag.ipv6.fragments     | RxPcapeth21               | 279
> defrag.ipv6.reassembled   | RxPcapeth21               | 26
> defrag.ipv6.timeouts      | RxPcapeth21               | 0
> defrag.max_frag_hits      | RxPcapeth21               | 0
> tcp.sessions              | Detect                    | 18145
> tcp.ssn_memcap_drop       | Detect                    | 0
> tcp.pseudo                | Detect                    | 15
> tcp.invalid_checksum      | Detect                    | 606
> tcp.no_flow               | Detect                    | 0
> tcp.reused_ssn            | Detect                    | 0
> tcp.memuse                | Detect                    | 12058624
> tcp.syn                   | Detect                    | 19130
> tcp.synack                | Detect                    | 16282
> tcp.rst                   | Detect                    | 8280
> tcp.segment_memcap_drop   | Detect                    | 0
> tcp.stream_depth_reached  | Detect                    | 0
> tcp.reassembly_memuse     | Detect                    | 11292544
> tcp.reassembly_gap        | Detect                    | 26
> detect.alert              | Detect                    | 0
> flow_mgr.closed_pruned    | FlowManagerThread         | 53074
> flow_mgr.new_pruned       | FlowManagerThread         | 25531
> flow_mgr.est_pruned       | FlowManagerThread         | 0
> flow.memuse               | FlowManagerThread         | 30216944
> flow.spare                | FlowManagerThread         | 10187
> flow.emerg_mode_entered   | FlowManagerThread         | 1
> flow.emerg_mode_over      | FlowManagerThread         | 1
> -------------------------------------------------------------------
> 
> How do I figure out what is wrong?
> 
> Russell
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
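One way to answer "how do I figure out what is wrong?" from a stats block like the one quoted above, as an added example for this thread (not code from the original mail or from the Suricata project): the script parses stats.log counter lines, sums each counter across capture threads, computes the kernel drop rate, and flags the counters that most often explain drops. The 5% drop threshold and the wording of the findings are assumptions of this example; the sample input is a subset of the stats output quoted in the thread.

```python
"""Summarise a Suricata stats.log block: capture drop rate and a few
health flags relevant to the tuning question in this thread.

Added example for this thread, not code from the original mail or from
the Suricata project. The counter names are the ones printed in the
stats block above; the 5% drop threshold and the finding texts are
assumptions of this example.
"""
import re
from typing import Dict, List, Tuple

# A stats.log counter line looks like:
#   capture.kernel_drops      | RxPcapeth21               | 21082434
COUNTER_RE = re.compile(r"^\s*([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

# Subset of the stats output quoted in the thread (copied from it, not constructed).
SAMPLE_STATS = """\
Date: 7/26/2013 -- 14:31:54 (uptime: 0d, 00h 01m 32s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapeth21               | 23599804
capture.kernel_drops      | RxPcapeth21               | 21082434
capture.kernel_ifdrops    | RxPcapeth21               | 0
decoder.pkts              | RxPcapeth21               | 2515967
tcp.ssn_memcap_drop       | Detect                    | 0
tcp.invalid_checksum      | Detect                    | 606
tcp.segment_memcap_drop   | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 26
flow.emerg_mode_entered   | FlowManagerThread         | 1
flow.emerg_mode_over      | FlowManagerThread         | 1
-------------------------------------------------------------------
"""


def parse_stats(text: str) -> Dict[Tuple[str, str], int]:
    """Return {(counter, thread_name): value} for every counter line.

    The Date line, the header row and the separator rows do not match the
    pattern and are skipped.
    """
    stats: Dict[Tuple[str, str], int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            stats[(m.group(1), m.group(2))] = int(m.group(3))
    return stats


def counter(stats: Dict[Tuple[str, str], int], name: str) -> int:
    """Sum a counter over all threads (multi-thread capture prints one row per thread)."""
    return sum(v for (n, _tm), v in stats.items() if n == name)


def drop_rate(stats: Dict[Tuple[str, str], int]) -> float:
    """Fraction of captured packets the kernel dropped before Suricata read them."""
    pkts = counter(stats, "capture.kernel_packets")
    drops = counter(stats, "capture.kernel_drops")
    return drops / pkts if pkts else 0.0


def diagnose(stats: Dict[Tuple[str, str], int], drop_threshold: float = 0.05) -> List[str]:
    """Return tagged findings; an empty list means nothing stood out."""
    findings: List[str] = []
    rate = drop_rate(stats)
    if rate > drop_threshold:
        findings.append(
            f"DROPS: kernel dropped {rate:.1%} of captured packets; Suricata is not "
            "keeping up with the capture (capture method, thread count and ruleset "
            "size are the usual knobs)")
    if counter(stats, "flow.emerg_mode_entered") > 0:
        findings.append(
            "EMERG: flow engine entered emergency mode, i.e. it ran out of spare "
            "flows (see the flow memcap/prealloc and flow-timeouts settings)")
    if counter(stats, "tcp.ssn_memcap_drop") or counter(stats, "tcp.segment_memcap_drop"):
        findings.append("MEMCAP: stream engine dropped sessions or segments at its memcap")
    if counter(stats, "tcp.invalid_checksum") > 0:
        findings.append(
            "CHECKSUM: TCP segments with bad checksums seen; on a capture port this is "
            "commonly NIC checksum offloading (disable offloading on the capture "
            "interface, or disable checksum validation in the stream section)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_stats(SAMPLE_STATS)):
        print(finding)
```

Run against the quoted block the script reports a kernel drop rate of about 89%, that the flow engine entered emergency mode, and that invalid TCP checksums were seen; it is silent on the stream memcaps, whose drop counters are zero. Pointing it at a live stats.log that has several blocks means running it on the last block only (the file is appended to every interval).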



