[Oisf-users] getting started with suri -- tuning

Cooper F. Nelson cnelson at ucsd.edu
Sat Jul 27 14:30:40 UTC 2013


You probably don't have enough memory. You want at least 2 gigs per
core. I would suggest trying to run suri without signatures first to
see if it can even keep up with tracking flows.

You can also try adding these settings to sysctl.conf (make permanent
with sysctl -p)

> net.core.netdev_max_backlog = 1000000
> net.core.rmem_default = 1073741824
> net.core.rmem_max = 1073741824

-Coop

On 7/26/2013 4:26 PM, Russell Fulton wrote:
> Hi
> 
> I now have suri running on my test sensor (ubuntu with suri from current security onion packages).  Machine has 16 cores and 8GB of memory and is seeing order of 800Mbps traffic.  Currently using Pcap while I get the pf_ring stuff sorted out.
> 
> Suri is reporting dropping 70% of the packets.  I have used the config file that came with SO package — suitably tweaked for our setup.
> 
> Currently running the full ETPRO rule set.
> 
> here is a stats output:
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
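
A check of a sensor's memory and sysctl.conf against the figures in the reply above, added here as an example and not part of the original message. The function names and the file-parsing approach are assumptions; the thresholds are the values quoted in the message.

```shell
#!/usr/bin/env bash
# Added example: audit a sensor against the figures quoted in this reply.
# Function names are hypothetical; thresholds are the values in the message.

MIN_KB_PER_CORE=$((2 * 1024 * 1024))   # "at least 2gigs per core", in kB

# mem_per_core_ok TOTAL_KB CORES: succeeds if memory per core meets the guideline
mem_per_core_ok() {
    [ $(( $1 / $2 )) -ge "$MIN_KB_PER_CORE" ]
}

# sysctl_conf_value FILE KEY: prints the last uncommented value set for KEY
sysctl_conf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        { k = $1; v = $2
          gsub(/[ \t]/, "", k); gsub(/[ \t\r]/, "", v)
          if (k == key) val = v }
        END { if (val != "") print val }' "$1"
}

# audit_sysctl FILE: prints each key that is unset or below the suggested
# value and returns 1 if there is at least one
audit_sysctl() {
    local rc=0 key want have
    while read -r key want; do
        have=$(sysctl_conf_value "$1" "$key")
        if [ -z "$have" ] || [ "$have" -lt "$want" ]; then
            echo "$key: have ${have:-unset}, suggested $want"
            rc=1
        fi
    done <<'EOF'
net.core.netdev_max_backlog 1000000
net.core.rmem_default 1073741824
net.core.rmem_max 1073741824
EOF
    return "$rc"
}

# audit_host [FILE]: checks this Linux host (reads /proc/meminfo, uses nproc)
audit_host() {
    local kb
    kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    mem_per_core_ok "$kb" "$(nproc)" || echo "memory: below 2 GB per core"
    audit_sysctl "${1:-/etc/sysctl.conf}"
}

# Run the host audit only when a sysctl.conf path is given as an argument
if [ "$#" -gt 0 ]; then audit_host "$1"; fi
```

With the numbers from the quoted question (16 cores, 8GB), `mem_per_core_ok 8388608 16` fails. The sysctl check reads the configuration file, not the values the running kernel currently has.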


