[Oisf-users] af_packet vs pfring
Peter Manev
petermanev at gmail.com
Mon Jul 29 13:43:17 UTC 2013
On 29 jul 2013, at 14:29, Peter Bates <peter.bates at ucl.ac.uk> wrote:
> Hello all
>
> On 29/07/2013 14:04, Peter Manev wrote:
>>> That is a loaded question. There are numerous dependencies - what type of traffic is predominant, what type of HW, how much traffic, how much HW resources are available, how many rules, which rule set (VRT/ET/ETPro) ....
>
> I have between 3-4Gbps of traffic, 32 cores, 64Gb of RAM
> and was testing with no rules.
> However possibly the 'out of the box' suricata.yaml is not tuned/tweaked
> to our requirements.
Most likely. (kernel 3.2 and above)
I would try, just to begin with:
- afpacket, max pending packets - 200K
- 32 threads
- prealloc sessions - 1mil
- mpm context "full"
The above alone would be about 15-17 GB of RAM right away, I think.
Then test pfring.
Make sure you run the latest net card drivers.
Just my suggestion.
>
> I'll revisit this shortly - in the meantime is it more sensible to
> be testing against the stable 1.4.x branch or 2.x/GIT?
I would suggest 1.4.5 for production.
>
> - --
> Peter Bates
> Senior Information Security Officer Phone: +44(0)2076792049
> Information Services Division Internal Ext: 32049
> University College London
> London WC1E 6BT
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/