[Oisf-users] IPS advice wanted

David Nadle david at nadle.com
Tue Aug 12 14:13:19 UTC 2014


I'm running Suricata in inline mode on a small Centos-6.5 server with an 8-core Atom processor and 16 GB of RAM. This is to protect a small home office / residence.

I started out running in workers mode. Unfortunately I haven't been able to get the NFQUEUE --queue-balance to work with the Centos 6.5 kernel. It sends everything to queue zero. So I created forwarding rules that send the inbound traffic to queue 0 and the outbound to queue 1.

-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j NFQUEUE --queue-num 0
-A FORWARD -i eth1 -o eth0 -j NFQUEUE --queue-num 1

This seemed to work ok but it means I have just two threads running. I also had to have my VOIP phone bypass the queue. Too many dropouts.

I'm currently trying autofp mode with a single queue (14 processing threads, 3 management threads), and even though I've set memcap values very generously I see nonzero tcp.reassembly_gap. I'm also seeing some buffering issues with video streaming services like Netflix. While this load is going on the server CPU and RAM are not especially taxed. There's lots of idle percentage and lots of RAM free.

What should I try next? Should I go back to workers mode? I thought about splitting into 4 queues by inbound/outbound, tcp/other. Should I have video streaming clients bypass the IPS as well?

Thanks in advance,
David Nadle
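An added example, not part of the post above, that models the three queue-selection policies discussed: the current inbound/outbound split, the proposed four-way split by direction and tcp/other, and a simplified direction-independent hash standing in for what --queue-balance does (the kernel hashes the address pair symmetrically; the hash used here is an assumption, not the kernel's). It assumes eth0 is the outside interface and eth1 the inside one, as the FORWARD rules suggest, and checks whether each policy keeps both directions of a flow in the same queue, which is what a per-queue Suricata worker needs to reassemble it.

```python
from dataclasses import dataclass
import hashlib

# Assumed interface roles, taken from the FORWARD rules in the post:
# eth0 faces the outside, eth1 the inside network.
OUTSIDE, INSIDE = "eth0", "eth1"


@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrived on
    src: str     # source IP (constructed sample values in the test)
    dst: str     # destination IP
    proto: str   # "tcp", "udp", ...


def direction_split(pkt: Packet) -> int:
    """The post's two-queue rules: inbound -> queue 0, outbound -> queue 1."""
    return 0 if pkt.in_if == OUTSIDE else 1


def four_way_split(pkt: Packet) -> int:
    """The proposed four queues: direction x (tcp / everything else)."""
    return direction_split(pkt) * 2 + (0 if pkt.proto == "tcp" else 1)


def flow_symmetric(pkt: Packet, queues: int = 4) -> int:
    """Simplified model of --queue-balance: hash the address pair in a
    direction-independent order so both directions of a flow land in the
    same queue. The real kernel uses a different hash; only the symmetry
    property is modelled here."""
    a, b = sorted((pkt.src, pkt.dst))
    digest = hashlib.sha256(f"{a}|{b}|{pkt.proto}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % queues


def both_directions_same_queue(policy, client: str, server: str, proto: str) -> bool:
    """True if the policy sends a flow's request and reply to the same queue,
    i.e. to the same Suricata worker thread."""
    outbound = Packet(INSIDE, client, server, proto)   # client -> server
    inbound = Packet(OUTSIDE, server, client, proto)   # server -> client
    return policy(outbound) == policy(inbound)
```

With the direction-based splits, the reply half of every flow is handled by a different queue than the request half; the symmetric hash keeps them together regardless of how many queues are used.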