[Oisf-users] Rule Sets

Cooper F. Nelson cnelson at ucsd.edu
Sat Mar 15 22:14:05 UTC 2014


17k rules
16 cores
~5Gbit average

If I remember correctly, recommended sizing is 1 core per 50 mbit of

I'm "cheating" a bit by aggressively sampling IP traffic via BPF
filters.  If you want to try that I'll suggest starting by sampling HTTP
traffic if you don't care about the body of the server response.

You can do that via this bpf filter expression:

> (not tcp port 80 or (tcp dst port 80 or (tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450))))

Another thing to try is to run suricata without any rules to make sure
it's processing packets/flows correctly.

-Coop

On 3/14/2014 7:39 PM, Adnan Baykal wrote:
> Can you guys tell me how many rules are you loading into your Suricata
> Instance and what kind of hardware (CPU/Memory) and how much traffic are
> you monitoring?
> I have a 6 core single CPU with 16GB ram - if I am monitoring a 600MB/s
> throughput network, how many rules should I be able to load and process?
> my nic is not dropping a single packet, however, when I load about 13K
> rules, all the threads are 100% and suricata kernel packet drop goes over
> 50%. I am trying to figure out if it is my hardware setup or tuning of
> suricata that is the problem. (I am running PF_RING)
> any info and help is appreciated.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
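As an added illustration that is not part of Cooper's post: a Python emulation of the BPF sampling expression he quotes, run over a few constructed TCP segments (not captured traffic), so you can see which server-to-client port-80 segments survive the filter and which are dropped before they reach Suricata.

```python
import struct

HTTP_MAGIC = 0x48545450          # the 4-byte compare in the filter: ASCII "HTTP"
TCP_FIN, TCP_SYN, TCP_ACK, TCP_PSH = 0x01, 0x02, 0x10, 0x08


def build_tcp(src_port, dst_port, flags, payload=b"", options=b""):
    """Construct a minimal TCP segment (header + options + payload); checksums are zero."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset = (20 + len(options)) // 4              # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      data_offset << 4, flags, 65535, 0, 0)
    return hdr + options + payload


def keep_segment(tcp):
    """Emulate:
    not tcp port 80 or (tcp dst port 80 or (tcp src port 80 and
        (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or
         tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)))
    """
    src, dst = struct.unpack("!HH", tcp[:4])
    if src != 80 and dst != 80:                         # non-HTTP traffic passes untouched
        return True
    if dst == 80:                                       # client -> server: always kept
        return True
    flags = tcp[13]                                     # tcp[tcpflags]
    if flags & (TCP_SYN | TCP_FIN):                     # keep handshake/teardown from server
        return True
    # (tcp[12] & 0xf0) >> 2 == data offset in bytes, i.e. where the payload starts
    off = (tcp[12] & 0xF0) >> 2
    word = tcp[off:off + 4]
    # BPF fails the match if the load runs past the packet (pure ACK, short body)
    return len(word) == 4 and struct.unpack("!I", word)[0] == HTTP_MAGIC


# Constructed sample segments for one web session plus an unrelated TLS segment.
SAMPLES = {
    "client SYN":           build_tcp(40000, 80, TCP_SYN),
    "server SYN/ACK":       build_tcp(80, 40000, TCP_SYN | TCP_ACK),
    "server status line":   build_tcp(80, 40000, TCP_PSH | TCP_ACK, b"HTTP/1.1 200 OK\r\n"),
    "server body chunk":    build_tcp(80, 40000, TCP_PSH | TCP_ACK, b"<html><body>"),
    "server pure ACK":      build_tcp(80, 40000, TCP_ACK),
    "server w/ options":    build_tcp(80, 40000, TCP_PSH | TCP_ACK, b"HTTP/1.1 304",
                                      options=b"\x01" * 12),     # 12 NOP bytes
    "unrelated TLS":        build_tcp(51000, 443, TCP_PSH | TCP_ACK, b"\x16\x03\x01"),
}


def sampled():
    """Return {name: kept?} for the constructed segments."""
    return {name: keep_segment(seg) for name, seg in SAMPLES.items()}
```

Only the response status line (and SYN/FIN) from the server side is retained; body segments and bare ACKs are discarded, which is why the rule set never sees the server body.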