[Oisf-users] Suricata Myricom and 10Gbit

Michał Purzyński michalpurzynski1 at gmail.com
Mon Mar 31 23:47:38 UTC 2014


                     SNF recv pkts:            328287934
                SNF drop ring full:                    0

OK. So. The data ring size is for all workers, i.e. if I allocate 10GB then
I need just 10GB of physical memory. What made me think otherwise are tools
like top, htop, free -m. They actually show num_workers x data_ring_size =
crazy amount of memory I don't have. But because all workers map the same
physical memory it does not matter, because all I need is just virtual
memory to handle the mapping and that's it.

Sending around 3.5Gbit/sec now (in peak, goes down to 2Gbit/sec) and
Myricom says that Suricata takes all the packets. Will debug the Suricata
performance later tomorrow, it's 2AM :-)


On Tue, Apr 1, 2014 at 1:23 AM, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:

> As for the decoder rules - I don't remember disabling them (where can I
> read more?).
>
> Suricata says.
>
> 31/3/2014 -- 18:29:38 - <Info> - 2441 signatures processed. 133 are
> IP-only rules, 611 are inspecting packet payload, 1554 inspect application
> layer, 0 are decoder event only
>
>
> On Tue, Apr 1, 2014 at 1:22 AM, Michał Purzyński <
> michalpurzynski1 at gmail.com> wrote:
>
>> Argh, I've sent replies directly instead of the list, my apologies, Gmail
>> web interface isn't my native env.
>>
>> Anyway.
>>
>> There are around 4 cores busy most of the time and the rest floating.
>> There is nothing sitting at 100% all the time.
>>
>> I use the ETOpen rule set, testing ETPro is my next step.
>>
>> Enabled are (only)
>>
>> ET-emerging-worm
>> ET-emerging-snmp
>> ET-emerging-attack_response
>> ET-emerging-botcc.portgrouped
>> ET-emerging-botcc
>> ET-emerging-ciarmy
>> ET-emerging-current_events
>>
>> and also ET-emerging-chat without IRC
>>
>> How much memory do you have in your sensors? SNF_DATARING_SIZE = 32GB
>> times 16 is 512GB.
>>
>> Also, how do you start Suricata - I use the eth4 interface, is there any
>> difference with using the snf0?
>>
>>
>> On Mon, Mar 31, 2014 at 4:52 PM, Erich Lerch <erich.lerch at gmail.com> wrote:
>>
>>> Michał,
>>>
>>> We have a similar setup, also with the Myricom 10gb interface.
>>>
>>>
>>>
>
>
> --
> Michał Purzyński
>



-- 
Michał Purzyński
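
Added example, not part of the original message or of Suricata/Myricom code: it shows why per-process tools report num_workers x data_ring_size for a ring that every worker maps from the same physical pages, by summing Rss and Pss over `/proc/<pid>/smaps` text. The smaps excerpts are constructed, and the mapping name `/dev/snf_ring_example`, the PIDs and the worker count are assumptions made for illustration.

```python
import re

RING = "/dev/snf_ring_example"   # hypothetical mapping name, not a real driver path
N_WORKERS = 4                    # assumed worker count
RING_KB = 10 * 1024 * 1024       # 10 GB data ring, in kB

def make_smaps(n_workers, ring_kb, name):
    """Build constructed smaps text: every worker maps the same shared ring."""
    out = {}
    for i in range(n_workers):
        out[1000 + i] = (
            f"7f0000000000-7f0280000000 rw-s 00000000 00:06 1234 {name}\n"
            f"Size: {ring_kb} kB\n"
            f"Rss: {ring_kb} kB\n"                # shared pages counted in full
            f"Pss: {ring_kb // n_workers} kB\n"   # shared pages split among sharers
            "55d0c0000000-55d0c0200000 rw-p 00000000 00:00 0 [heap]\n"
            "Size: 2048 kB\nRss: 2048 kB\nPss: 2048 kB\n"
        )
    return out

HEADER = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")
FIELD = re.compile(r"^(Rss|Pss):\s+(\d+) kB$")

def mapping_totals(smaps_text, name):
    """Return (rss_kb, pss_kb) summed over mappings whose path equals name."""
    totals = {"Rss": 0, "Pss": 0}
    current = None
    for line in smaps_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1).strip()
            continue
        field = FIELD.match(line)
        if field and current == name:
            totals[field.group(1)] += int(field.group(2))
    return totals["Rss"], totals["Pss"]

def summarize(per_pid, name):
    """Sum the ring's Rss and Pss across all worker processes."""
    pairs = [mapping_totals(text, name) for text in per_pid.values()]
    return sum(r for r, _ in pairs), sum(p for _, p in pairs)

if __name__ == "__main__":
    rss_kb, pss_kb = summarize(make_smaps(N_WORKERS, RING_KB, RING), RING)
    print(f"sum of Rss over workers: {rss_kb // 1024 // 1024} GB")
    print(f"sum of Pss over workers: {pss_kb // 1024 // 1024} GB")
```

On a live sensor the same functions can be fed the contents of each worker's `/proc/<pid>/smaps`; the Pss total is the figure to compare against installed RAM.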