[Oisf-users] Occasional burst of packet loss

Yasha Zislin coolyasha at hotmail.com
Thu Nov 6 17:14:04 UTC 2014


I have a lot of RAM to work with (132GB). Besides tweaking libhtp, I've increased stream and flow buffers. In addition, I have two interfaces with 20 detection threads for each interface. Plus I have a 20k ruleset. My memory consumption is big. It starts with around 80gb and grows to 105gb over time. I've been trying to tweak and tune my config but I don't want to have packet loss.
It seems that after increasing libhtp buffers, my alert count increased.
Date: Thu, 6 Nov 2014 18:07:26 +0100
From: michal at rsbac.org
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Occasional burst of packet loss

body-limit 1GB? That's huge, isn't it? What does the performance look like?

I'm running with something around 20MB+

On 06/11/14 16:20, Yasha Zislin wrote:

    I've tried af-packet mode in the beginning and had a high packet loss. Most likely I didn't configure it right, but I've gotten so used to PF_RING, I think I can make it work, just have to tune suricata config.

    I've increased libhtp request-body-limit and response-body-limit values to 1gb. It seems to be holding up without any loss.
    I've also changed rx-usecs to 1. In addition, I've reduced pf_ring ring slots. So maybe this will just work.

    Thanks for all of the information.

    > Date: Wed, 5 Nov 2014 09:30:13 -0800
    > From: cnelson at ucsd.edu
    > To: coolyasha at hotmail.com; petermanev at gmail.com
    > CC: oisf-users at lists.openinfosecfoundation.org
    > Subject: Re: [Oisf-users] Occasional burst of packet loss
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > My config is a little different.
    >
    > I'm running Suricata 2.1dev, built from the git sources. I usually
    > update it weekly.
    >
    > I'm running af-packet/mmap mode; which has an option to set a socket
    > buffer per-thread.
    >
    > In my case, increasing the socket buffer size resulted in less (but not
    > zero) packet drops during bursty traffic.
    >
    > I also admit that I'm not familiar with the inner workings of PF_RING,
    > but it may be that the addition of a socket-buffer in af-packet/mmap
    > mode can mitigate packet drops due to periods of extremely high packet
    > rates. The linux kernel and PF_RING are not magic and if anywhere in
    > the networking stack you are pushing packets faster than the relevant
    > FIFO can process them you will get packet drops. Buffered IO can
    > alleviate this to a certain extent.
    >
    > So, if you have the time, I would suggest trying a test with the latest
    > git release, fresh kernel/drivers and af-packet/mmap mode with at least
    > a megabyte of socket buffers.
    >
    > - -Coop
    >
    > On 11/5/2014 7:28 AM, Yasha Zislin wrote:
    > > I am using the latest Suricata release 2.0.4. BTW, I've had the 2.0.1 version
    > > running recently and I had a drastic drop in the number of alerts after like
    > > 5 hours of starting Suricata. 2.0.4 fixed that.
    > >
    > > Actually, I managed to get the pf_ring number of slots way higher than
    > > the suggested default.
    > > I found out that the maximum number for me was 400000. Originally during
    > > config tweaking, I've noticed that a higher number of slots did improve
    > > packet loss.
    > > Recently, I've started testing with a lower number of slots (200000), same
    > > behavior as far as occasional burst of packet loss.
    > >
    >
    > - --
    > Cooper Nelson
    > Network Security Analyst
    > UCSD ACT Security Team
    > cnelson at ucsd.edu x41042
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v2.0.17 (MingW32)
    >
    > iQEcBAEBAgAGBQJUWl6lAAoJEKIFRYQsa8FW8WAH/0NN7NogZ4B+KlbQla4EBZOC
    > TBqv7IsjW7/tmS+u+k6VpRvP/1BbmMEdWbbOfz66uSaxFMMaZZFAC0PB9DXfROAL
    > njdOQiCrienEsJD5xhIZTjZ+Q+brv9WicUAr0YtLKZ25/Y9jPD/crXQ21aBWa+yp
    > IKIuhluclLBC0brd9nHGweKwd9BGc7e4NOUFu2gIGWVn3053OiZu1lyuqzrE3Fcw
    > FP0sUJ+afhO8COrND+jehHoVTuLRde0+wbCav1srq3EcMGuctOhKBbqhvJS9iF4n
    > +fvDTmeItxvZSOfDuMxyMfhT07Vt7GS4/T7EY+udaQhmiPTiJy1fkmuyAxTLtP0=
    > =DxQR
    > -----END PGP SIGNATURE-----

      _______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Training now available: http://suricata-ids.org/training/
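The settings argued over in this thread (libhtp body limits, a per-thread af-packet socket buffer, PF_RING ring slots) all live in suricata.yaml or in the pf_ring module options. The fragment below is an added illustration, not configuration posted by anyone on the list; interface names, thread counts and cluster ids are placeholders, and the sizes are the figures the participants mention, shown side by side so the memory trade-off is visible. The af-packet `buffer-size` and `ring-size` keys, the `use-mmap` flag and the libhtp `request-body-limit`/`response-body-limit` keys are standard Suricata options; `min_num_slots` is a pf_ring kernel module parameter, not a suricata.yaml key.

```yaml
# suricata.yaml fragments (added example, not from the thread).
# Interface names, thread counts and cluster ids are placeholders.

libhtp:
  default-config:
    # Cap on how much of each HTTP request/response body is buffered and
    # inspected per transaction. Yasha runs 1gb, Michal runs about 20mb.
    # A larger cap means more body data is available to rules (hence the
    # higher alert count Yasha saw) but also far more memory per live
    # HTTP transaction, which is what makes 1gb "huge".
    request-body-limit: 20mb
    response-body-limit: 20mb

af-packet:
  - interface: eth1          # placeholder
    threads: 20              # Yasha's 20 threads per interface
    cluster-id: 99           # placeholder
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes            # af-packet/mmap mode, as Cooper runs it
    # Per-thread socket receive buffer, in bytes. Cooper suggests at least
    # a megabyte; it absorbs short bursts that would otherwise be dropped
    # before Suricata's threads get to them.
    buffer-size: 1048576
    # Number of frames in the mmap ring per thread.
    ring-size: 200000

# PF_RING alternative (Yasha's setup). The slot counts discussed in the
# thread (200000 and 400000) are set on the kernel module, e.g.
#   modprobe pf_ring min_num_slots=200000
# not in this file.
pfring:
  - interface: eth1          # placeholder
    threads: 20
    cluster-id: 99           # placeholder
    cluster-type: cluster_flow
```

Whichever capture method is used, the check that tells you whether a change helped is the same: watch the capture drop counters in Suricata's stats output (and the NIC's own rx drop counters) across a burst before and after the change, rather than relying on alert volume, since alert count also moves with the body limits.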