[Oisf-users] Figuring out how many cpus to allocate

Cooper F. Nelson cnelson at ucsd.edu
Wed Oct 8 03:27:51 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What you probably want is "workers" runmode and then load balance flows
across all cores.  I've copied the most relevant bits from my
suricata.yaml.  Note that under worker mode you only have management and
detect threads.

> runmode: workers

> set-cpu-affinity: yes

>   cpu-affinity:
>     - management-cpu-set:
>         cpu: [ 0-15 ]  # include only these cpus in affinity settings
>         mode: "balanced"
>         prio:
>           default: "low"

>     - detect-cpu-set:
>         cpu: [ 0-15 ]
>         mode: "exclusive" # run detect threads in these cpus

> detect-thread-ratio: 1

The more cores you have, the less likely any one will be busy enough to
drop too many packets.

- -Coop

On 10/7/2014 8:13 PM, Russell Fulton wrote:
> 
> On 8/10/2014, at 4:07 pm, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>>
>> Also is there another way to stop suricata hogging all the CPU to the point where the kernel drops packets  — apart from adding more cores ;)
> 
> Discovered the answer with in seconds of hitting send.
> 
> detect-thread-ratio:
> 
> Doh!
> 
> R
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
> 


- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJUNK83AAoJEKIFRYQsa8FWSE8H+waDjXmKcwvcyaMlhOD8/fXh
kv9OdF2GUkSmLEb7o1So5gnZFMVEGoIUBb5yobfcvgBo2Z837IxdBKwxc+Kq6haR
JR/xs4YIFoPSvWPuYlYw3FV3BRPLE7otMr0Pfz6f/TIy8vBTIGUqqif7F6nMfstS
/2ynPlIxwspYZNHJA4pN1qWdjOgma1NTLHrtnJM/ad4cT+CrjKrgXRTa3y0/uvSl
Sodk/WFWBw1AiFzjyRukwkep6kCDak/mi2THY5NtD8aY/f0QQG5d9PM62f08Lt6j
OF/AwtTW61EyKoy20Y3a/l2JEAUBMwP7yyFRQOdppyTR5xn+hSwR8kLIOE/7o1Q=
=O2ju
-----END PGP SIGNATURE-----



More information about the Oisf-users mailing list