[Oisf-users] Moving from Suricata 2.0.x to 3.0RC1
Gary Faulkner
gfaulkner.nsm at gmail.com
Tue Dec 1 20:01:19 UTC 2015
Hello,
I'm looking to give Suricata 3.0RC1 a try, but will be moving from
2.0.6. I recall when I migrated sensors from 1.4.7 to 2.0.x there were
some fairly significant changes to the configuration and performance
characteristics and so I'm wondering if there is anything to be aware of
when attempting to migrate to 3.0RC1. I'm currently running Suricata
with PF_RING using DNA IXGBE drivers (Intel 10Gbps NICs), in workers
mode with ET Pro rules (20K) on RHEL 6.6 and moving to RHEL 6.7. I
hadn't made the jump to PF_RING ZC yet, but could do so, I just seem to
remember there being some bugs being worked on previously and stuck with
DNA. I understand a lot has changed in terms of added features. I'm
mostly looking to see if I'm likely to need to make significant changes
in terms of configuration, need to rethink hardware, PF_RING usage
etc. An example might be if Suricata needed more memory due to new
features, code changes, needed some special work-around etc. Looking at
running 10-20Gbps of traffic through a couple Dell R720s (16/32 2.6GHz
cores/threads each and 64G RAM) running about 30 workers each. I have a
server I can run a copy of some production traffic through for testing.
Regards,
Gary