[Oisf-users] [Discussion] Suricata Performance Tuning (kernel_drops very high)

Barkley, Joey Joey.Barkley at ingramcontent.com
Tue Jan 13 20:01:46 UTC 2015

Ok. Thanks for the suggestions. I had taken it out of workers mode as I read that was for pf_ring and I'm using af_packet. I'll try these suggestions and report back. 

I am on CentOS 6. I'm not positive of the exact kernel version (not at my desk to check), but it would be whatever was available via the public yum repos about a month ago. I just took over this project and am learning as I go. 

It is possible there are capture problems on that port. I'll check with our network engineers and see what they say about the configuration. 



> On Jan 13, 2015, at 12:14 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> +1 for using the 'workers' runmode and using bpf filters to sample traffic.
> Also, run it without any rules or logging enabled until you figure out
> where your performance issues are.
> -Coop
>> On 1/13/2015 5:44 AM, Jay M. wrote:
>> Also suggest looking into testing a good bpf filter to cull down on
>> noisy and irrelevant traffic for that kind of volume.
>> Curious which distro / kernel are you using?
>> --
>> Jay
>> jskier at gmail.com
> -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
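The baseline the replies above describe (af_packet in the 'workers' runmode, no rules loaded, a BPF filter to thin the traffic) and a check of how bad the kernel drops actually are, as an added example that is not code from anyone in this thread. The interface name, file paths and the BPF expression are placeholders; the stats.log excerpt is constructed to match the 2.0-era "Counter | TM Name | Value" layout and is not output from the poster's sensor. `-S /dev/null` uses Suricata's exclusive-rule-file option with an empty file so no signatures load; log outputs still have to be disabled in suricata.yaml.

```shell
#!/bin/sh
# Added example, not code from the thread. Baseline diagnostic run for a
# Suricata af_packet sensor in workers runmode with no rules and a BPF
# filter, plus a check of capture.kernel_drops against capture.kernel_packets
# in stats.log. Interface, paths and the filter are placeholders.

IFACE=${IFACE:-eth0}                              # assumed capture interface
YAML=${YAML:-/etc/suricata/suricata.yaml}         # assumed config path
STATS=${STATS:-/var/log/suricata/stats.log}       # default stats.log location

# Baseline run suggested in the thread: af_packet on one interface, workers
# runmode, an empty exclusive rule file so no signatures are loaded, and a
# BPF filter as the trailing argument. Outputs (eve/fast/http logs) still
# have to be switched off in suricata.yaml. Not invoked by this script.
baseline_run() {
    suricata -c "$YAML" --af-packet="$IFACE" --runmode workers -S /dev/null \
        'not (port 443 or port 22)'
}

# Percentage of packets the kernel dropped before Suricata read them, taken
# from the most recent dump in a stats.log file. Counters are cumulative, so
# only the last block after a "Date:" header is used; per-thread rows
# (AFPacketeth01, AFPacketeth02, ...) are summed.
drop_pct() {
    awk -F'|' '
        /^Date:/                    { pk = 0; dr = 0 }
        /^capture\.kernel_packets/  { v = $3; gsub(/ /, "", v); pk += v }
        /^capture\.kernel_drops/    { v = $3; gsub(/ /, "", v); dr += v }
        END { if (pk == 0) print "0.00"; else printf "%.2f\n", 100 * dr / pk }
    ' "$1"
}

# Constructed stats.log excerpt (two dumps, two capture threads); not real
# output from the poster's sensor.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
-------------------------------------------------------------------
Date: 1/13/2015 -- 20:00:00 (uptime: 0d, 00h 01m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 1000
capture.kernel_drops      | AFPacketeth01             | 10
-------------------------------------------------------------------
Date: 1/13/2015 -- 20:01:00 (uptime: 0d, 00h 02m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 30000
capture.kernel_drops      | AFPacketeth01             | 600
capture.kernel_packets    | AFPacketeth02             | 20000
capture.kernel_drops      | AFPacketeth02             | 400
EOF

# Run against the sample; point at $STATS on a real sensor.
echo "kernel drop rate: $(drop_pct "$SAMPLE")%"
```

If the drop rate stays high even with no rules, no outputs and a filter, the capture path itself (NIC, driver, ring size, or the SPAN/tap feeding the port) is the bottleneck rather than detection; NIC-side counters from `ethtool -S` are driver-specific, so compare them before and after a run rather than trusting any one counter name.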
