[Oisf-users] [Discussion] Suricata Performance Tuning (kernel_drops very high)
Barkley, Joey
Joey.Barkley at ingramcontent.com
Tue Jan 13 20:01:46 UTC 2015
Ok. Thanks for the suggestions. I had taken it out of workers mode as I read that was for pf_ring and I'm using af_packet. I'll try these suggestions and report back.
I am on centos 6. Not positive of exact kernel version (not at my desk to check) but it would be whatever was available via public yum repos about a month ago. Just took over this project and am learning as I go.
It is possible there are capture problems on that port. I'll check with our network engineers and see what they say about the configuration.
Thanks,
Joey
> On Jan 13, 2015, at 12:14 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> +1 for using the 'workers' runmode and using bpf filters to sample traffic.
>
> Also, run it without any rules or logging enabled until you figure out
> where your performance issues are.
>
> - -Coop
>
>> On 1/13/2015 5:44 AM, Jay M. wrote:
>> Also suggest looking into testing a good bpf filter to cull down on
>> noisy and irrelevant traffic for that kind of volume.
>>
>> Curious which distro / kernel are you using?
>> --
>> Jay
>> jskier at gmail.com
>
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
>
> iQEcBAEBAgAGBQJUtWBgAAoJEKIFRYQsa8FWhKUH/3IB451sZy73R8r4yGwu5Kp0
> ExtIqutMGHdVx4E7xxUL4wmcgd00BMYK2EUwKWeMROZ3dONYGFdI0nusEBy3nI5K
> KQy8P9PDLZ0f3XVyu29K8ro/1I8ssGTbpdOqesClq07I/tDQrJb09oAQh0tg3+v7
> ksg6cSdHk0cGIMxY5l6ieXTG1azMNaQCWDGTNyqi4WhG5YY0ZAhwGkrxx9xmK1Ot
> gTm4duQS3qy20TkCn5td6JQl6yKsa81vV/n4GNWM1UdoX7WHBdaKnsYvUETxxFut
> XDx8/o+EZLDg+fr5E9GmYgqsNF1sJKW/Q8umrJpFgUpObfXT9cWTaxvpMvczoQA=
> =aFpo
> -----END PGP SIGNATURE-----
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
>
More information about the Oisf-users
mailing list