[Oisf-users] [Discussion] Suricata Performance Tuning (kernel_drops very high)
Barkley, Joey
Joey.Barkley at ingramcontent.com
Thu Jan 15 19:05:37 UTC 2015
Just wanted to let everyone know that I appreciate all the help you’ve given me so far. I updated our ids box with a 3.10 kernel and put in all the suggestions mentioned before. Once I did that, kernel drops went down significantly.
I am now in the process of building up a new system and will post back with the results after I install everything and test it. Once again, many thanks to everyone.
On Jan 13, 2015, at 2:15 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
I use workers mode with AF_PACKET, based on this guide:
https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
Be sure to disable all off-loading features on your 10G nic (this is
absolutely critical). Also, make sure you have the freshest kernel
available.
This is my af-packet config:
af-packet:
  - interface: eth2
    threads: 16
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    ring-size: 500000
    use-emergency-flush: yes
    buffer-size: 1048576
    checksum-checks: kernel
You should be using 32 threads, one per CPU as per this configuration:
threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0-31 ]  # include only these cpus in affinity settings
        mode: "balanced"
        prio:
          default: "low"
    - detect-cpu-set:
        cpu: [ 0-31 ]
        mode: "exclusive"  # run detect threads in these cpus
        prio:
          default: "high"
  detect-thread-ratio: 1
Kernel packet drops for us are under 1%. I also have an aggressive bpf
filter I can share with you off-list if you are interested in further
improving your performance.
-Coop
On 1/13/2015 12:01 PM, Barkley, Joey wrote:
Ok. Thanks for the suggestions. I had taken it out of workers mode as
I read that was for pf_ring and I'm using af_packet. I'll try these
suggestions and report back.
I am on centos 6. Not positive of exact kernel version (not at my
desk to check) but it would be whatever was available via public yum
repos about a month ago. Just took over this project and am learning
as I go.
It is possible there are capture problems on that port. I'll check
with our network engineers and see what they say about the
configuration.
Thanks,
Joey
On Jan 13, 2015, at 12:14 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
+1 for using the 'workers' runmode and using bpf filters to sample
traffic.
Also, run it without any rules or logging enabled until you figure
out where your performance issues are.
-Coop
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
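Cooper's point above that every offload feature on the capture NIC must be off is worth checking rather than assuming, since a single feature left on (GRO/LRO in particular) silently hands Suricata coalesced super-packets. As an added example that is not from this thread, a small POSIX sh script that reads `ethtool -k <iface>` output and lists the offload features still reporting "on"; the feature list and the `check_iface` wrapper are my own assumptions about what to cover, so extend the list for your NIC.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): flag NIC offload features
# that are still enabled, based on the text `ethtool -k <iface>` prints.

# Top-level offload features that should read "off" on a capture interface.
# Assumption: this list covers the common ones; add any others your NIC exposes.
OFFLOADS="rx-checksumming tx-checksumming scatter-gather"
OFFLOADS="$OFFLOADS tcp-segmentation-offload udp-fragmentation-offload"
OFFLOADS="$OFFLOADS generic-segmentation-offload generic-receive-offload"
OFFLOADS="$OFFLOADS large-receive-offload rx-vlan-offload tx-vlan-offload"
OFFLOADS="$OFFLOADS receive-hashing"

# enabled_offloads: read `ethtool -k` output on stdin and print one line per
# listed feature whose state is "on" (also matches "on [fixed]").
# Exit status: 1 if any offload is still on, 0 if the interface is clean.
enabled_offloads() {
    found=0
    while IFS= read -r line; do
        # Lines look like "tcp-segmentation-offload: on" or
        # "large-receive-offload: off [fixed]"; sub-features are tab-indented.
        name=${line%%:*}
        name=$(printf '%s' "$name" | tr -d '[:space:]')
        state=${line#*:}
        state=$(printf '%s' "$state" | tr -d '[:space:]')  # "on", "off[fixed]"
        case " $OFFLOADS " in
            *" $name "*)
                case "$state" in
                    on*) printf '%s\n' "$name"; found=1 ;;
                esac ;;
        esac
    done
    return "$found"
}

# check_iface: run ethtool against a real interface (hypothetical wrapper).
# Prints the offending features; exits non-zero when any are found, so it can
# gate a deployment script: check_iface eth2 || { echo "offloads still on"; }
check_iface() {
    ethtool -k "$1" | enabled_offloads
}

# Only touch a real NIC when an interface name is given on the command line.
[ "$#" -eq 0 ] || check_iface "$1"
```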