[Oisf-users] [Discussion] Suricata Performance Tuning (kernel_drops very high)

Barkley, Joey Joey.Barkley at ingramcontent.com
Thu Jan 15 19:05:37 UTC 2015


Just wanted to let everyone know that I appreciate all the help you’ve given me so far. I updated our ids box with a 3.10 kernel and put in all the suggestions mentioned before. Once I did that, kernel drops went down significantly.

I am now in the process of building up a new system and will post back with the results after I install everything and test it. Once again, many thanks to everyone.


On Jan 13, 2015, at 2:15 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:


I use workers mode with AF_PACKET, based on this guide:

https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/

Be sure to disable all off-loading features on your 10G nic (this is
absolutely critical).  Also, make sure you have the freshest kernel
available.

This is my af-packet config:

af-packet:
 - interface: eth2
   threads: 16
   cluster-id: 99
   cluster-type: cluster_flow
   defrag: yes
   use-mmap: yes
   ring-size: 500000
   use-emergency-flush: yes
   buffer-size: 1048576
   checksum-checks: kernel


You should be using 32 threads, one per CPU as per this configuration:

threading:
 set-cpu-affinity: yes
 cpu-affinity:
   - management-cpu-set:
       cpu: [ 0-31 ]  # include only these cpus in affinity settings
       mode: "balanced"
       prio:
         default: "low"
   - detect-cpu-set:
       cpu: [ 0-31 ]
       mode: "exclusive" # run detect threads in these cpus
       prio:
         default: "high"
 detect-thread-ratio: 1

Kernel packet drops for us are under 1%.  I also have an aggressive bpf
filter I can share with you off-list if you are interested in further
improving your performance.

-Coop

On 1/13/2015 12:01 PM, Barkley, Joey wrote:
Ok. Thanks for the suggestions. I had taken it out of workers mode as
I read that was for pf_ring and I'm using af_packet. I'll try these
suggestions and report back.

I am on centos 6. Not positive of exact kernel version (not at my
desk to check) but it would be whatever was available via public yum
repos about a month ago. Just took over this project and am learning
as I go.

It is possible there are capture problems on that port. I'll check
with our network engineers and see what they say about the
configuration.

Thanks,

Joey

On Jan 13, 2015, at 12:14 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

+1 for using the 'workers' runmode and using bpf filters to sample
traffic.

Also, run it without any rules or logging enabled until you figure
out where your performance issues are.

-Coop



--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
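Cooper's advice above to disable every offload feature on the capture NIC is easy to get half-right (GRO left on, or a feature the driver marks as fixed). The script below is an added example, not code from the thread or from the Suricata project: it parses saved `ethtool -k <iface>` output, lists which offloads are still enabled, and prints the exact `ethtool -K` command that would switch them off, without running it. The interface name eth2 and the sample `ethtool -k` output are constructed for illustration; the list of features to check is an assumption you may want to extend for your driver.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit NIC offload settings
# for a Suricata capture interface and build the matching "ethtool -K" command.

# Top-level feature names as printed by "ethtool -k". Which ones to require
# "off" is an assumption here; extend it for your driver's feature list.
WANTED_OFF="rx-checksumming tx-checksumming scatter-gather \
tcp-segmentation-offload generic-segmentation-offload \
generic-receive-offload large-receive-offload rx-vlan-offload tx-vlan-offload"

# Print each wanted feature whose state is not "off" in the saved
# "ethtool -k" output given as $1. Features the driver reports as
# "[fixed]" cannot be changed with -K, so they are only warned about.
offloads_still_on() {
    awk -v wanted="$WANTED_OFF" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i] ":"] = 1 }
        # sub-features are indented; only unindented top-level lines matter here
        /^[a-z]/ && ($1 in want) && $2 != "off" {
            name = substr($1, 1, length($1) - 1)
            if ($3 == "[fixed]") {
                print "warning: " name " is on but fixed by the driver" > "/dev/stderr"
                next
            }
            print name
        }' "$1"
}

# Map "ethtool -k" feature names to the short keywords "ethtool -K" accepts
# and print the command that turns the still-enabled offloads off on $1,
# using the saved output in $2. Nothing is executed here (dry run).
disable_cmd() {
    iface=$1; file=$2; args=""
    for feat in $(offloads_still_on "$file"); do
        case "$feat" in
            rx-checksumming)              k=rx ;;
            tx-checksumming)              k=tx ;;
            scatter-gather)               k=sg ;;
            tcp-segmentation-offload)     k=tso ;;
            generic-segmentation-offload) k=gso ;;
            generic-receive-offload)      k=gro ;;
            large-receive-offload)        k=lro ;;
            rx-vlan-offload)              k=rxvlan ;;
            tx-vlan-offload)              k=txvlan ;;
            *) continue ;;
        esac
        args="$args $k off"
    done
    if [ -n "$args" ]; then
        printf 'ethtool -K %s%s\n' "$iface" "$args"
    else
        echo "# all checked offloads already off on $iface"
    fi
}

# Constructed sample of "ethtool -k eth2" output (a typical not-yet-tuned NIC).
# On a real box replace this with: ethtool -k eth2 > "$SAMPLE_FILE"
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
Features for eth2:
rx-checksumming: off
tx-checksumming: off
scatter-gather: on
	tx-scatter-gather: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: off
EOF

echo "offloads still enabled:"
offloads_still_on "$SAMPLE_FILE"
echo "command to run as root:"
disable_cmd eth2 "$SAMPLE_FILE"
```

Run it once before starting Suricata and again after applying the printed command; the second run should list nothing. A feature reported as "on [fixed]" cannot be cleared with `ethtool -K`, which usually means a driver or firmware limitation worth knowing about before blaming kernel_drops on Suricata itself.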