[Oisf-users] Help with good configuration for Suricata install with Napatech card

Stephen Castellarin castle1126 at yahoo.com
Tue Oct 13 17:59:47 UTC 2015


Hi Victor,
I'm trying to understand what you meant by making "sure all packets from a flow are delivered to the same Suricata thread".
Right now I'm looking at the /proc/interrupts and it shows that CPU 1 is handling the interrupts for the Napatech card (based on lscpu NUMA node 1 is handling CPUs 1,3,5,7,9,11,13,15,17,19).  I've set the Napatech card to assign its HostBuffersRx to NUMA node 1.  Would it be wise to set the CPU affinity for receive, decode and stream-cpu-set to all the CPUs on NUMA node 1?  And if so, then should I assign the detect-cpu-set to the other CPUs on NUMA node 0?

Steve 
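
As an added example, not part of this thread or of Suricata itself, here is a small Python script that reads the two things Steve is looking at, `/proc/interrupts` and the CPU-to-NUMA-node map from `lscpu -p=CPU,NODE`, and reports which node is servicing the card's interrupts, which CPUs belong to that node, and which CPUs are elsewhere. The driver name `ntnic`, the 4-CPU layout and the interrupt counts are constructed placeholders for an offline run.

```python
"""Find the NUMA node that services a NIC's interrupts and list the CPUs
on it versus elsewhere, as input for laying out Suricata cpu-affinity sets."""
import re
from collections import defaultdict

# Constructed sample of `cat /proc/interrupts` (4 CPUs for brevity).
# "ntnic" is a placeholder device name, not a real Napatech driver name.
SAMPLE_INTERRUPTS = """\
           CPU0       CPU1       CPU2       CPU3
  16:        100          0          0          0   IO-APIC   16-fasteoi   ehci_hcd
  45:          0    9812345          0          0   PCI-MSI 524288-edge   ntnic
  46:          0    8123456          0        120   PCI-MSI 524289-edge   ntnic
"""

# Constructed sample of `lscpu -p=CPU,NODE`; comment lines start with '#'.
SAMPLE_LSCPU = """\
# CPU,Node
0,0
1,1
2,0
3,1
"""

def parse_cpu_nodes(lscpu_out):
    """Map CPU id -> NUMA node from `lscpu -p=CPU,NODE` output."""
    nodes = {}
    for line in lscpu_out.splitlines():
        if not line or line.startswith("#"):
            continue
        cpu, node = line.split(",")[:2]
        nodes[int(cpu)] = int(node)
    return nodes

def irq_counts_by_cpu(interrupts_out, device):
    """Sum the per-CPU counters of every IRQ line whose device name is `device`."""
    lines = interrupts_out.splitlines()
    ncpu = len(lines[0].split())          # header row: CPU0 CPU1 ...
    totals = defaultdict(int)
    for line in lines[1:]:
        fields = line.split()
        if not fields or not re.fullmatch(r"\d+:", fields[0]):
            continue                      # skip non-IRQ rows (NMI, LOC, ...)
        if fields[-1] != device:
            continue
        for cpu, count in enumerate(fields[1:1 + ncpu]):
            totals[cpu] += int(count)
    return dict(totals)

def affinity_plan(interrupts_out, lscpu_out, device):
    """Return (busiest_node, cpus_on_that_node, cpus_elsewhere).
    The node servicing the card's IRQs is where the packet-path threads
    (receive/decode/stream) want to live; the rest are detect candidates."""
    nodes = parse_cpu_nodes(lscpu_out)
    per_node = defaultdict(int)
    for cpu, n in irq_counts_by_cpu(interrupts_out, device).items():
        per_node[nodes[cpu]] += n
    busiest = max(per_node, key=per_node.get)
    local = sorted(c for c, n in nodes.items() if n == busiest)
    remote = sorted(c for c, n in nodes.items() if n != busiest)
    return busiest, local, remote
```

On a live box, replace the two samples with `open("/proc/interrupts").read()` and the output of `lscpu -p=CPU,NODE`, and use the card's real driver name as shown in the last column of `/proc/interrupts`.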


On Friday, October 9, 2015 12:01 PM, Victor Julien <lists at inliniac.net> wrote:

On 09-10-15 17:15, Stephen Castellarin wrote:
> Yes there still is progress to make.  Looking at CPU utilization through
> SAR, for today I'm seeing an average of 88.86 %idle, so they're not
> being overworked.  As far as memory consumption, stats are showing I'm
> using roughly 50gb of 128gb available.  So I know I have plenty of
> breathing room from the hardware's perspective.

One thing to check is how the card does the traffic distributions. You
need to make sure all packets from a flow are delivered to the same
Suricata thread. IIRC napatech cards give you a lot of control there.

Cheers,
Victor


> To your point about the rules, I know I've stripped down a whole bunch
> of the ETPRO rules - only sticking with the exploit, malware, scan,
> trojan, current_events, web_server and web_specific_apps rules.  The
> largest number of rules from that list are in the trojan.rules (~9763),
> web_specific_apps.rules (~5603) and current_events.rules(~2505).  When I
> cut down to that list of rule files from the full ETPRO rule list that
> definitely cut out unnecessary stuff for us.  It's going to be real
> tough to dig through the remainder to see what is pertinent to us and
> what isn't.
> 
> 
> 
> On Friday, October 9, 2015 10:32 AM, Rob MacGregor
> <rob.macgregor at gmail.com> wrote:
> 
> 
> On Fri, Oct 9, 2015 at 3:05 PM Stephen Castellarin <castle1126 at yahoo.com
> <mailto:castle1126 at yahoo.com>> wrote:
> 
>    Sorry for the quick reply yesterday, I forgot to hit Reply All.
> 
>    As for the tuning, I know my current, underpowered Suricata system
>    is missing events, as is my new hardware/configuration.  I base this
>    on some attack traffic I saw from one IP yesterday.  
> 
>    So our configuration is a front end router feeding an inline IPS
>    which then is tapped - one tap to my old Suricata system and the
>    second to my new Suricata system.  From a full take packet capture I
>    see 45 attempts to issue malicious POST attempts to a webserver we
>    have.  My original Suricata system triggered on 10 of those while my
>    new Suricata triggered on 15.  I then took the pcap I extracted and
>    ran it through Suricata on the new system and that system showed it
>    trigger on all 45.  So that's giving me a feeling that I'm not
>    tuning something correctly - causing the running Suricata to miss things.
> 
> 
> So, things are improving but there's still progress to make?
> 
> I'd look at things like CPU and RAM usage - are you maxing out your
> CPUs/RAM?
> 
> Also, really look at those rules, are they really all relevant to your
> network? Also, if you strip it down to just the rules that'd catch those
> POST attempts, does it fire for every event?
> 
> -- 
>  Rob 
> 
> 
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
