[Oisf-users] Out of band 10Gb Suricata

Cooper F. Nelson cnelson at ucsd.edu
Wed Oct 14 17:43:42 UTC 2015


Have you tried running with no rules yet?  If you are dropping packets
with no rules then your sensor is over-subscribed and you need more cores.

We are running a 10Gb tap with 16 (hyper-threaded) cores and the only
way this is possible for us is via extensive packet filtering.

If you want to monitor a highly-used 10Gbit interface you really need at
least 32 cores.  Many of the 10Gb cards don't support more than 16 cores
(interrupts) per interface, so you may need to use a dual-interface and
a load balancer to properly hash all the flows.

-Coop

On 10/14/2015 10:34 AM, Brian Hennigar wrote:
> Hi,
> I'm testing using Suricata with 10Gb fiber with out of band span ports
> (not inline) and have noticed a high volume of packet loss.  Are there
> any best practices for using 10Gb when NOT inline? 
> 
> I'm testing, I'm using ESXi 5.5 and an Ubuntu 14.04 VM and vmxnet3
> network adapters.  The VM has 64GB RAM and 8 cores.  All offloading
> options are disabled on the interface.
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042


