[Oisf-users] Out of band 10Gb Suricata

Brian Hennigar bhennigar at gmail.com
Wed Oct 14 18:34:53 UTC 2015


Hey Cooper,
I turned off the rules and am still seeing the same amount of drops.
What is your experience with CUDA?  Instead of upgrading the CPUs, would a
GPU be the easier/cheaper option to get the required performance?  I know
I'll need to find one that is supported by ESXi for the passthrough.

On Wed, Oct 14, 2015 at 2:43 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> Have you tried running with no rules yet?  If you are dropping packets
> with no rules then your sensor is over-subscribed and you need more cores.
>
> We are running a 10Gb tap with 16 (hyper-threaded) cores and the only
> way this is possible for us is via extensive packet filtering.
>
> If you want to monitor a highly-used 10Gbit interface you really need at
> least 32 cores.  Many of the 10Gb cards don't support more than 16 cores
> (interrupts) per interface, so you may need to use a dual-interface and
> a load balancer to properly hash all the flows.
>
> -Coop
>
> On 10/14/2015 10:34 AM, Brian Hennigar wrote:
> > Hi,
> > I'm testing using Suricata with 10Gb fiber with out of band span ports
> > (not inline) and have noticed a high volume of packet loss.  Are there
> > any best practices for using 10Gb when NOT inline?
> >
> > I'm testing, I'm using ESXi 5.5 and an Ubuntu 14.04 VM and vmxnet3
> > network adapters.  The VM has 64GB RAM and 8 cores.  All offloading
> > options are disabled on the interface.
> >
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
>