[Oisf-users] Utilizing NetMap-Suricata on FreeBSD

Oliver Humpage oliver at watershed.co.uk
Thu Oct 29 10:43:23 UTC 2015

> On 28 Oct 2015, at 18:47, Shane Boissevain <shaneboissevain at gmail.com> wrote:
> I'm currently running a ruleset with 16 617 rules in it, and seeing my throughput drop from 3.2 Gb/s to 600 Mb/s with Suricata running. Suricata is running in netmap mode (workers), and I'm thinking that I can get my throughput higher by putting it in autofp mode.

When the netmap code was first put into Suricata it actually crashed if you used autofp. I think Alexei patched it so that at least it wouldn’t crash, but it’s definitely not optimised for it, nor recommended. Workers is the way to go.

600Mb sounds about right to me for a 16k ruleset, at least on “normal” hardware. But I stopped tweaking at around 500Mb because that was all I needed, so I’m not an authority on that. Hopefully someone else can offer some tweaks and advice.


