[Oisf-users] modding config to make IPS faster
Chris Boley
ilgtech75 at gmail.com
Wed Apr 27 13:28:47 UTC 2016
This thread is two weeks old but I wanted to get back to the group on where
I landed with hyperscan and setting up my platform with more RAM.
First off I've got a 25 megabit Metro E internet connection at work. Again,
my hardware platform was a mainboard with 4 physical 64-bit Atom-based cores
running at 2.41 GHz and 32 GB of RAM.
After compiling Hyperscan on Ubuntu 14.04 and running Suricata in IPS mode
across a bridge scanning a dot1q trunk link like so:

    suricata -q 0 -q 1 -q 2 -q 3 -D --set mpm-algo=hs -c /etc/suricata/suricata.yaml

I was able to easily get 25 megabits of download speed (the maximum the
link offered) and 12 megabits upstream. I'm not sure why I was limited
on the upstream side. It could have been somewhat of a duplexing issue
buried somewhere in my test rig. My CPU usage barely went up at all while
viewing htop. I had set my .yaml to look like:
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes

nfq:
  mode: repeat
  repeat-mark: 1
  repeat-mask: 1

threading:
  detect-thread-ratio: 1.5

defrag:
  memcap: 1024mb
  max-frags: 65535
  hash-size: 65536
  trackers: 65535
  prealloc: yes
  timeout: 30

flow:
  memcap: 2048mb
  hash-size: 1048576
  # YAML keys are case-sensitive; the original had "Prealloc", which Suricata would ignore
  prealloc: 1048576

flow-timeouts:
  default:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100

stream:
  memcap: 8gb
  checksum-validation: no
  prealloc-sessions: 500000
  midstream: true
  async-oneside: true
  inline: yes
  reassembly:
    memcap: 10gb
    depth: 64mb
    toserver-chunk-size: 5120
    toclient-chunk-size: 5120
It worked really well, although I think some of these values are a
bit outlandish for such a small install. Thanks to (pevma.blogspot.se) for
some general guidance on setting values up. I really appreciated that level
of detail and sharing of information. Thanks for contributing that to the
Suricata community! Thanks to Coop for suggesting Hyperscan. It was a bear
to build out because the instructions on "redmine" can lead you
astray if you're not careful. If anyone has trouble manually building
Hyperscan on Ubuntu Server 14.04, message me separately. I can provide
step-by-step, no-brainer build and install instructions...
Chris Boley
On Apr 11, 2016 11:41 AM, "Cooper F. Nelson" <cnelson at ucsd.edu> wrote:
> Couple things to try.
>
> 1. Test out the Hyperscan build. It should work well on the Atom, as
> SSE instructions are supported.
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Hyperscan
>
> -Coop
>
> On 4/10/2016 8:35 AM, Chris Boley wrote:
> > My objective is to ignore intra site traffic completely while scanning all
> > traffic between the wan and the local LAN. I'm using a somewhat underpowered
> > server out of necessity.
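An added example, not part of Chris's post or of Suricata's own code, showing the host-side plumbing that the nfq "repeat" settings and the "-q 0 -q 1 -q 2 -q 3" command line above imply. It reads the nfq mark/mask and the memcap values out of a constructed suricata.yaml fragment, prints the iptables rule that balances traffic across the four queues while skipping packets Suricata has already marked (without that mark match, repeat mode re-queues every packet forever), prints the matching -q arguments, and totals the memcaps so you can sanity-check them against the 32 GB box. It assumes iptables rather than nftables, and a bridge with bridge-nf-call-iptables=1 so the bridged traffic traverses the FORWARD chain; the queue count of 4 and the sample yaml are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the Suricata project): read the
# nfq and memcap settings out of a suricata.yaml and print the iptables rule,
# the suricata -q arguments and the total memcap budget that go with them.
# Assumes iptables (not nftables) and a bridge with bridge-nf-call-iptables=1,
# so bridged traffic traverses the FORWARD chain.

# Print one scalar under the top-level "nfq:" key (mode, repeat-mark, repeat-mask).
nfq_setting() {
    awk -v key="$1:" '
        /^nfq:/             { in_nfq = 1; next }
        /^[^ #]/            { in_nfq = 0 }
        in_nfq && $1 == key { print $2; exit }
    ' "$2"
}

# The NFQUEUE rule for N queues. In repeat mode Suricata marks every packet it
# has verdicted and re-injects it with NF_REPEAT, so the rule must skip packets
# that already carry the mark or each packet would be queued again forever.
nfq_rule() {
    queues=$1 mark=$2 mask=$3
    printf 'iptables -I FORWARD -m mark ! --mark %s/%s -j NFQUEUE --queue-balance 0:%s\n' \
        "$mark" "$mask" "$((queues - 1))"
}

# The matching "-q 0 -q 1 ..." arguments for the suricata command line.
suricata_queue_args() {
    i=0 args=""
    while [ "$i" -lt "$1" ]; do
        args="$args -q $i"
        i=$((i + 1))
    done
    printf '%s\n' "${args# }"
}

# Sum every "memcap:" value in the file, in megabytes (kb/mb/gb suffixes).
# Memcaps are upper bounds, not allocations, but their sum should still fit
# the box: if they all fill up at once the process has to fit in RAM.
memcap_total_mb() {
    awk '$1 == "memcap:" {
            n = $2 + 0
            if ($2 ~ /[kK][bB]$/) n = n / 1024
            else if ($2 ~ /[gG][bB]$/) n = n * 1024
            total += n
        }
        END { printf "%d\n", total }' "$1"
}

# Constructed sample: the relevant sections of the yaml from the post.
SAMPLE_YAML=$(mktemp)
cat > "$SAMPLE_YAML" <<'EOF'
nfq:
  mode: repeat
  repeat-mark: 1
  repeat-mask: 1
threading:
  detect-thread-ratio: 1.5
defrag:
  memcap: 1024mb
flow:
  memcap: 2048mb
stream:
  memcap: 8gb
  reassembly:
    memcap: 10gb
EOF

QUEUES=4   # assumption: one queue per physical core, as in the post's command line
MODE=$(nfq_setting mode "$SAMPLE_YAML")
MARK=$(nfq_setting repeat-mark "$SAMPLE_YAML")
MASK=$(nfq_setting repeat-mask "$SAMPLE_YAML")
MEMCAP_MB=$(memcap_total_mb "$SAMPLE_YAML")

if [ "$MODE" = "repeat" ]; then
    nfq_rule "$QUEUES" "$MARK" "$MASK"
else
    echo "nfq mode is '$MODE', not repeat: the mark match is only needed for repeat mode" >&2
fi
echo "suricata $(suricata_queue_args "$QUEUES") -D --set mpm-algo=hs -c /etc/suricata/suricata.yaml"
echo "total memcap: ${MEMCAP_MB} MB ($((MEMCAP_MB / 1024)) GB) on a 32 GB host"
```

For the values in the post the four memcaps add up to 21504 MB, about 21 GB of a 32 GB host, which is the "outlandish" part: stream and reassembly alone claim 18 GB for a 25 megabit link. The iptables rule is the one you would insert before starting Suricata; if you ever switch nfq mode to accept, drop the -m mark match, since nothing is re-injected in that mode.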