[Oisf-users] Suricata, 10k rules, 10Gbit/sec and lots of RAM

Peter Manev petermanev at gmail.com
Mon Jan 11 16:49:29 UTC 2016


On Mon, Jan 11, 2016 at 5:16 PM, Jason Holmes <jholmes at psu.edu> wrote:
> Hi,
>
> I just wanted to give some feedback on the grouping code branch
> (dev-detect-grouping-v173).  I was running 3.0rc3 with:
>
> detect-engine:
>   - profile: custom
>   - custom-values:
>       toclient-src-groups: 200
>       toclient-dst-groups: 200
>       toclient-sp-groups: 200
>       toclient-dp-groups: 300
>       toserver-src-groups: 200
>       toserver-dst-groups: 400
>       toserver-sp-groups: 200
>       toserver-dp-groups: 250
>
> I tested dev-detect-grouping-v173 with:
>
> detect:
>   profile: custom
>   custom-values:
>     toclient-groups: 1000
>     toserver-groups: 1000
>
> (Actually, I had to hardcode this into src/detect-engine.c because the above
> syntax caused Suricata to crash when starting up.  I didn't dig into it
> enough to figure out why.)

I do not like that "hardcoding" part at all!

Please note there can be a problem because of spelling and indentation.
Your config part should look like this:

detect-engine:
  - profile: custom
  - custom-values:
      toclient-groups: 1000
      toserver-groups: 1000

not like this:

detect:
  profile: custom
  custom-values:
    toclient-groups: 1000
    toserver-groups: 1000



Can you please give it a try again and see if that was the problem?

Thanks

>
> The impetus for trying this was that adding additional rules to 3.0rc3
> caused packet loss to jump from <1% to ~25%.  The <1% on 3.0rc3 was using
> around 20,000 rules.  The 25% on 3.0rc3 was using around 30,000 rules.
>
> My observations (using 30,000 rules):
>
> 1. Startup time is greatly reduced.  With the above settings,
> dev-detect-v173 starts up in about 2.5 minutes.  3.0rc3 took about 5.5
> minutes.
>
> 2. Performance is significantly improved.  Packet loss dropped from ~25%
> with 3.0rc3 to <1% with dev-detect-v173.  I'm also able to push more traffic
> through the box and maintain <1%.  It's hard to quantify exactly since this
> is production traffic and it spikes and dips, but I'd say 25% more traffic
> would be a conservative estimate in increased throughput.
>
> I haven't had any stability issues that I wasn't already seeing in 3.0rc3.
> To me, the new grouping code branch seems like a fundamental improvement.
>
> Thanks,
>
> --
> Jason Holmes
>
>
> On 12/8/15 12:12 PM, Victor Julien wrote:
>>
>> On 04-12-15 18:03, Cooper F. Nelson wrote:
>>>
>>> We are running the grouping code branch as well, ~7gbit traffic
>>> and sampling port 80 flows.  Using groups of 1000.
>>>
>>> Performance so far is very good, currently running 27,568 ETPRO
>>> signatures.
>>
>>
>> How does it compare to your normal performance? Are you seeing
>> differences in memory use, drop rate, etc?
>>
>> Thanks,
>> Victor
>>
>>
>>> On 12/3/2015 4:56 PM, Michal Purzynski wrote:
>>>>
>>>> I kind of feel responsible here and should answer this question.
>>>
>>>
>>>> The grouping code branch will make it to Suricata post 3.0. Given
>>>> the new release schedule, this should be quick.
>>>
>>>
>>>> I'm testing it on production traffic, more than 20gbit, two
>>>> sensors (peak, but frequent, long and crazy. Average is between 3
>>>> to 6gbit/sec).
>>>
>>>
>>>> In order to stress the code I run it with even more insane
>>>> settings, like this
>>>
>>>
>>>> detect-engine:
>>>>   - profile: custom
>>>>   - custom-values:
>>>>       toclient-src-groups: 2000
>>>>       toclient-dst-groups: 2000
>>>>       toclient-sp-groups: 2000
>>>>       toclient-dp-groups: 3000
>>>>       toserver-src-groups: 2000
>>>>       toserver-dst-groups: 4000
>>>>       toserver-sp-groups: 2000
>>>>       toserver-dp-groups: 2500
>>>>   - sgh-mpm-context: full
>>>>   - inspection-recursion-limit: 3000
>>>>   - rule-reload: true
>>>
>>>
>>>> Note - do not try this at home. Or work. It kills kittens on 2.x
>>>
>>>
>>>> And it just works on the new branch that's yet to be merged :)
>>>
>>>
>>>> Note - I have over 16500 rules now.
>>>
>>>
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>>>
>>>
>>
>



-- 
Regards,
Peter Manev
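Peter's point above is that the grouping settings fail on spelling and indentation, which is exactly what a startup crash hides. The script below is an added example, not Suricata's code and not something anyone in this thread posted: it parses only the small YAML subset that section uses, accepts both the `detect-engine:` list-of-maps layout Peter shows and the flat `detect:` mapping Jason tried, and reports misspelled keys, the wrong nesting style and group counts that are not integers. The key names it knows are the ones quoted in this thread (assumed to be the complete set for these two builds); whether a given Suricata build accepts a name must be confirmed against that build's shipped suricata.yaml. The two sample configs at the bottom are constructed for the stand-alone run.

```python
"""Sanity-check the detect-engine grouping settings in a suricata.yaml.

Added example, not code from Suricata or from anyone in this thread. Parses
only the YAML subset that section uses (nested mappings, "- key: value"
items) and reports misspelled keys, wrong nesting and non-integer counts.
Assumption: the key names below are those quoted in the thread.
"""
import re
import sys
from pathlib import Path

GROUP_KEYS_BRANCH = {"toclient-groups", "toserver-groups"}   # dev-detect-grouping-v173
GROUP_KEYS_RC3 = {f"{d}-{t}-groups" for d in ("toclient", "toserver")
                  for t in ("src", "dst", "sp", "dp")}        # 3.0rc3 per-direction keys
SECTION_KEYS = {"profile", "custom-values", "sgh-mpm-context",
                "inspection-recursion-limit", "rule-reload"}


def _lines(text):
    """Drop comments, blank lines and the %YAML/--- preamble; keep (indent, text)."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # values containing '#' are not in this subset
        if line.strip() and not line.lstrip().startswith(("%", "---")):
            out.append((len(line) - len(line.lstrip(" ")), line.strip()))
    return out


def _split(s):
    """'key: value' -> (key, 'value'); 'key:' -> (key, None)."""
    m = re.match(r"^([^:]+):(?:\s+(.*))?$", s)
    if not m:
        raise ValueError(f"not a key/value line: {s!r}")
    return m.group(1).strip(), (m.group(2).strip() if m.group(2) else None)


def parse_yaml_subset(text):
    """Return nested dicts/lists; raise ValueError on inconsistent indentation."""
    lines, pos = _lines(text), 0

    def block(indent):
        nonlocal pos
        node = None
        while pos < len(lines):
            ind, s = lines[pos]
            if ind < indent:
                break
            if ind > indent:
                raise ValueError(f"unexpected indentation before {s!r}")
            is_item = s.startswith("- ")
            want = list if is_item else dict
            if node is None:
                node = want()
            elif not isinstance(node, want):
                raise ValueError(f"list item and mapping key mixed at {s!r}")
            key, val = _split(s[2:] if is_item else s)
            pos += 1
            if val is None:                       # a nested block follows if indented deeper
                child = lines[pos][0] if pos < len(lines) else -1
                val = block(child) if child > indent else {}
            if is_item:
                node.append({key: val})
            elif key in node:
                raise ValueError(f"duplicate key {key!r}")
            else:
                node[key] = val
        return node if node is not None else {}

    return block(lines[0][0]) if lines else {}


def check_detect_section(text):
    """Return a list of findings; an empty list means the section looks sane."""
    try:
        cfg = parse_yaml_subset(text)
    except ValueError as e:
        return [f"parse error: {e}"]
    name = "detect-engine" if "detect-engine" in cfg else "detect" if "detect" in cfg else None
    if name is None:
        return ["no detect-engine section found"]
    sec, findings = cfg[name], []
    if name == "detect":
        findings.append("section is named 'detect'; the layout that worked in the thread names it 'detect-engine'")
    if isinstance(sec, list):                     # '- key:' items, as in Peter's layout
        flat = {k: v for item in sec for k, v in item.items()}
    else:
        findings.append(f"'{name}' is a plain mapping; the working layout writes each setting as a '- key:' list item")
        flat = sec if isinstance(sec, dict) else {}
    findings += [f"unknown {name} key {k!r} (check spelling)" for k in flat if k not in SECTION_KEYS]
    cv = flat.get("custom-values")
    if flat.get("profile") == "custom" and not isinstance(cv, dict):
        findings.append("profile is custom but custom-values is missing or not indented under it")
    if isinstance(cv, dict):
        for k, v in cv.items():
            if k not in GROUP_KEYS_BRANCH | GROUP_KEYS_RC3:
                findings.append(f"unknown custom-values key {k!r} (check spelling)")
            elif not (isinstance(v, str) and v.isdigit() and int(v) > 0):
                findings.append(f"{k} must be a positive integer, got {v!r}")
        if set(cv) & GROUP_KEYS_BRANCH and set(cv) & GROUP_KEYS_RC3:
            findings.append("mixes the eight 3.0rc3 per-direction keys with the branch's two keys")
    return findings


# Constructed samples for a stand-alone run; not taken from anyone's sensor.
SAMPLE_OK = """\
%YAML 1.1
---
detect-engine:
  - profile: custom
  - custom-values:
      toclient-groups: 1000
      toserver-groups: 1000
  - sgh-mpm-context: full
"""
SAMPLE_BAD = """\
detect:
  profile: custom
  custom-values:
    toclinet-groups: 1000   # misspelled
    toserver-groups: many   # not an integer
"""

if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_BAD
    print("\n".join(check_detect_section(text) or ["no findings"]))
```

Run it as `python3 check_detect.py /etc/suricata/suricata.yaml` before restarting the sensor; with no argument it reports on the constructed bad sample. It only checks the grouping section, so a clean result says nothing about the rest of the file, and a key it does not know is a spelling finding, not proof the build rejects it.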


