[Oisf-users] 20Gbps - is it possible?!

Peter Manev petermanev at gmail.com
Tue Mar 15 15:55:58 UTC 2016


On Tue, Mar 15, 2016 at 5:11 AM, Matthew George <mattg210778 at gmail.com> wrote:
> Dear Suricata users - please help,
>
> I am interested in getting Suricata running to rates up to and over 20Gbps.
>

What type of traffic and rules?

> We are using a fairly impressive server spec i.e. 20 cores and 128GB ram
> etc.
> I also have a signature offload card spliced into the bottom of our modified
> Suricata (based on 2.0.9) giving about a 20-30% reduction in CPU per worker
> thread without any negative impacts on alerts. The card also does 0 copy DMA
> and load sharing to 16 worker cores via a proprietary implementation not
> that dissimilar from PF_RING.

I would start here -
- 2.0.9 is not supported. There were a number of serious improvements
reflected in 3.0
- is the modified/proprietary implementation capable of 20Gbps and above?


>
> The throughput on the system however when running the full ET Pro ruleset is
> nowhere near what we'd like or it appears what you guys are getting so my
> question is what are we doing wrong?
>
> Should we use a different code base, a bigger server or tune the rules?
>

- for code base later/stable is always recommended
- before you go to a bigger server make sure you have the best out of
what you have -> based on type of traffic and rules loaded/needed.

> Any help would be greatly appreciated,
>
> Matt
>



-- 
Regards,
Peter Manev


