[Oisf-users] 20Gbps - is it possible?!

Matthew George mattg210778 at gmail.com
Tue Mar 15 21:55:20 UTC 2016


Hi Peter,

Thanks for the assistance!

General mix of ISP traffic. Started off with the full ET Pro ruleset. What
would you recommend dropping, or as a good resource for tuning the ET Pro
ruleset?

3.0 was not available when we integrated the card but we will port over soon.

Yes the implementation/delivery is good for 40Gbps!

Thanks,

Matt

On Tuesday, 15 March 2016, Peter Manev <petermanev at gmail.com> wrote:

> On Tue, Mar 15, 2016 at 5:11 AM, Matthew George <mattg210778 at gmail.com> wrote:
> > Dear Suricata users - please help,
> >
> > I am interested in getting Suricata running to rates up to and over 20Gbps.
> >
>
> What type of traffic and rules?
>
> > We are using a fairly impressive server spec i.e. 20 cores and 128GB ram
> > etc.
> > I also have a signature offload card spliced into the bottom of our modified
> > Suricata (based on 2.0.9) giving about a 20-30% reduction in CPU per worker
> > thread without any negative impacts on alerts. The card also does 0 copy DMA
> > and load sharing to 16 worker cores via a proprietary implementation not
> > that dissimilar from PF_RING.
>
> I would start here -
> - 2.0.9 is not supported. There were a number of serious improvements
> reflected in 3.0
> - is the modified/proprietary implementation capable of 20Gbps and
> above?
>
>
> >
> > The throughput on the system however when running the full ET Pro ruleset is
> > nowhere near what we'd like or it appears what you guys are getting so my
> > question is what are we doing wrong?
> >
> > Should we use a different code base, a bigger server or tune the rules?
> >
>
> - for code base later/stable is always recommended
> - before you go to a bigger server make sure you have the best out of
> what you have -> based on type of traffic and rules loaded/needed.
>
> > Any help would be greatly appreciated,
> >
> > Matt
> >
>
>
>
> --
> Regards,
> Peter Manev
>