[Oisf-users] 20Gbps - is it possible?!

Peter Manev petermanev at gmail.com
Thu Mar 17 13:56:06 UTC 2016


On Tue, Mar 15, 2016 at 2:55 PM, Matthew George <mattg210778 at gmail.com> wrote:
> Hi Peter,
>
> Thanks for the assistance!
>
> General mix of ISP traffic. Started off with the full ET Pro ruleset, what
> would you recommend dropping or as a good resource for tuning the ET Pro
> ruleset?

OK - in general - you can try starting with 0 rules loaded, see if you
still experience drops, and build up from there.

>
> 3.0 was not available when we integrated card but we will port over soon.

Generally, is it a lot of trouble to port over?

>
> Yes the implementation/delivery is good for 40Gbps!

OK, good.

>
> Thanks,
>
> Matt
>
>
> On Tuesday, 15 March 2016, Peter Manev <petermanev at gmail.com> wrote:
>>
>> On Tue, Mar 15, 2016 at 5:11 AM, Matthew George <mattg210778 at gmail.com>
>> wrote:
>> > Dear Suricata users - please help,
>> >
>> > I am interested in getting Suricata running to rates up to and over
>> > 20Gbps.
>> >
>>
>> What type of traffic and rules?
>>
>> > We are using a fairly impressive server spec i.e. 20 cores and 128GB ram
>> > etc. I also have a signature offload card spliced into the bottom of our
>> > modified Suricata (based on 2.0.9) giving about a 20-30% reduction in CPU
>> > per worker thread without any negative impacts on alerts. The card also
>> > does 0 copy DMA and load sharing to 16 worker cores via a proprietary
>> > implementation not that dissimilar from PF_RING.
>>
>> I would start here -
>> - 2.0.9 is not supported. There were a number of serious improvements
>> reflected in 3.0
>> - is the modified/proprietary implementation capable of 20Gbps and
>> above?
>>
>>
>> >
>> > The throughput on the system however when running the full ET Pro
>> > ruleset is nowhere near what we'd like or it appears what you guys are
>> > getting so my question is what are we doing wrong?
>> >
>> > Should we use a different code base, a bigger server or tune the rules?
>> >
>>
>> - for code base later/stable is always recommended
>> - before you go to a bigger server make sure you have the best out of
>> what you have -> based on type of traffic and rules loaded/needed.
>>
>> > Any help would be greatly appreciated,
>> >
>> > Matt
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support:
>> > http://suricata-ids.org/support/
>> > List:
>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > Suricata User Conference November 9-11 in Washington, DC:
>> > http://oisfevents.net
>>
>>
>>
>> --
>> Regards,
>> Peter Manev



-- 
Regards,
Peter Manev


