[Oisf-users] High ICMP Ping Latency in Workers Runmode
Peter Fyon
peter.fyon at gmail.com
Sat Feb 4 23:08:46 UTC 2017
user at suricata:~$ uname -a
Linux suricata 3.16.0-77-generic #99~14.04.1-Ubuntu SMP Tue Jun 28 19:17:10
UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Command line:
/usr/bin/suricata -c /etc/suricata/suricata.yaml --pid file
/var/run/suricata.pid --af-packet -D -vvv
Server specs:
Intel g3258 cpu (2 cores @ 3.2ghz)
8gb ram
Some cheap Realtek gigabit nics for capture, onboard nic for management
Relevant to capture portions of suricata.yaml:
af-packet:
- interface: p5p1
copy-iface: p6p1
cluster-id: 98
threads: auto
use-mmap: yes
rollover: yes
tpacket-v3: yes
block-size: 32768
copy-mode: ips
buffer-size: 64535
cluster-type: cluster_flow
defrag: yes
- interface: p6p1
copy-iface: p5p1
cluster-id: 97
threads: auto
use-mmap: yes
rollover: yes
tpacket-v3: yes
block-size: 32768
copy-mode: ips
buffer-size: 64535
cluster-type: cluster_flow
defrag: yes
- interface: default
threads: auto
use-mmap: yes
rollover: yes
tpacket-v3: yes
block-size: 32768
copy-mode: ips
buffer-size: 64535
cluster-type: cluster_flow
defrag: yes
App-layer section
http:
enabled: yes
memcap: 512mb
libhtp:
default-config:
personality: IDS
request-body-limit: 1gb
response-body-limit: 1gb
request-body-minimal-inspect-size: 32kb
request-body-inspect-window: 4kb
response-body-minimal-inspect-size: 40kb
response-body-inspect-window: 16kb
response-body-decompress-layer-limit: 2
http-body-inline: auto
double-decode-path: no
double-decode-query: no
host-mode: auto
max-pending-packets: 2048
runmode: workers
defrag:
memcap: 128mb
hash-size: 65536
trackers: 65535 # number of defragmented flows to follow
max-frags: 65535 # number of fragments to keep (higher than trackers)
prealloc: yes
timeout: 60
flow:
memcap: 128mb
hash-size: 65536
prealloc: 10000
emergency-recovery: 30
stream:
memcap: 128mb
checksum-validation: yes # reject wrong csums
inline: yes # auto will use inline mode in IPS mode, yes
or no set it statically
reassembly:
memcap: 256mb
depth: 0 # reassemble 1mb into a stream
toserver-chunk-size 2560
toclient-chunk-size: 2560
randomize-chunk-size: yes
A lot of those config settings were copied over from my old 3.0 config.
Peter
On Feb 4, 2017 5:10 PM, "Andreas Herz" <andi at geekosphere.org> wrote:
On 04/02/17 at 16:59, Peter Fyon wrote:
> Yes, IPS mode inline using af-packet, Ubuntu 14.04.
How do you run it exactly? Paste the command line please.
Also add relevant sections you changed/added to the config.
Also the hardware specs and network infos.
What kernel is used?
> Peter
>
> On Feb 4, 2017 4:57 PM, "Andreas Herz" <andi at geekosphere.org> wrote:
>
> On 04/02/17 at 16:47, Peter Fyon wrote:
> > When I was running 3.0, I was using workers runmode with few issues. I
> > upgraded to 3.2 this week and my ping times went from ~ 30ms to
> ~150-200ms.
>
> How do you run suricata and on what system?
> Since you see latency issues I would guess IPS mode but there are some
> :)
>
> --
> Andreas Herz
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
--
Andreas Herz
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170204/e6488856/attachment-0002.html>
More information about the Oisf-users
mailing list