[Oisf-users] High ICMP Ping Latency in Workers Runmode

Peter Fyon peter.fyon at gmail.com
Sat Feb 4 23:08:46 UTC 2017


user at suricata:~$ uname -a

Linux suricata 3.16.0-77-generic #99~14.04.1-Ubuntu SMP Tue Jun 28 19:17:10
UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Command line:
/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv

Server specs:
Intel g3258 cpu (2 cores @ 3.2ghz)
8gb ram
Some cheap Realtek gigabit nics for capture, onboard nic for management

Capture-relevant portions of suricata.yaml:

af-packet:
  - interface: p5p1
    copy-iface: p6p1
    cluster-id: 98
    threads: auto
    use-mmap: yes
    rollover: yes
    tpacket-v3: yes
    block-size: 32768
    copy-mode: ips
    buffer-size: 64535
    cluster-type: cluster_flow
    defrag: yes
  - interface: p6p1
    copy-iface: p5p1
    cluster-id: 97
    threads: auto
    use-mmap: yes
    rollover: yes
    tpacket-v3: yes
    block-size: 32768
    copy-mode: ips
    buffer-size: 64535
    cluster-type: cluster_flow
    defrag: yes
  - interface: default
    threads: auto
    use-mmap: yes
    rollover: yes
    tpacket-v3: yes
    block-size: 32768
    copy-mode: ips
    buffer-size: 64535
    cluster-type: cluster_flow
    defrag: yes


App-layer section:
  http:
    enabled: yes
    memcap: 512mb
    libhtp:
      default-config:
        personality: IDS
        request-body-limit: 1gb
        response-body-limit: 1gb
        request-body-minimal-inspect-size: 32kb
        request-body-inspect-window: 4kb
        response-body-minimal-inspect-size: 40kb
        response-body-inspect-window: 16kb
        response-body-decompress-layer-limit: 2
        http-body-inline: auto
        double-decode-path: no
        double-decode-query: no


host-mode: auto

max-pending-packets: 2048

runmode: workers

defrag:
  memcap: 128mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

flow:
  memcap: 128mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

stream:
  memcap: 128mb
  checksum-validation: yes      # reject wrong csums
  inline: yes                   # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 256mb
    depth: 0                    # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes


A lot of those config settings were copied over from my old 3.0 config.

Peter
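The af-packet IPS pairing above is the part of the config most worth checking mechanically, since a mismatch between the two copy interfaces is easy to miss by eye. The script below is an added example, not code from the mail or from the Suricata project: it pulls the `af-packet:` interface list out of a suricata.yaml fragment with a small line-based reader (enough for the flat key/value layout shown above, not a general YAML parser) and checks that each `copy-mode: ips` interface names a peer that copies back to it, that the pair uses the same `threads` value, and that no two interfaces share a `cluster-id`. It also flags `tpacket-v3: yes` on an IPS interface; that check rests on an assumption rather than on anything in this thread, namely the comment in the stock suricata.yaml of later Suricata releases advising against tpacket-v3 in IPS or TAP mode because of latency. The sample config is constructed from the values in the post.

```python
"""Sanity-check af-packet IPS interface pairing in a suricata.yaml fragment.

Added example; not part of the original mail or of Suricata. The reader
below only understands the flat "- interface:" list layout used in the
post, so treat it as a demonstration rather than a YAML parser.
"""

# Constructed from the af-packet section quoted in the mail above.
SAMPLE_CONFIG = """\
af-packet:
  - interface: p5p1
    copy-iface: p6p1
    cluster-id: 98
    threads: auto
    use-mmap: yes
    rollover: yes
    tpacket-v3: yes
    block-size: 32768
    copy-mode: ips
    buffer-size: 64535
    cluster-type: cluster_flow
    defrag: yes
  - interface: p6p1
    copy-iface: p5p1
    cluster-id: 97
    threads: auto
    use-mmap: yes
    rollover: yes
    tpacket-v3: yes
    block-size: 32768
    copy-mode: ips
    buffer-size: 64535
    cluster-type: cluster_flow
    defrag: yes
  - interface: default
    threads: auto
    use-mmap: yes
    tpacket-v3: yes
    copy-mode: ips
    cluster-type: cluster_flow
runmode: workers
"""


def parse_af_packet(text):
    """Return {interface_name: {key: value}} for the af-packet list only."""
    ifaces = {}
    current = None
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if indent == 0:
            # A new top-level key ends the af-packet block.
            in_block = stripped == "af-packet:"
            current = None
            continue
        if not in_block:
            continue
        if stripped.startswith("- "):
            key, _, value = stripped[2:].partition(":")
            if key.strip() != "interface":
                raise ValueError("af-packet list item must start with 'interface:'")
            current = {}
            ifaces[value.strip()] = current
            continue
        if current is None:
            raise ValueError("key/value line before any '- interface:' entry")
        key, _, value = stripped.partition(":")
        current[key.strip()] = value.strip()
    return ifaces


def check_ips_pairing(ifaces):
    """Return a list of problem strings; an empty list means the pairing looks sane."""
    problems = []
    real = {n: c for n, c in ifaces.items() if n != "default"}
    cluster_ids = {}
    for name, cfg in real.items():
        if cfg.get("copy-mode") == "ips":
            peer = cfg.get("copy-iface")
            if not peer:
                problems.append(f"{name}: copy-mode ips but no copy-iface set")
            elif peer not in real:
                problems.append(f"{name}: copy-iface {peer} has no entry of its own")
            else:
                back = real[peer]
                if back.get("copy-iface") != name:
                    problems.append(f"{name}: {peer} does not copy back to {name}")
                if back.get("copy-mode") != "ips":
                    problems.append(f"{peer}: paired with {name} but copy-mode is not ips")
                if back.get("threads") != cfg.get("threads"):
                    problems.append(f"{name}/{peer}: threads differ, IPS pairs need equal thread counts")
            # Assumption (not from this thread): later stock suricata.yaml warns that
            # tpacket-v3 causes latency in IPS/TAP mode.
            if cfg.get("tpacket-v3") == "yes":
                problems.append(f"{name}: tpacket-v3 enabled on an IPS interface")
        cid = cfg.get("cluster-id")
        if cid is None:
            problems.append(f"{name}: no cluster-id")
        elif cid in cluster_ids:
            problems.append(f"{name}: cluster-id {cid} also used by {cluster_ids[cid]}")
        else:
            cluster_ids[cid] = name
    return problems


if __name__ == "__main__":
    for problem in check_ips_pairing(parse_af_packet(SAMPLE_CONFIG)):
        print("WARN", problem)
```

Run it against your own suricata.yaml by reading the file into `parse_af_packet` in place of `SAMPLE_CONFIG`; on the config from the post it reports only the two tpacket-v3 warnings, since the p5p1/p6p1 pair is otherwise symmetric with distinct cluster-ids and matching thread settings.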

On Feb 4, 2017 5:10 PM, "Andreas Herz" <andi at geekosphere.org> wrote:

On 04/02/17 at 16:59, Peter Fyon wrote:
> Yes, IPS mode inline using af-packet, Ubuntu 14.04.

How do you run it exactly? Paste the command line please.

Also add relevant sections you changed/added to the config.

Also the hardware specs and network infos.

What kernel is used?

> Peter
>
> On Feb 4, 2017 4:57 PM, "Andreas Herz" <andi at geekosphere.org> wrote:
>
> On 04/02/17 at 16:47, Peter Fyon wrote:
> > When I was running 3.0, I was using workers runmode with few issues. I
> > upgraded to 3.2 this week and my ping times went from ~ 30ms to
> ~150-200ms.
>
> How do you run suricata and on what system?
> Since you see latency issues I would guess IPS mode but there are some
> :)
>
> --
> Andreas Herz
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

--
Andreas Herz