[Oisf-users] High ICMP Ping Latency in Workers Runmode

Peter Manev petermanev at gmail.com
Sun Feb 5 08:20:40 UTC 2017



> On 5 Feb 2017, at 00:08, Peter Fyon <peter.fyon at gmail.com> wrote:
> 
> user at suricata:~$ uname -a
> Linux suricata 3.16.0-77-generic #99~14.04.1-Ubuntu SMP Tue Jun 28 19:17:10 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
> 
> Command line:
> /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv
> 
> Server specs:
> Intel g3258 cpu (2 cores @ 3.2ghz)
> 8gb ram
> Some cheap Realtek gigabit nics for capture, onboard nic for management
> 
> Portions of suricata.yaml relevant to capture:
> af-packet:
>   - interface: p5p1
>     copy-iface: p6p1
>     cluster-id: 98
>     threads: auto
>     use-mmap: yes
>     rollover: yes
>     tpacket-v3: yes
>     block-size: 32768
>     copy-mode: ips
>     buffer-size: 64535
>     cluster-type: cluster_flow
>     defrag: yes
>   - interface: p6p1
>     copy-iface: p5p1
>     cluster-id: 97
>     threads: auto
>     use-mmap: yes
>     rollover: yes
>     tpacket-v3: yes
>     block-size: 32768
>     copy-mode: ips
>     buffer-size: 64535
>     cluster-type: cluster_flow
>     defrag: yes
>   - interface: default
>     threads: auto
>     use-mmap: yes
>     rollover: yes
>     tpacket-v3: yes
>     block-size: 32768
>     copy-mode: ips
>     buffer-size: 64535
>     cluster-type: cluster_flow
>     defrag: yes
> 

Disable buffer-size (use ring-size instead) and rollover, and see if there is any difference?

> 
> App-layer section:
>    http:
>       enabled: yes
>       memcap: 512mb
>       libhtp:
>          default-config:
>            personality: IDS
>            request-body-limit: 1gb
>            response-body-limit: 1gb
>            request-body-minimal-inspect-size: 32kb
>            request-body-inspect-window: 4kb
>            response-body-minimal-inspect-size: 40kb
>            response-body-inspect-window: 16kb
>            response-body-decompress-layer-limit: 2
>            http-body-inline: auto
>            double-decode-path: no
>            double-decode-query: no
> 
> 
> host-mode: auto
> max-pending-packets: 2048
> runmode: workers
> 
> defrag:
>   memcap: 128mb
>   hash-size: 65536
>   trackers: 65535 # number of defragmented flows to follow
>   max-frags: 65535 # number of fragments to keep (higher than trackers)
>   prealloc: yes
>   timeout: 60
> flow:
>   memcap: 128mb
>   hash-size: 65536
>   prealloc: 10000
>   emergency-recovery: 30
> stream:
>   memcap: 128mb
>   checksum-validation: yes      # reject wrong csums
>   inline: yes                  # auto will use inline mode in IPS mode, yes or no set it statically
>   reassembly:
>     memcap: 256mb
>     depth: 0                  # 0 disables the depth limit, so streams are reassembled in full
>     toserver-chunk-size: 2560
>     toclient-chunk-size: 2560
>     randomize-chunk-size: yes
> 
> 
> A lot of those config settings were copied over from my old 3.0 config.
> 
> Peter
> 
> On Feb 4, 2017 5:10 PM, "Andreas Herz" <andi at geekosphere.org> wrote:
> On 04/02/17 at 16:59, Peter Fyon wrote:
> > Yes, IPS mode inline using af-packet, Ubuntu 14.04.
> 
> How do you run it exactly? Paste the command line please.
> 
> Also add relevant sections you changed/added to the config.
> 
> Also the hardware specs and network infos.
> 
> What kernel is used?
> 
> > Peter
> >
> > On Feb 4, 2017 4:57 PM, "Andreas Herz" <andi at geekosphere.org> wrote:
> >
> > On 04/02/17 at 16:47, Peter Fyon wrote:
> > > When I was running 3.0, I was using workers runmode with few issues. I
> > > upgraded to 3.2 this week and my ping times went from ~ 30ms to
> > ~150-200ms.
> >
> > How do you run suricata and on what system?
> > Since you see latency issues I would guess IPS mode but there are some
> > :)
> >
> > --
> > Andreas Herz
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> --
> Andreas Herz
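The change suggested in the reply, written out as an added example (this is not configuration from either poster, and it is a suggestion to test, not a confirmed fix for the latency): the posted af-packet section for p5p1 and p6p1 with buffer-size replaced by ring-size and rollover turned off. The commented "was:" lines show the posted values. The ring-size value of 2048 frames per thread is an assumption chosen for illustration and should be sized to the link's traffic rate and the memory available on an 8 GB box.

```yaml
af-packet:
  - interface: p5p1
    copy-iface: p6p1
    cluster-id: 98
    threads: auto
    use-mmap: yes
    # was: rollover: yes
    # rollover lets a full ring hand packets to another thread, so a flow is no
    # longer guaranteed to stay on one worker; off keeps per-flow ordering in IPS.
    rollover: no
    tpacket-v3: yes
    block-size: 32768
    copy-mode: ips
    # was: buffer-size: 64535
    # buffer-size sets the kernel socket receive buffer (bytes); ring-size sets
    # the number of frames in the mmap ring per thread, which is what the
    # capture path actually queues on. Assumed value, tune for the link.
    ring-size: 2048
    cluster-type: cluster_flow
    defrag: yes
  - interface: p6p1
    copy-iface: p5p1
    cluster-id: 97
    threads: auto
    use-mmap: yes
    # was: rollover: yes
    rollover: no
    tpacket-v3: yes
    block-size: 32768
    copy-mode: ips
    # was: buffer-size: 64535
    ring-size: 2048
    cluster-type: cluster_flow
    defrag: yes
  - interface: default
    threads: auto
    use-mmap: yes
    # was: rollover: yes
    rollover: no
    tpacket-v3: yes
    block-size: 32768
    copy-mode: ips
    # was: buffer-size: 64535
    ring-size: 2048
    cluster-type: cluster_flow
    defrag: yes
```

Both copy-mode peers keep the same thread setting so that every worker on p5p1 has a matching worker on p6p1 to copy into; change one variable at a time (rollover first, then ring sizing) and re-measure ping latency after each restart so the effect of each setting can be attributed.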