[Oisf-users] Tuning guide

Cooper F. Nelson cnelson at ucsd.edu
Tue May 16 19:06:30 UTC 2017


On 5/16/2017 11:57 AM, Brad Kingsbury wrote:
> Is there a tuning guide available for Suricata?  I'm looking for some
> pretty basic "tuning" parameters, based upon the amount of RAM and cores
> available.  Also, parameters to consider if doing just parsing v. detection.

This is the best one available currently:

> https://github.com/pevma/SEPTun

Might be overkill for tiny networks, though.

> Also, is the hyperscan library only used by the detection component, or
> will it also provide improved performance in the parsing engine too?

That is an excellent question and I have to admit I do not know the
answer.  I'll hesitate a guess of 'no' as I run in delayed-detect mode
and suricata will begin protocol logging well prior to generating alert
traffic.  I think this is by design as the protocol detection logic is
specifically tuned for that purpose, vs. being a generic pattern matcher.

-- 
Cooper Nelson
IT Security - Information Technology Services
University of California San Diego
(858) 534-6487 - cnelson at ucsd.edu
https://cybersecurity.ucsd.edu
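An added example, not part of the thread above: the suricata.yaml settings the reply refers to (Hyperscan as the multi-pattern matcher, plus delayed-detect so capture and protocol logging start before the ruleset has finished loading). Key names are assumed from the Suricata 4.x-era default suricata.yaml and should be checked against the version in use.

```yaml
# Multi-pattern / single-pattern matcher selection.
# "auto" picks Hyperscan when the build supports it; "hs" forces it and
# makes Suricata fail loudly at startup if the library is missing.
mpm-algo: hs
spm-algo: hs

detect:
  # Signature-group profile; "medium" is the default trade-off between
  # RAM and detection throughput. "high" uses more memory per group.
  profile: medium
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000
  # Load signatures after packet capture has started: protocol logging
  # (eve.json) begins immediately, alerts only once rules are loaded.
  delayed-detect: yes
```

Confirm the build actually has Hyperscan before relying on it: `suricata --build-info` lists "Hyperscan support" as yes or no.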
