[Oisf-users] Tuning guide
Cloherty, Sean E
scloherty at mitre.org
Wed May 17 13:53:25 UTC 2017
If you are using AF-PACKET (and why wouldn't you), the attached spreadsheet may help. It is derived from Peter Manev's highly detailed review of various configuration options and their effect on memory utilization. http://pevma.blogspot.com/2015/10/suricata-with-afpacket-memory-of-it-all.html
I began creating this during a Suricata training class so I could save time when testing different configurations. Peter has reviewed it for accuracy and correct nomenclature. I hope that it will be of some use to the community.
Sean Cloherty
-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Cooper F. Nelson
Sent: Tuesday, May 16, 2017 15:07 PM
To: Brad Kingsbury <bradkingsbury at gmail.com>; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Tuning guide
On 5/16/2017 11:57 AM, Brad Kingsbury wrote:
> Is there a tuning guide available for Suricata? I'm looking for some
> pretty basic "tuning" parameters, based upon the amount of RAM and
> cores available. Also, parameters to consider if doing just parsing v. detection.
This is the best one available currently:
> https://github.com/pevma/SEPTun
Might be overkill for tiny networks, though.
> Also, is the hyperscan library only used by the detection component,
> or will it also provide improved performance in the parsing engine too?
That is an excellent question and I have to admit I do not know the answer. I'll hazard a guess of 'no' as I run in delayed-detect mode and suricata will begin protocol logging well prior to generating alert traffic. I think this is by design as the protocol detection logic is specifically tuned for that purpose, vs. being a generic pattern matcher.
--
Cooper Nelson
IT Security - Information Technology Services University of California San Diego
(858) 534-6487 - cnelson at ucsd.edu
https://cybersecurity.ucsd.edu
-------------- next part --------------
Attachment (non-text, scrubbed from the archive): SuricataMemCalc.ods, 5827 bytes
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170517/c35ca6f9/attachment-0002.bin>