[Oisf-users] Questions about suricata.yaml
tanaka yusuke
net1234 at hotmail.co.jp
Thu Jun 28 07:34:05 UTC 2018
Hi.
I am trying to build an IPS box at work using suricata, but my suricata box is showing very poor performance for some reason.
I measured the performance with wrk (https://github.com/wg/wrk) in an isolated testing environment like this:
client ---> suricata box ---> server
With the default suricata.yaml, the box's throughput drops below 10% of a dumb bridge configuration.
I tried tweaking some suricata.yaml settings and found some improvement, but it is still way too low.
I would appreciate it if you have any other suggestions for performance improvement.
Thanks in advance.
Suricata box:
OS: CentOS 7.5 (simple install)
suricata: version 4.0.4 (suricata-4.0.4-1.el7.x86_64)
CPU: Intel(R) Celeron(R) CPU N3160 @ 1.60GHz (4Core/4Thread)
Suricata launch procedure:
#> systemctl stop firewalld
#> iptables -A FORWARD -j NFQUEUE --queue-num 0
#> suricata -c /etc/suricata.yaml -S /etc/suricata/sample.rules -q 0 -vv
Rules activated (/etc/suricata/sample.rules):
reject ip $HOME_NET any -> 192.168.10.142 any (msg:"test rules"; gid:10000; sid:10000; rev:1;)
Testing patterns:
1. suricata off (dumb bridge mode)
2. suricata on (default suricata.yaml)
3. suricata on (log suppressed)
4. suricata on (log suppressed + cpu-affinity set)
Results:
[client]# ./wrk -t10 -c1000 -d30s http://192.168.100.101/
Running 30s test @ http://192.168.100.101/
10 threads and 1000 connections
1. 3296109 requests in 30.09s, 3.20GB read
Requests/sec: 109536.50
Transfer/sec: 108.85MB
2. 229685 requests in 30.10s, 228.24MB read
Requests/sec: 7630.75
Transfer/sec: 7.58MB
3. 341039 requests in 30.04s, 338.90MB read
Requests/sec: 11354.15
Transfer/sec: 11.28MB
4. 417160 requests in 30.03s, 414.54MB read
Requests/sec: 13892.03
Transfer/sec: 13.80MB
Modifications to suricata.yaml:
3. suppressed log output
-----------------------------------------
stats:
  enabled: no
outputs:
  - eve-log:
      enabled: no
-----------------------------------------
4. cpu-affinity setting added
-----------------------------------------
threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ "all" ]
        prio:
          default: "low"
    - receive-cpu-set:
        cpu: [ "all" ]
        prio:
          default: "low"
    - worker-cpu-set:
        cpu: [ 1,2,3 ]
        mode: "exclusive"
        threads: 3
        prio:
          default: "medium"
    - verdict-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "high"
-----------------------------------------
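The post quotes four wrk summaries but only eyeballs the ratio. As an added example (editor's code, not part of the post), this script parses wrk's summary lines and reports each configuration's throughput as a fraction of the bridge baseline; the sample input is the four results quoted above, embedded as constructed strings, and the 0.5 "too slow" floor is an assumed threshold.

```python
import re

# Constructed sample input: the four wrk summaries quoted in the post, keyed by
# scenario. Only the summary lines wrk prints are needed.
WRK_RUNS = {
    "1 bridge (suricata off)":
        "3296109 requests in 30.09s, 3.20GB read\n"
        "Requests/sec: 109536.50\nTransfer/sec:    108.85MB\n",
    "2 suricata default":
        "229685 requests in 30.10s, 228.24MB read\n"
        "Requests/sec:   7630.75\nTransfer/sec:      7.58MB\n",
    "3 log suppressed":
        "341039 requests in 30.04s, 338.90MB read\n"
        "Requests/sec:  11354.15\nTransfer/sec:     11.28MB\n",
    "4 log suppressed + cpu-affinity":
        "417160 requests in 30.03s, 414.54MB read\n"
        "Requests/sec:  13892.03\nTransfer/sec:     13.80MB\n",
}

# wrk prints transfer rates with binary-prefix units.
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_wrk(text):
    """Extract requests/sec and transfer bytes/sec from a wrk summary."""
    rps = re.search(r"Requests/sec:\s*([\d.]+)", text)
    tps = re.search(r"Transfer/sec:\s*([\d.]+)(B|KB|MB|GB)", text)
    if not rps or not tps:
        raise ValueError("not a wrk summary")
    return {"rps": float(rps.group(1)),
            "bps": float(tps.group(1)) * UNIT[tps.group(2)]}


def compare_to_baseline(runs, baseline, floor=0.5):
    """Return each run's request rate and its fraction of the baseline's rate,
    flagging runs that fall under `floor` (an assumed threshold)."""
    base = parse_wrk(runs[baseline])["rps"]
    result = {}
    for name, text in runs.items():
        ratio = parse_wrk(text)["rps"] / base
        result[name] = {"rps": parse_wrk(text)["rps"],
                        "ratio": ratio, "too_slow": ratio < floor}
    return result


if __name__ == "__main__":
    for name, r in compare_to_baseline(WRK_RUNS, "1 bridge (suricata off)").items():
        flag = "  <-- below floor" if r["too_slow"] else ""
        print(f"{name:34s} {r['rps']:10.2f} req/s  {r['ratio']:6.1%}{flag}")
```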