[Oisf-users] Questions about suricata.yaml
Eric Leblond
eric at regit.org
Thu Jun 28 08:40:48 UTC 2018
Hi,
On Thu, 2018-06-28 at 07:34 +0000, tanaka yusuke wrote:
> Hi.
>
> I am trying to build an IPS box at work using suricata, but my
> suricata box is showing very poor performance for some reason.
>
> Measured performance with wrk (https://github.com/wg/wrk) in isolated
> testing environment like this:
>
> client ---> suricata box ---> server
> With default suricata.yaml, the box throughput drops below 10% of a
> dumb bridge configuration.
Do you mean you are using a bridge interface and filtering on forward
on top of it? If yes, this use case is to be avoided. It seems there is
a kind of bug or weird thing in this case. It is better to use a regular
routing configuration.
> I tried to tweak some of suricata.yaml settings and found improvement
> somehow but still way too low.
> I would appreciate if you have any other suggestions for performance
> improvement.
Try to use multiple Netfilter queues to do load balancing. See
https://home.regit.org/2011/04/some-new-features-of-ips-mode-in-suricata-1-1beta2/
for some info.
> Thanks in advance.
>
> Suricata box:
> OS: CentOS 7.5 (simple install)
> suricata: version 4.0.4 (suricata-4.0.4-1.el7.x86_64)
> CPU: Intel(R) Celeron(R) CPU N3160 @ 1.60GHz (4Core/4Thread)
>
> Suricata launch procedure:
> #> systemctl stop firewalld
> #> iptables -A FORWARD -j NFQUEUE --queue-num 0
> #> suricata -c /etc/suricata.yaml -S /etc/suricata/sample.rules -q 0 -vv
>
> Rules activated (/etc/suricata/sample.rules)
> reject ip $HOME_NET any -> 192.168.10.142 any (msg:"test rules"; gid:10000; sid:10000; rev:1;)
>
> Testing patterns:
> 1. suricata off (dumb bridge mode)
> 2. suricata on (default suricata.yaml)
> 3. suricata on (log suppressed)
> 4. suricata on (log suppressed + cpu-affinity set)
>
> Results:
> [client]# ./wrk -t10 -c1000 -d30s http://192.168.100.101/
> Running 30s test @ http://192.168.100.101/
> 10 threads and 1000 connections
>
> 1. 3296109 requests in 30.09s, 3.20GB read
> Requests/sec: 109536.50
> Transfer/sec: 108.85MB
>
> 2. 229685 requests in 30.10s, 228.24MB read
> Requests/sec: 7630.75
> Transfer/sec: 7.58MB
>
> 3. 341039 requests in 30.04s, 338.90MB read
> Requests/sec: 11354.15
> Transfer/sec: 11.28MB
>
> 4. 417160 requests in 30.03s, 414.54MB read
> Requests/sec: 13892.03
> Transfer/sec: 13.80MB
>
> Modifications to suricata.yaml:
>
> 3. suppressed log output
> -----------------------------------------
> stats:
>   enabled: no
> outputs:
>   - eve-log:
>       enabled: no
> -----------------------------------------
>
> 4. cpu-affinity setting added
> -----------------------------------------
> threading:
>   set-cpu-affinity: yes
>   cpu-affinity:
>     - management-cpu-set:
>         cpu: [ "all" ]
>         prio:
>           default: "low"
>     - receive-cpu-set:
>         cpu: [ "all" ]
>         prio:
>           default: "low"
>     - worker-cpu-set:
>         cpu: [ 1,2,3 ]
>         mode: "exclusive"
>         threads: 3
>         prio:
>           default: "medium"
>     - verdict-cpu-set:
>         cpu: [ 0 ]
>         prio:
>           default: "high"
> -----------------------------------------
>
>
--
Eric Leblond <eric at regit.org>
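As an added example, not part of Eric's reply or of Suricata's own tooling: a small POSIX shell script that generates the multi-queue setup Eric suggests, so the single `--queue-num 0` rule from the original post becomes one NFQUEUE per CPU with Suricata bound to all of them. It assumes an iptables build whose NFQUEUE target supports `--queue-balance` and `--queue-bypass`, and a Suricata build that accepts several `-q` options; the config and rules paths are the ones from the post, and the queue count defaults to 4 (the box in the thread has 4 cores) unless QUEUES is set in the environment.

```shell
#!/bin/sh
# Added example: generate a load-balanced NFQUEUE setup for Suricata IPS mode.
# Assumptions: iptables NFQUEUE target with --queue-balance/--queue-bypass,
# Suricata accepting multiple -q flags. Nothing is applied; the commands are
# printed so they can be reviewed before running them as root.

# Print the iptables rule that spreads FORWARD traffic over QUEUES queues
# numbered 0..QUEUES-1. --queue-bypass lets packets pass when no program
# is bound to the queue, so a Suricata restart does not black-hole the link
# (fail-open; drop the option if fail-closed is the policy you want).
nfqueue_rule() {
    queues=$1
    last=$((queues - 1))
    echo "iptables -A FORWARD -j NFQUEUE --queue-balance 0:${last} --queue-bypass"
}

# Print the matching Suricata command line: one -q per queue, so each queue
# is served by its own verdict thread instead of funnelling everything
# through queue 0.
suricata_cmd() {
    queues=$1
    config=$2
    rules=$3
    args=""
    i=0
    while [ "$i" -lt "$queues" ]; do
        args="${args} -q ${i}"
        i=$((i + 1))
    done
    echo "suricata -c ${config} -S ${rules}${args}"
}

# Dry run using the paths from the original post.
QUEUES=${QUEUES:-4}
echo "# Review, then run as root:"
nfqueue_rule "$QUEUES"
suricata_cmd "$QUEUES" /etc/suricata.yaml /etc/suricata/sample.rules
```

After applying the rule, `iptables -L FORWARD -v -n` should show a single NFQUEUE entry with `balance 0:3`, and Suricata's startup log should report one queue thread per `-q`; if throughput still does not scale, check that the queue count matches the worker-cpu-set in the cpu-affinity block rather than the total core count.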