[Oisf-users] Questions about suricata.yaml

Eric Leblond eric at regit.org
Thu Jun 28 08:40:48 UTC 2018


Hi,

On Thu, 2018-06-28 at 07:34 +0000, tanaka yusuke wrote:
> Hi.
> 
> I am trying to build an IPS box at work using suricata, but my
> suricata box is showing very poor performance for some reason.
> 
> Measured performance with wrk (https://github.com/wg/wrk) in an isolated
> testing environment like this:
> 
>  client ---> suricata box ---> server

> With default suricata.yaml, the box throughput drops below 10% of a
> dumb bridge configuration.

Do you mean you are using a bridge interface and filtering on forward
on top of it? If yes, this use case is to be avoided. It seems there is
a kind of bug, weird thing in this case. It is better to use a regular
routing configuration.

> I tried to tweak some of the suricata.yaml settings and found some
> improvement, but it is still way too low.
> I would appreciate it if you have any other suggestions for performance
> improvement.

Try to use multiple Netfilter queues to do load balancing. See
https://home.regit.org/2011/04/some-new-features-of-ips-mode-in-suricata-1-1beta2/
for some info.

> Thanks in advance.
> 
> Suricata box:
>   OS: CentOS 7.5 (simple install)
>   suricata: version 4.0.4 (suricata-4.0.4-1.el7.x86_64)
>   CPU: Intel(R) Celeron(R) CPU  N3160  @ 1.60GHz (4Core/4Thread)
> 
> Suricata launch procedure:
>   #> systemctl stop firewalld
>   #> iptables -A FORWARD -j NFQUEUE --queue-num 0
>   #> suricata -c /etc/suricata.yaml -S /etc/suricata/sample.rules -q 0 -vv
> 
> Rules activated (/etc/suricata/sample.rules)
>   reject ip $HOME_NET any -> 192.168.10.142 any (msg:"test rules"; gid:10000; sid:10000; rev:1;)
> 
> Testing patterns:
>   1. suricata off (dumb bridge mode)
>   2. suricata on (default suricata.yaml)
>   3. suricata on (log suppressed)
>   4. suricata on (log suppressed + cpu-affinity set)
> 
> Results:
>   [client]# ./wrk -t10 -c1000 -d30s http://192.168.100.101/
>     Running 30s test @ http://192.168.100.101/
>       10 threads and 1000 connections
> 
>   1. 3296109 requests in 30.09s, 3.20GB read
>      Requests/sec: 109536.50
>      Transfer/sec:    108.85MB
> 
>   2. 229685 requests in 30.10s, 228.24MB read
>      Requests/sec:   7630.75
>      Transfer/sec:      7.58MB
> 
>   3. 341039 requests in 30.04s, 338.90MB read
>      Requests/sec:  11354.15
>      Transfer/sec:     11.28MB
> 
>   4. 417160 requests in 30.03s, 414.54MB read
>      Requests/sec:  13892.03
>      Transfer/sec:     13.80MB
> 
> Modifications to suricata.yaml:
> 
>   3. suppressed log output
>     -----------------------------------------
>     stats:
>       enabled: no
>     outputs:
>       - eve-log:
>           enabled: no
>     -----------------------------------------
> 
>   4. cpu-affinity setting added
>     -----------------------------------------
>     threading:
>       set-cpu-affinity: yes
>       cpu-affinity:
>         - management-cpu-set:
>             cpu: [ "all" ]
>             prio:
>               default: "low"
>         - receive-cpu-set:
>             cpu: [ "all" ]
>             prio:
>               default: "low"
>         - worker-cpu-set:
>             cpu: [ 1,2,3 ]
>             mode: "exclusive"
>             threads: 3
>             prio:
>               default: "medium"
>         - verdict-cpu-set:
>             cpu: [ 0 ]
>             prio:
>               default: "high"
>     -----------------------------------------
> 
-- 
Eric Leblond <eric at regit.org>
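A worked version of the multiple-queue setup Eric recommends, as an added example that is not part of the thread: it generates the balanced NFQUEUE rule and the matching Suricata command line for N queues, and sums queue drops from the kernel's nfnetlink_queue proc file so you can see whether the box is keeping up. The config and rule paths are the poster's; the proc-file sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux with iptables
# --queue-balance support (xt_NFQUEUE) and Suricata >= 1.1, which accepts
# several -q options. Paths are the ones used in the original post.

# Emit the iptables rule that spreads FORWARD traffic over queues 0..N-1
# (replaces the single "--queue-num 0" rule from the post).
nfq_rule() {
  n=$1
  echo "iptables -A FORWARD -j NFQUEUE --queue-balance 0:$((n - 1))"
}

# Emit the matching Suricata command line: one -q per queue so each queue
# has its own reader; N should match the number of worker threads.
suricata_cmd() {
  n=$1
  cmd="suricata -c /etc/suricata.yaml -S /etc/suricata/sample.rules"
  i=0
  while [ "$i" -lt "$n" ]; do
    cmd="$cmd -q $i"
    i=$((i + 1))
  done
  echo "$cmd -vv"
}

# Sum kernel-side and userspace-side drops over all queues from
# /proc/net/netfilter/nfnetlink_queue (columns: queue, portid, queued,
# copy_mode, copy_range, queue_dropped, user_dropped, id_seq, 1).
# A non-zero total means packets were lost instead of being inspected.
nfq_drops() {
  awk '{ d += $6 + $7 } END { print d + 0 }' \
    "${1:-/proc/net/netfilter/nfnetlink_queue}"
}

# Constructed sample of the proc file: queue 2 has dropped 17 packets.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
  0  4057     0 2 65531     0     0   111  1
  1  4058     3 2 65531     0     0   109  1
  2  4059    12 2 65531    17     0   120  1
EOF

if [ "${1:-}" = "--demo" ]; then
  nfq_rule 3
  suricata_cmd 3
  echo "drops: $(nfq_drops "$SAMPLE")"
fi
```

The queue range in --queue-balance must match the set of -q options exactly: a queue with no listener makes the kernel drop the packets sent to it, which shows up in the queue_dropped column above.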

