[Oisf-users] Questions about suricata.yaml
Chris Boley
ilgtech75 at gmail.com
Thu Jun 28 12:57:13 UTC 2018
I’m not 100% sure if suricata does auto load balancer functionality on
cores by default now? Maybe it does. I’m no SME on Suri.
In nfqueue mode, can you not set --queue-balance 0:3 in iptables and run
Suricata like:
suricata -c /etc/suricata.yaml -S /etc/suricata/sample.rules -q 0 -q 1 -q 2 -q 3 -vv ?
I was under the impression that nfqueue mode load balancing was achieved in
this way? My thoughts on this are probably outdated. Could we help his
performance by offering that as a method?
On Thu, Jun 28, 2018 at 8:20 AM Amar Rathore - CounterSnipe Systems <
amar at countersnipe.com> wrote:
> Hello Tanaka
>
> The configuration you have described is something we use all the time. It
> seems to work fine for us...even with most of the rules loaded.
>
> The main reason for bridging is the flexibility it offers....we bridge 6
> interfaces together and any one of them can be in or out. Have to say we are
> still on a previous version.
>
> I notice that you are loading 1 rule specifying the HOME_NET variable,
> have you tried running with no rules loaded at all? Just to see if the base
> configuration is all ok?
>
> Have you configured the HOME_NET variable?
>
> Is there a specific reason for using 'reject' as opposed to 'drop'?
>
> If all of that is good, then it may be something to do with V4.
>
> Just some thoughts.
>
>
> Amar Rathore
>
> amar at countersnipe.com
>
> Delivering Suricata based Network Security.
>
> On June 28, 2018 at 3:34 AM tanaka yusuke <net1234 at hotmail.co.jp> wrote:
>
>
> Hi.
>
> I am trying to build an IPS box at work using suricata, but my suricata
> box is showing very poor performance for some reason.
>
> Measured performance with wrk (https://github.com/wg/wrk) in isolated
> testing environment like this:
>
> client ---> suricata box ---> server
>
> With default suricata.yaml, the box throughput drops below 10% of a dumb
> bridge configuration.
> I tried to tweak some of suricata.yaml settings and found improvement
> somehow but still way too low.
> I would appreciate if you have any other suggestions for performance
> improvement.
> Thanks in advance.
>
> Suricata box:
> OS: CentOS 7.5 (simple install)
> suricata: version 4.0.4 (suricata-4.0.4-1.el7.x86_64)
> CPU: Intel(R) Celeron(R) CPU N3160 @ 1.60GHz (4Core/4Thread)
>
> Suricata launch procedure:
> #> systemctl stop firewalld
> #> iptables -A FORWARD -j NFQUEUE --queue-num 0
> #> suricata -c /etc/suricata.yaml -S /etc/suricata/sample.rules -q 0 -vv
>
> Rules activated (/etc/suricata/sample.rules)
> reject ip $HOME_NET any -> 192.168.10.142 any (msg:"test rules"; gid:10000; sid:10000; rev:1;)
>
> Testing patterns:
> 1. suricata off (dumb bridge mode)
> 2. suricata on (default suricata.yaml)
> 3. suricata on (log suppressed)
> 4. suricata on (log suppressed + cpu-affinity set)
>
> Results:
> [client]# ./wrk -t10 -c1000 -d30s http://192.168.100.101/
> Running 30s test @ http://192.168.100.101/
> 10 threads and 1000 connections
>
> 1. 3296109 requests in 30.09s, 3.20GB read
> Requests/sec: 109536.50
> Transfer/sec: 108.85MB
>
> 2. 229685 requests in 30.10s, 228.24MB read
> Requests/sec: 7630.75
> Transfer/sec: 7.58MB
>
> 3. 341039 requests in 30.04s, 338.90MB read
> Requests/sec: 11354.15
> Transfer/sec: 11.28MB
>
> 4. 417160 requests in 30.03s, 414.54MB read
> Requests/sec: 13892.03
> Transfer/sec: 13.80MB
>
> Modifications to suricata.yaml:
>
> 3. suppressed log output
> -----------------------------------------
> stats:
>   enabled: no
> outputs:
>   - eve-log:
>       enabled: no
> -----------------------------------------
>
> 4. cpu-affinity setting added
> -----------------------------------------
> threading:
>   set-cpu-affinity: yes
>   cpu-affinity:
>     - management-cpu-set:
>         cpu: [ "all" ]
>         prio:
>           default: "low"
>     - receive-cpu-set:
>         cpu: [ "all" ]
>         prio:
>           default: "low"
>     - worker-cpu-set:
>         cpu: [ 1,2,3 ]
>         mode: "exclusive"
>         threads: 3
>         prio:
>           default: "medium"
>     - verdict-cpu-set:
>         cpu: [ 0 ]
>         prio:
>           default: "high"
> -----------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
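The multi-queue setup Chris describes, as an added example that is not part of the thread: a POSIX shell script that builds the balanced NFQUEUE rule and the matching Suricata command line (one -q per queue), and checks /proc/net/netfilter/nfnetlink_queue to confirm that every queue in the balance range actually has a listener bound. The config and rule paths, the QUEUES/DRY_RUN knobs and the function names are assumptions; with DRY_RUN=1 (the default) it only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the balanced NFQUEUE rule and
# the matching Suricata command line (one -q per queue) and checks that every
# queue in the range has a userspace listener bound. Paths, QUEUES and the
# DRY_RUN knob are assumptions; DRY_RUN=1 (the default) only prints commands.

DRY_RUN="${DRY_RUN:-1}"
QUEUES="${QUEUES:-4}"                    # e.g. one queue per core on a 4-core box
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"
RULES="${RULES:-/etc/suricata/sample.rules}"

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# iptables rule that balances forwarded packets over queues 0..N-1.
# Without --queue-bypass, packets that hit a queue with no listener are
# dropped (fail-closed); add --queue-bypass only if you deliberately want
# the box to fail open when Suricata is not running.
nfq_iptables_rule() {
    n="$1"
    echo "iptables -A FORWARD -j NFQUEUE --queue-balance 0:$((n - 1))"
}

# Suricata command line with one -q flag per queue in the balance range.
suricata_cmd() {
    n="$1"
    cmd="suricata -c ${SURICATA_YAML} -S ${RULES}"
    i=0
    while [ "$i" -lt "$n" ]; do
        cmd="${cmd} -q ${i}"
        i=$((i + 1))
    done
    echo "${cmd} -vv"
}

# Return 0 only if queues 0..N-1 all appear in the kernel's bound-queue table.
# /proc/net/netfilter/nfnetlink_queue has one line per bound queue; the first
# column is the queue number. A second argument overrides the file (testing).
queues_bound() {
    n="$1"
    table="${2:-/proc/net/netfilter/nfnetlink_queue}"
    i=0
    while [ "$i" -lt "$n" ]; do
        awk -v q="$i" '$1 == q { found = 1 } END { exit found ? 0 : 1 }' "$table" \
            || return 1
        i=$((i + 1))
    done
    return 0
}

main() {
    run systemctl stop firewalld
    # Intentional word splitting: the generated strings contain no quoting.
    run $(nfq_iptables_rule "$QUEUES")
    run $(suricata_cmd "$QUEUES")
}

main
```

After starting Suricata for real (DRY_RUN=0), run `queues_bound 4` to make sure all four queues are bound; if Suricata came up with fewer -q flags than the --queue-balance range covers, the packets hashed to the unbound queues are silently dropped rather than inspected.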