[Oisf-users] Questions about suricata.yaml

Chris Boley ilgtech75 at gmail.com
Thu Jun 28 12:57:13 UTC 2018 

I’m not 100% sure if suricata does auto load balancer functionality on
cores by default now? Maybe it does. I’m no SME on Suri.

In nfqueue mode, can you not set —queue-balance 0:3 in iptables and run
Suricata like;  suricata -c /etc/suricata.yaml -S
/etc/suricata/sample.rules -q 0 -q 1 -q 2 -q 3 -vv ?

I was under the impression that nfqueue mode load balancing was achieved in
this way? My thoughts on this are probably outdated. Could we help his
performance by offering that as a method?


On Thu, Jun 28, 2018 at 8:20 AM Amar Rathore - CounterSnipe Systems <
amar at countersnipe.com> wrote:

> Hello Tanaka
>
> The configuration you have described is something we use all the time. It
> seems to work fine for us...even with most of the rules loaded.
>
> The main reason for bridging is the flexibility it offers....we bridge 6
> interfaces together and any one of the can be in or out. Have to say we are
> still on a previous version.
>
> I notice that you are loading 1 rule specifying the HOME_NET variable,
> have you tried running with no rules loaded at all? Just to see if the base
> configuration is all ok?
>
> Have you configured the HOME_NET variable?
>
> Is there a specific reason for using 'reject' as opposed to 'drop'?
>
> If all of that is good, then it may be something to do with V4.
>
> Just some thoughts.
>
>
> Amar Rathore
>
> amar at countersnipe.com
>
> Delivering Suricata based Network Security.
>
> On June 28, 2018 at 3:34 AM tanaka yusuke <net1234 at hotmail.co.jp> wrote:
>
>
> Hi.
>
> I am trying to build an IPS box at work using suricata, but my suricata
> box is showing very poor performance for some reason.
>
> Measured performance with wrk (https://github.com/wg/wrk) in isolated
> testing environment like this:
>
>  client ---> suricata box ---> server
>
> With default suricata.yaml, the box throughput drops below 10% of a dumb
> bridge configuration.
> I tried to tweak some of suricata.yaml settings and found improvement
> somehow but still way too low.
> I would appreciate if you have any other suggestions for performance
> improvement.
> Thanks in advance.
>
> Suricata box:
>   OS: CentOS 7.5 (simple install)
>   suricata: version 4.0.4 (suricata-4.0.4-1.el7.x86_64)
>   CPU: Intel(R) Celeron(R) CPU  N3160  @ 1.60GHz (4Core/4Thread)
>
> Suricata launch procedure:
>   #> systemctl stop firewalld
>   #> iptables -A FORWARD -J NFQUEUE --queue-num 0
>   #> suricata -c /etc/suricata.yaml -S /etc/suricata/sample.rules -q 0 -vv
>
> Rules activated (/etc/suricata/sample.rules)
>   reject ip $HOME_NET any -> 192.168.10.142 any (msg:"test rules";
> gid:10000; sid:10000; rev:1;)
>
> Testing patterns:
>   1. suricata off (dumb bridge mode)
>   2. suricata on (default suricata.yaml)
>   3. suricata on (log suppressed)
>   4. suricata on (log suppressed + cpu-affinity set)
>
> Results:
>   [client]# ./wrk -t10 -c1000 -d30s http://192.168.100.101/
>     Running 30s test @ http://192.168.100.101/
>       10 threads and 1000 connections
>
>   1. 3296109 requests in 30.09s, 3.20GB read
>      Requests/sec: 109536.50
>      Transfer/sec:    108.85MB
>
>   2. 229685 requests in 30.10s, 228.24MB read
>      Requests/sec:   7630.75
>      Transfer/sec:      7.58MB
>
>   3. 341039 requests in 30.04s, 338.90MB read
>      Requests/sec:  11354.15
>      Transfer/sec:     11.28MB
>
>   4. 417160 requests in 30.03s, 414.54MB read
>      Requests/sec:  13892.03
>      Transfer/sec:     13.80MB
>
> Modifications to suricata.yaml:
>
>   3. suppressed log output
>     -----------------------------------------
>     stats:
>       enabled: no
>     outputs:
>       - eve-log:
>           enabled: no
>     -----------------------------------------
>
>   4. cpu-affinity setting added
>     -----------------------------------------
>     threading:
>       set-cpu-affinity: yes
>       cpu-affinity:
>         - management-cpu-set:
>             cpu: [ "all" ]
>             prio:
>               default: "low"
>         - receive-cpu-set:
>             cpu: [ "all" ]
>             prio:
>               default: "low"
>         - worker-cpu-set:
>             cpu: [ 1,2,3 ]
>             mode: "exclusive"
>             threads: 3
>             prio:
>               default: "medium"
>         - verdict-cpu-set:
>             cpu: [ 0 ]
>             prio:
>               default: "high"
>     -----------------------------------------
>
>
>
>
>
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180628/aedfdc54/attachment-0001.html>

More information about the Oisf-users mailing list