[Oisf-users] 1 gig tuning of suri
Michał Purzyński
michalpurzynski1 at gmail.com
Fri Mar 9 18:48:17 UTC 2018
Those concepts we described in SEPTun still apply, so have fun adjusting ;)
What about “partitioning” your machine?
Cores 0-1 run OS, irq.
Cores 2-3 run Suricata management threads and maybe Bro master and proxies and logger process. If not, separate Bro management processes from Suricata management processes.
Cores 4-6 run Suri workers
Cores 4-12 run Bro workers (Bro is at least two times slower than Suri, but that depends a lot on the scripts running) - per process.
And pin all of that, adjusting as necessary.
14+ cores. A single CPU. 8 or 16GB per DIMM and use all memory channels. Keep it 1DPC.
Get yourself an X710 and a Xeon that supports DDIO.
Report back :-)
> On Mar 9, 2018, at 10:02 AM, erik clark <philosnef at gmail.com> wrote:
>
> Hmmm, 8? Likely 16. I don't have the hardware yet, trying to prepare ahead of time.
>
> Would like to run about 10-15k et pro sigs.
>
>> On Fri, Mar 9, 2018 at 12:54 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>> How many cores?
>>
>>
>>> On 3/9/2018 9:48 AM, erik clark wrote:
>>> So, I am looking at tuning suricata as best as possible on a limited
>>> budget. I am figuring I have about 100 meg throughput possibly, 24-48 gigs
>>> of ram, and ideally would like to run bro on the box as well. Looks like
>>> that may not be sufficient to do this task, and was wondering what kind of
>>> tuning could be done to handle a load of 48 gigs of ram. I also wanted to
>>> shove moloch on there, but I am pretty positive the system can't handle it.
>>> SEPtun2 is clearly out of scope for this. :D
>>>
>>>
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>> Conference: https://suricon.net
>>> Trainings: https://suricata-ids.org/training/
>>
>> --
>> Cooper Nelson
>> Network Security Analyst
>> UCSD ITS Security Team
>> cnelson at ucsd.edu x41042
>
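The Suricata side of the core partitioning suggested in the message above, written out as a suricata.yaml fragment. This is an added example, not part of the original post or of SEPTun; the interface name eth0 and the cluster-id value are assumptions, and IRQ and Bro pinning are configured outside this file.

```yaml
# Added example: Suricata portion of the suggested layout.
#   cores 0-1  OS and NIC interrupts (pinned outside Suricata)
#   cores 2-3  Suricata management threads
#   cores 4-6  Suricata worker threads
# Bro processes are pinned through Bro's own configuration, not here.

runmode: workers

threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 2, 3 ]            # flow manager, stats, logging housekeeping
    - worker-cpu-set:
        cpu: [ 4, 5, 6 ]         # one worker per core
        mode: "exclusive"        # bind each worker to a single core
        prio:
          default: "high"

af-packet:
  - interface: eth0              # assumed capture interface name
    threads: 3                   # must match the number of worker cores above
    cluster-id: 99               # assumed value, any ID unique on the host
    cluster-type: cluster_flow   # keep both directions of a flow on one worker
    defrag: yes
```

After a restart, check the running threads' CPU affinity to confirm that workers stay on cores 4-6 and never land on the cores reserved for the OS and interrupts.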