[Oisf-users] 1 gig tuning of suri
Cooper F. Nelson
cnelson at ucsd.edu
Fri Mar 9 20:58:05 UTC 2018
Everything Michal said applies. I'll add I did a 10gig deployment on a
much older non-AVX Xeon system and it was still functional.
Re: adding Moloch to the mix; I have a plan to integrate moloch with
suricata, I just haven't had a chance to try it out yet. This is the
executive summary:
1. Set up a tmpfs partition for suricata to dump pcap files into, like
/home/suri/pcap.
2. Set up suricata to dump pcap to that directory, rotating by size.
I'll recommend enabling the stream/tls pruning as well. If you have a 1Gb
interface you do not need to use multi mode, a single file is fine.
3. Use moloch capture in offline 'monitor mode' to monitor this
directory and copy closed files to an archive directory on disk:
moloch-capture -Rm --copy --delete /home/suri/pcap
Use taskset to pin this process to a core so it doesn't get assigned to
one of the suricata cores. Use a dedicated box/VM for elasticsearch.
-Coop
On 3/9/2018 10:02 AM, erik clark wrote:
> Hmmm, 8? Likely 16. I don't have the hardware yet, trying to prepare ahead
> of time.
>
> Would like to run about 10-15k et pro sigs.
>
> On Fri, Mar 9, 2018 at 12:54 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>
>> How many cores?
>>
>>
>> On 3/9/2018 9:48 AM, erik clark wrote:
>>
>> So, I am looking at tuning suricata as best as possible on a limited
>> budget. I am figuring I have about 100 meg throughput possibly, 24-48 gigs
>> of ram, and ideally would like to run bro on the box as well. Looks like
>> that may not be sufficient to do this task, and was wondering what kind of
>> tuning could be done to handle a load of 48 gigs of ram. I also wanted to
>> shove moloch on there, but I am pretty positive the system can't handle it.
>> SEPtun2 is clearly out of scope for this. :D
--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
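The three-step plan above (tmpfs spool, size-rotated pcap-log, moloch-capture in monitor mode pinned away from the suricata cores) wired together as a shell script. This is an added example, not code from the original post or from the Suricata or Moloch projects. Assumed values that are not in the post: a 4 GiB tmpfs, 1000 MB per pcap file, a cap of 20 files on the spool, a 4-core box with suricata workers on cores 1-3, an archive directory of /data/pcap, and a user/group named suri. The functions only produce the fstab line, the suricata.yaml fragment and the moloch command line so they can be reviewed before anything touches a live sensor; the `-Rm --copy --delete` flags are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): turn the three steps into
# reviewable config fragments. All sizes, core numbers and paths below are
# assumptions, not values from the post.
set -u

PCAP_DIR=/home/suri/pcap      # from the post
ARCHIVE_DIR=/data/pcap        # assumed
TMPFS_SIZE=4G                 # assumed; must hold limit * max-files plus slack
PCAP_LIMIT=1000mb             # assumed; suricata pcap-log "limit" syntax
PCAP_MAX_FILES=20             # assumed
NCORES=4                      # assumed box size
SURI_CPUS=1-3                 # assumed worker-cpu-set for suricata

# Step 1: fstab line for the RAM-backed spool. noexec/nosuid/nodev because
# nothing on it is ever executed; chown suri:suri after mounting.
tmpfs_fstab_line() {
    # $1 = mount point, $2 = size (e.g. 4G)
    printf 'tmpfs %s tmpfs rw,nosuid,nodev,noexec,size=%s,mode=0750 0 0\n' "$1" "$2"
}

# Step 2: pcap-log block for suricata.yaml. Single-file "normal" mode, as the
# post says is enough at 1Gb/s; use-stream-depth stops logging a flow once
# stream.reassembly.depth is hit, which is how I read the "stream pruning"
# advice (assumption). max-files keeps the spool bounded if moloch-capture
# falls behind on copying.
suricata_pcap_log_yaml() {
    # $1 = dir, $2 = per-file size limit, $3 = max files kept
    cat <<EOF
outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap
      mode: normal
      dir: $1
      limit: $2
      max-files: $3
      use-stream-depth: yes
      honor-pass-rules: no
EOF
}

# Expand a cpu-set string such as "1-3,5" into the list "1 2 3 5".
expand_cpuset() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r item; do
        case "$item" in
            '') ;;
            *-*) lo=${item%-*}; hi=${item#*-}; j=$lo
                 while [ "$j" -le "$hi" ]; do echo "$j"; j=$((j + 1)); done ;;
            *) echo "$item" ;;
        esac
    done | tr '\n' ' ' | sed 's/ $//'
}

# Step 3 helper: lowest core not used by suricata workers, for taskset.
# Returns 1 (and prints nothing) when every core is already taken.
free_core() {
    # $1 = number of cores on the box, $2 = suricata cpu-set
    busy=" $(expand_cpuset "$2") "
    i=0
    while [ "$i" -lt "$1" ]; do
        case "$busy" in
            *" $i "*) ;;
            *) echo "$i"; return 0 ;;
        esac
        i=$((i + 1))
    done
    return 1
}

# Step 3: moloch-capture in offline monitor mode, pinned to one core.
# Flags are the ones from the post: -R recurse, -m monitor, copy then delete.
moloch_cmd() {
    # $1 = core to pin to, $2 = spool directory to watch
    printf 'taskset -c %s moloch-capture -Rm --copy --delete %s\n' "$1" "$2"
}

show_plan() {
    echo "# /etc/fstab"; tmpfs_fstab_line "$PCAP_DIR" "$TMPFS_SIZE"
    echo "# suricata.yaml"; suricata_pcap_log_yaml "$PCAP_DIR" "$PCAP_LIMIT" "$PCAP_MAX_FILES"
    core=$(free_core "$NCORES" "$SURI_CPUS") || { echo "no free core for moloch" >&2; return 1; }
    echo "# run (archive dir $ARCHIVE_DIR is set in moloch's config.ini pcapDir)"
    moloch_cmd "$core" "$PCAP_DIR"
}

show_plan
```

The moloch copy target is not on its command line: `--copy` writes into the `pcapDir` from moloch's config.ini, so point that at the on-disk archive directory rather than the tmpfs. If "tls pruning" in the post means not writing encrypted payload after the handshake, that is `encryption-handling: bypass` under `app-layer.protocols.tls` in newer Suricata releases; whether that is what was meant is an assumption here.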