[Oisf-users] 1 gig tuning of suri

Cooper F. Nelson cnelson at ucsd.edu
Fri Mar 9 20:58:05 UTC 2018 

Everything Michal said applies.  I'll add I did a 10gig deployment on a
much older non-AVX Xeon system and it was still functional.

Re: adding Moloch to the mix; I have a plan to integrate moloch with
suricata, I just haven't had a chance to try it out yet.  This is the
executive summary:

1.  Setup a tmpfs partition for suricata to dump pcap files into, like
/home/suri/pcap.
2.  Setup suricata to dump pcap to that directory, rotating by size. 
I'll recommend enabling the stream/tls pruning as well.  If you have 1Gb
interface you do not need to use multi mode, a single file is fine.
3.  Use moloch capture in offline 'monitor mode' to monitor this
directory and copy closed files to an archive directory on disk:

moloch-capture -Rm --copy --delete /home/suri/pcap

Use taskset to pin this process to a core so it doesn't get assigned to
one of the suricata cores.  Use a dedicated box/VM for elasticsearch.

-Coop

On 3/9/2018 10:02 AM, erik clark wrote:
> Hmmm, 8? Likely 16. I dont have the hardware yet, trying to prepare ahead
> of time.
>
> Would like to run about 10-15k et pro sigs.
>
> On Fri, Mar 9, 2018 at 12:54 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>
>> How many cores?
>>
>>
>> On 3/9/2018 9:48 AM, erik clark wrote:
>>
>> So, I am looking at tuning suricata as best as possible on a limited
>> budget. I am figuring I have about 100 meg throughput possibly, 24-48 gigs
>> of ram, and ideally would like to run bro on the box as well. Looks like
>> that may not be sufficient to do this task, and was wondering what kind of
>> tuning could be done to handle a load of 48 gigs of ram. I also wanted to
>> shove moloch on there, but I am pretty positive the system cant handle it.
>> SEPtun2 is clearly out of scope for this. :D


-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180309/b032c428/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180309/b032c428/attachment-0002.sig>

More information about the Oisf-users mailing list