[Oisf-users] 1 gig tuning of suri

Michał Purzyński michalpurzynski1 at gmail.com
Fri Mar 9 21:46:36 UTC 2018


You might also try Google Stenographer. Seems to be super light and fast, scales well. It does not write native pcaps.

> On Mar 9, 2018, at 12:58 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> 
> Everything Michal said applies.  I'll add I did a 10gig deployment on a much older non-AVX Xeon system and it was still functional.
> 
> Re: adding Moloch to the mix; I have a plan to integrate moloch with suricata, I just haven't had a chance to try it out yet.  This is the executive summary:
> 
> 1.  Setup a tmpfs partition for suricata to dump pcap files into, like /home/suri/pcap.
> 2.  Setup suricata to dump pcap to that directory, rotating by size.  I'll recommend enabling the stream/tls pruning as well.  If you have a 1Gb interface you do not need to use multi mode, a single file is fine.
> 3.  Use moloch capture in offline 'monitor mode' to monitor this directory and copy closed files to an archive directory on disk:
> 
> moloch-capture -Rm --copy --delete /home/suri/pcap 
> 
> Use taskset to pin this process to a core so it doesn't get assigned to one of the suricata cores.  Use a dedicated box/VM for elasticsearch.
> 
> -Coop
> 
>> On 3/9/2018 10:02 AM, erik clark wrote:
>> Hmmm, 8? Likely 16. I don't have the hardware yet, trying to prepare ahead
>> of time.
>> 
>> Would like to run about 10-15k et pro sigs.
>> 
>> On Fri, Mar 9, 2018 at 12:54 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>> 
>>> How many cores?
>>> 
>>> 
>>> On 3/9/2018 9:48 AM, erik clark wrote:
>>> 
>>> So, I am looking at tuning suricata as best as possible on a limited
>>> budget. I am figuring I have about 100 meg throughput possibly, 24-48 gigs
>>> of ram, and ideally would like to run bro on the box as well. Looks like
>>> that may not be sufficient to do this task, and was wondering what kind of
>>> tuning could be done to handle a load of 48 gigs of ram. I also wanted to
>>> shove moloch on there, but I am pretty positive the system can't handle it.
>>> SEPtun2 is clearly out of scope for this. :D
> 
> -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
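The three steps Cooper outlines above (tmpfs for Suricata's pcap output, pcap-log rotating by size with stream pruning, moloch-capture in offline monitor mode pinned with taskset), written out as an added example. This is not code from the thread or from the Suricata or Moloch projects. The /home/suri/pcap path and the suri user, the 1000 MB file limit, the 4-file ring, core 7, the link speed and the Suricata 4.x option names are assumptions; the tmpfs sizing rule (whole ring plus the file being written plus 25% headroom) is a rule of thumb, not a documented requirement.

```sh
#!/bin/sh
# Added example, not from the thread: wiring up the Suricata -> tmpfs -> moloch-capture
# pipeline described above. Paths, sizes, user name and core number are assumptions;
# adjust to the box. 'mount' and 'capture' need root.
set -eu

PCAP_DIR=${PCAP_DIR:-/home/suri/pcap}   # tmpfs that Suricata's pcap-log writes into
PCAP_USER=${PCAP_USER:-suri}            # account Suricata runs as (assumed)
FILE_LIMIT_MB=${FILE_LIMIT_MB:-1000}    # pcap-log 'limit': rotate when a file hits this size
MAX_FILES=${MAX_FILES:-4}               # pcap-log 'max-files': ring depth Suricata keeps
LINK_MBIT=${LINK_MBIT:-1000}            # monitored link speed, for the rotation-rate check
CAPTURE_CORE=${CAPTURE_CORE:-7}         # core reserved for moloch-capture; keep it out of
                                        # Suricata's cpu-affinity set

# Size the tmpfs to hold the whole ring plus the file being written, with 25% headroom
# (rule of thumb). If moloch-capture falls behind, Suricata deletes the oldest file once
# max-files is reached and that traffic never reaches the archive, so the ring depth is
# the real buffer. Usage: tmpfs_size_mb LIMIT_MB MAX_FILES
tmpfs_size_mb() {
    echo $(( ($1 * ($2 + 1) * 5 + 3) / 4 ))
}

# Seconds one file takes to fill at line rate: the budget moloch-capture has to copy a
# closed file to disk before the ring wraps. Usage: rotation_seconds LIMIT_MB LINK_MBIT
rotation_seconds() {
    echo $(( $1 * 8 / $2 ))
}

# Suricata pcap-log fragment for suricata.yaml (Suricata 4.x keys). 'normal' mode writes
# one file at a time, which is enough at 1 Gbit/s as Cooper says; 'use-stream-depth: yes'
# stops recording a flow's packets once stream.reassembly.depth is reached (the stream
# pruning). Usage: pcap_log_fragment DIR LIMIT_MB
pcap_log_fragment() {
    cat <<EOF
outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap
      limit: ${2}mb
      max-files: ${MAX_FILES}
      mode: normal
      dir: $1
      use-stream-depth: yes
      honor-pass-rules: no

# Pair the above with flow bypass so pruned flows stop costing CPU as well as disk.
stream:
  bypass: yes
# TLS pruning after the handshake is app-layer.protocols.tls.encryption-handling: bypass
# in Suricata 4.1 and later (assumed to be the version in use).
EOF
}

# Step 1: mount the tmpfs Suricata dumps into, owned by the Suricata user.
setup_tmpfs() {
    size=$(tmpfs_size_mb "$FILE_LIMIT_MB" "$MAX_FILES")
    mkdir -p "$PCAP_DIR"
    mount -t tmpfs \
        -o "size=${size}m,mode=0750,uid=$(id -u "$PCAP_USER"),gid=$(id -g "$PCAP_USER")" \
        tmpfs "$PCAP_DIR"
    echo "tmpfs of ${size} MB at ${PCAP_DIR}; one file rotates every" \
         "$(rotation_seconds "$FILE_LIMIT_MB" "$LINK_MBIT") s at ${LINK_MBIT} Mbit/s"
}

# Step 3: moloch-capture in offline monitor mode, pinned off the Suricata cores.
# --copy writes into the pcapDir set in Moloch's config.ini; --delete frees the tmpfs slot.
run_capture() {
    exec taskset -c "$CAPTURE_CORE" moloch-capture -Rm --copy --delete "$PCAP_DIR"
}

case "${1:-}" in
    mount)   setup_tmpfs ;;
    config)  pcap_log_fragment "$PCAP_DIR" "$FILE_LIMIT_MB" ;;
    capture) run_capture ;;
    *)       ;;   # no command: only define the functions (e.g. when sourced)
esac
```

Run it with `config` to get the fragment to merge into suricata.yaml (step 2), `mount` before starting Suricata, and `capture` once Suricata is writing. The rotation figure is the check worth doing before buying disks: with a 1000 MB limit a file closes every 8 s at 1 Gbit/s, so the archive disk behind moloch-capture has to sustain roughly 125 MB/s of writes or the ring wraps and files are lost before they are copied.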