[Oisf-users] Installing / Running Suricata with Myricom NICs

Greg Grasmehr greg.grasmehr at caltech.edu
Fri Mar 30 17:51:36 UTC 2018


Hello,

Wow, that's a lot of rings. I did a ton of testing regarding packet
drops and different configurations and found the simplest config worked
the best.

SNF_NUM_RINGS=2

/opt/suricata/bin/suricata -D -i p1p1 -i p1p1 -c /opt/suricata/etc/suricata/suricata.yaml -l

This basically lets Suricata decide how to use the available cores. In
my experiments, pinning cores and increasing the number of rings, etc., did not
provide the best performance.

The system is a dual Intel(R) Xeon(R) CPU E5-2640 v4 @ 2.40GHz.

On a final note, I have an Arista 5100 switch that runs in DANZ tap
mode, and I implemented shunting of connections with Bro. It works great for
Bro, and I am experimenting with shunting the Suricata port as well.


On 02/20/18 17:58:16, Alexander Merck wrote:
> Hello,
> 
> Hopefully someone can help shed some light on some issues we've been seeing. We
> just installed a new instance of Suricata on a fresh RHEL7 monitoring box with
> Myricom cards. However, we are seeing significant packet loss (20-35%) on 2-3
> Gbps traffic when attempting to use the SNF drivers.
> 
> I'm suspecting that the Myricom SNF drivers are not functioning as expected.
> We're able to run tcpdump compiled against these drivers with no issue,
> including generating debug output. We've also found when supplying the
> SNF_DEBUG_MASK environment variable when running Suricata, no debug output is
> generated.
> 
> Also, when using Suricata with the SNF drivers, should you be able to use the
> interface names specified by SNF (e.g. snf0)? When trying to run Suricata using
> the -i snf0, we get an "Unable to find iface snf0: No such device" error
> message. We are only able to run Suricata against the interface names specified
> by the kernel (in our case, enp4s0).
> 
> The version of Suricata is 4.0.4 and the version of SNF is 3.0.12. Running ldd
> shows that Suricata is linked against the SNF libraries.
> 
> # ldd /usr/bin/suricata
> ...
>         libpcap.so.1 => /opt/snf/lib/libpcap.so.1 (0x00007f238ffb0000)
> ...
>         libsnf.so.0 => /opt/snf/lib/libsnf.so.0 (0x00007f238dae4000)
> 
> We compiled Suricata per these instructions:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Myricom. I did notice
> that this document is over five years old, but all of the configuration options
> seemed correct.
> 
> ./configure --with-libpcap-includes=/opt/snf/include/ --with-libpcap-libraries=/opt/snf/lib/ --prefix=/usr --sysconfdir=/etc --localstatedir=/var
> 
> And we're running Suricata with the following command:
> 
> SNF_NUM_RINGS=32 SNF_DATARING_SIZE=17179869184 SNF_DESCRING_SIZE=4294967296 SNF_FLAGS=0x1 SNF_DEBUG_MASK=3 SNF_DEBUG_FILENAME="/tmp/snf.out" /usr/bin/suricata -c /etc/suricata/suricata.yaml -i enp4s0 --runmode=workers
> 
> The box we're running this on has 64 cores and 256GB of RAM, so I doubt it's a
> resource issue... but could potentially be a configuration issue.
> 
> Are we missing something in the install process that may be causing these
> issues? Any recommendations or pointers would be greatly appreciated. Thanks!
> 
> -Alex M
> 
> -- 
> Alexander Merck
> Duke University
> IT Security Office

> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
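Both messages above reason about packet loss from the capture side (20-35% in the original report, and the reply's ring/thread experiments). The only way to compare such configurations fairly is to measure the drop rate per interval from Suricata's own counters rather than from a one-off total. The following is an added example, not code from the thread or from the Suricata project: it reads eve.json "stats" events (the `capture.kernel_packets` / `capture.kernel_drops` fields, which Suricata reports as cumulative totals), turns them into per-interval deltas, and flags intervals whose drop percentage exceeds a threshold. The sample lines, timestamps and counter values are constructed for the demonstration; real figures come from the sensor's eve.json.

```python
import json

# Constructed sample of eve.json lines (not taken from the original post).
# Counters are cumulative since Suricata start, so each stats event reports
# totals, not per-interval values.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2018-02-20T17:00:00.000000+0000","event_type":"stats",'
    '"stats":{"uptime":60,"capture":{"kernel_packets":1000000,"kernel_drops":0}}}',
    '{"timestamp":"2018-02-20T17:01:00.000000+0000","event_type":"alert",'
    '"alert":{"signature":"constructed non-stats event, must be skipped"}}',
    '{"timestamp":"2018-02-20T17:01:00.000000+0000","event_type":"stats",'
    '"stats":{"uptime":120,"capture":{"kernel_packets":3000000,"kernel_drops":500000}}}',
]


def parse_stats(lines):
    """Yield (timestamp, kernel_packets, kernel_drops) for each stats event.

    Malformed or non-stats lines are skipped so a partially written eve.json
    (Suricata is usually still running while you read it) does not abort the run.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") != "stats":
            continue
        capture = event.get("stats", {}).get("capture", {})
        yield (
            event.get("timestamp"),
            int(capture.get("kernel_packets", 0)),
            int(capture.get("kernel_drops", 0)),
        )


def drop_rates(lines):
    """Return [(timestamp, packets_in_interval, drops_in_interval, drop_pct), ...].

    Because the counters are cumulative, the interval figures are the difference
    from the previous stats event; the first event is measured from zero.
    """
    prev_packets = prev_drops = 0
    results = []
    for ts, packets, drops in parse_stats(lines):
        delta_packets = packets - prev_packets
        delta_drops = drops - prev_drops
        prev_packets, prev_drops = packets, drops
        # Guard against a zero-packet interval (idle link or counter reset).
        pct = (100.0 * delta_drops / delta_packets) if delta_packets > 0 else 0.0
        results.append((ts, delta_packets, delta_drops, pct))
    return results


def intervals_over(lines, threshold_pct):
    """Return only the intervals whose drop percentage exceeds threshold_pct."""
    return [r for r in drop_rates(lines) if r[3] > threshold_pct]


if __name__ == "__main__":
    # Replace SAMPLE_EVE_LINES with open("/var/log/suricata/eve.json") on a sensor.
    for ts, pkts, drops, pct in drop_rates(SAMPLE_EVE_LINES):
        print(f"{ts}  packets={pkts}  drops={drops}  drop_rate={pct:.2f}%")
    bad = intervals_over(SAMPLE_EVE_LINES, 5.0)
    print(f"{len(bad)} interval(s) above 5% drop rate")
```

Run the same script against eve.json captured under each candidate configuration (for instance SNF_NUM_RINGS=2 with two `-i` threads versus 32 rings in workers mode) and compare the per-interval drop percentages rather than the end-of-run totals; a configuration that drops heavily only during bursts looks fine on a cumulative figure but shows up clearly here.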
