[Oisf-users] Suricata Performance Tuning

Michał Purzyński michalpurzynski1 at gmail.com
Thu Oct 25 22:37:28 UTC 2018 

CPU isolation and such are like the cherry on top of the cake ;-) One has
to take care of memcaps first.

It totally makes sense that you see the biggest improvement after
addressing the memcap drops.

On Thu, Oct 25, 2018 at 7:52 AM Cloherty, Sean E <scloherty at mitre.org>
wrote:

> CPU Pinning was the most impactful for our environment with similar
> traffic rates per box.  The other was to address any stats that showed
> Suricata hitting any memcaps.
>
>
>
> On test boxes I’ve tested CPU isolation and didn’t see a significant
> improvement.   Hyperscan was helpful, and using Google’s TCMALLOC may
> reduce the memory footprint
> https://github.com/OISF/suricata/blob/master/doc/userguide/performance/tcmalloc.rst
>
>
>
>
>
> *From:* Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> *On
> Behalf Of *Edgmand, Craig
> *Sent:* Thursday, August 30, 2018 11:04 AM
> *To:* oisf-users at lists.openinfosecfoundation.org
> *Subject:* [Oisf-users] Suricata Performance Tuning
>
>
>
> Hello,
>
>
>
>        I am working on a new Suricata server (Dell PowerEdge R710, 72 Gb
> of memory, 2 6 core procs) using a Myricom 10 card running snf v3. It needs
> to process between 3 and 6 Gb of traffic fed by a NetOptics agg tap.
>
>
>
>        Currently the system is dropping about 10% of the packets and the
> SNF drop ring is full so that implies that Suricata is not keeping up with
> processing.  I currently have 20 threads running and about 16 Gb of free
> memory.
>
>
>
>        I have read SEPTun, SEPTun-Mark-II, the Suricata docs, the Myricom
> user guide, Peter Manev old blogs, etc…
>
>
>
>        And what I want to know is what performance tuning options have the
> greatest impact?   Outside of buying faster processors, more memory or a
> different nic card.  J
>
>
>
>                 Is it the suricata.yaml configuration options?
>
>
>
>                 Is it hyperscan?
>
>
>
>                 Sysctl settings?
>
>
>
>                 Ethtool tweaks?
>
>
>
>                 BIOS setting?
>
>
>
>                 CPU Pinning?
>
>                 ???
>
>
>
> Thanks very much,
>
>
>
> Craig Edgmand
>
> Oklahoma State University
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20181025/5571abc0/attachment-0001.html>

More information about the Oisf-users mailing list