[Oisf-users] Need help with Suricata conf

[Daniel Perner]

Hello!

We are testing Suricata in af-packet IDS mode and we ran into a couple of
issues with configuring.

We have various HW setups, and therefore Suricata runs in different
runmodes (either workers or autofp) depending on a specific platform.
Currently I'm trying to configure Suricata to get the best performance as
possible, but some settings are ambiguous and even the documentation didn't
help a lot.

Here are some of the things which I do not understand about configuration:

1) ring-size: <number of packets> - Ring size will be computed with respect
to max_pending_packets and number of threads. You can set manually the ring
size in number of packets by setting the following value. So as I
understand this value defines a cache size of each thread when running in
workers mode, but when running in autofp there may be different numbers of
packet capture and packet processing threads. To which type of thread does
the ring-size refer in autofp mode? And when this value is not set - what
is the default value?

2) tpacket_v3 has such properties as block-size and block-timeout which
look a bit complicated. What should I take into consideration when trying
to tune those values?

3) buffer-size: <number of bytes?> - what is this buffer?

4) max-pending-packets: <number of packets> - is this a number of packets
which can be simultaneously processed by each of packet processing thread?
Here is how I see it: say we set the ring-size to 100k packets, set m-p-p
to 1k and run 8 packet processing threads. This setup means that each of 8
threads can analyze 1k packets at once, while other packets have to wait in
its 100k packets buffer - is it correct? And again, if this setting is
commented out - what is the default value?

--
Regards,
Daniel Perner
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20200116/221676c1/attachment.html>