[Oisf-users] Need help with Suricata conf

Eric Urban eurban at umn.edu
Thu Jan 16 15:57:55 UTC 2020


Have you read Peter's "Suricata Extreme Performance Tuning" guide at
https://github.com/pevma/SEPTun/blob/master/SEPTun.pdf?

I believe this will address a few of your questions.

-- 
Eric Urban
Security Analyst | University Information Security (UIS)
University of Minnesota | umn.edu
Information Security is a shared responsibility. Learn more at:
https://z.umn.edu/uis


On Thu, Jan 16, 2020 at 5:36 AM Daniel Perner <daniel.perner.et at gmail.com>
wrote:

> Hello!
>
> We are testing Suricata in af-packet IDS mode and we ran into a couple of
> issues with configuring.
>
> We have various HW setups, and therefore Suricata runs in different
> runmodes (either workers or autofp) depending on a specific platform.
> Currently I'm trying to configure Suricata to get the best performance
> possible, but some settings are ambiguous and even the documentation didn't
> help a lot.
>
> Here are some of the things which I do not understand about configuration:
>
> 1) ring-size: <number of packets> - Ring size will be computed with
> respect to max_pending_packets and number of threads. You can set manually
> the ring size in number of packets by setting the following value. So as I
> understand this value defines a cache size of each thread when running in
> workers mode, but when running in autofp there may be different numbers of
> packet capture and packet processing threads. To which type of thread does
> the ring-size refer in autofp mode? And when this value is not set - what
> is the default value?
>
> 2) tpacket_v3 has such properties as block-size and block-timeout which
> look a bit complicated. What should I take into consideration when trying
> to tune those values?
>
> 3) buffer-size: <number of bytes?> - what is this buffer?
>
> 4) max-pending-packets: <number of packets> - is this the number of packets
> which can be simultaneously processed by each packet processing thread?
> Here is how I see it: say we set the ring-size to 100k packets, set m-p-p
> to 1k and run 8 packet processing threads. This setup means that each of 8
> threads can analyze 1k packets at once, while other packets have to wait in
> its 100k packets buffer - is it correct? And again, if this setting is
> commented out - what is the default value?
>
> --
> Regards,
> Daniel Perner
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
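For readers following the thread, here is an added af-packet capture section for suricata.yaml showing where the four settings Daniel asks about live and what each one sizes. It is an example written for this page, not a fragment from the original thread or from the Suricata project's shipped configuration; the interface name, cluster-id and the tuned ring size are assumptions, and the other numbers are the values the stock suricata.yaml example uses for illustration.

```yaml
# Added example (not from the thread or the Suricata project): where the
# settings asked about live in suricata.yaml. Interface name, cluster-id and
# ring-size are assumed values chosen for illustration.
max-pending-packets: 1024     # top-level engine setting, not an af-packet key;
                              # sizes the preallocated packet pool (stock example value)

af-packet:
  - interface: eth0           # assumed capture interface
    threads: auto
    cluster-id: 99            # assumed fanout group id
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes           # block-size and block-timeout only apply with tpacket_v3
    ring-size: 100000         # frames in the mmap ring of EACH capture socket; Suricata
                              # opens one AF_PACKET socket per capture thread, so in
                              # autofp this is per receive thread, in workers per worker
    block-size: 32768         # bytes per tpacket_v3 block (stock example value)
    block-timeout: 10         # ms the kernel waits before retiring a partly filled block
    buffer-size: 32768        # kernel socket receive buffer (SO_RCVBUF) in bytes
```

Two checks worth doing after changing these: run `suricata -T -c suricata.yaml` to validate the file, and compare the capture.kernel_drops counter in stats.log before and after a change, since a ring that is too small for the traffic rate shows up there rather than in the engine's own counters.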