[Oisf-users] Need help with Suricata conf

Michał Purzyński michalpurzynski1 at gmail.com
Thu Jan 16 21:51:02 UTC 2020

We wrote guides a while back, that might help answering some of your
questions. Let me address what I can, right here.


We are testing Suricata in af-packet IDS mode and we ran into a couple of
> issues with configuring.
>> We have various HW setups, and therefore Suricata runs in different
>> runmodes (either workers or autofp) depending on a specific platform.
>> Currently I'm trying to configure Suricata to get the best performance as
>> possible, but some settings are ambiguous and even the documentation didn't
>> help a lot.
The best performance setup (for the IDS) comes from the workers runmode.

>> Here are some of the things which I do not understand about configuration:
>> 1) ring-size: <number of packets> - Ring size will be computed with
>> respect to max_pending_packets and number of threads. You can set manually
>> the ring size in number of packets by setting the following value. So as I
>> understand this value defines a cache size of each thread when running in
>> workers mode, but when running in autofp there may be different numbers of
>> packet capture and packet processing threads. To which type of thread does
>> the ring-size refer in autofp mode? And when this value is not set - what
>> is the default value?
For workers mode - each threat will have its own ring, so also watch out
for the memory usage. For autofp, no idea.

> 2) tpacket_v3 has such properties as block-size and block-timeout which
>> look a bit complicated. What should I take into consideration when trying
>> to tune those values?
Some good and proven in the battle numbers to start from are in above
SepTun guides. Feel free to start somewhere from there and modify as you
see fit.
As a general rule, I would first modify the ring-size before touching the

More details and diagrams here

>> 3) buffer-size: <number of bytes?> - what is this buffer?
It shouldn't be there - it's not used by the AF_Packet processing pipeline.
Looks like something we could remove from this section of the config file.

>> 4) max-pending-packets: <number of packets> - is this a number of packets
>> which can be simultaneously processed by each of packet processing thread?
That's what I believe the documentation says, but the code makes me think
it's the global per-Suricata instance limit of the maximum numbers of
packets that can be queued by all of your threads, i.e.

ring_size * threads

Just make it generous.

> Here is how I see it: say we set the ring-size to 100k packets, set m-p-p
>> to 1k and run 8 packet processing threads. This setup means that each of 8
>> threads can analyze 1k packets at once, while other packets have to wait in
>> its 100k packets buffer - is it correct? And again, if this setting is
>> commented out - what is the default value?
default is 1024 (looking at the suricata.c)

I believe you should just make it larger than numbers of threads * packets
per thread (so ring size).

Victor / Eric could you either confirm or correct me?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20200116/4a2c31e7/attachment-0001.html>

More information about the Oisf-users mailing list