[Oisf-users] Need help with Suricata conf

Thu Jan 16 21:51:02 UTC 2020

We wrote guides a while back, that might help answering some of your
questions. Let me address what I can, right here.

https://github.com/pevma/SEPTun
https://github.com/pevma/SEPTun-Mark-II

We are testing Suricata in af-packet IDS mode and we ran into a couple of
> issues with configuring.
>
>>
>> We have various HW setups, and therefore Suricata runs in different
>> runmodes (either workers or autofp) depending on a specific platform.
>> Currently I'm trying to configure Suricata to get the best performance as
>> possible, but some settings are ambiguous and even the documentation didn't
>> help a lot.
>>
>
The best performance setup (for the IDS) comes from the workers runmode.

>
>> Here are some of the things which I do not understand about configuration:
>>
>> 1) ring-size: <number of packets> - Ring size will be computed with
>> respect to max_pending_packets and number of threads. You can set manually
>> the ring size in number of packets by setting the following value. So as I
>> understand this value defines a cache size of each thread when running in
>> workers mode, but when running in autofp there may be different numbers of
>> packet capture and packet processing threads. To which type of thread does
>> the ring-size refer in autofp mode? And when this value is not set - what
>> is the default value?
>>
>>
For workers mode - each threat will have its own ring, so also watch out
for the memory usage. For autofp, no idea.

> 2) tpacket_v3 has such properties as block-size and block-timeout which
>> look a bit complicated. What should I take into consideration when trying
>> to tune those values?
>>
>
Some good and proven in the battle numbers to start from are in above
SepTun guides. Feel free to start somewhere from there and modify as you
see fit.
As a general rule, I would first modify the ring-size before touching the
block-size.

More details and diagrams here
https://www.kernel.org/doc/Documentation/networking/packet_mmap.txt

>
>> 3) buffer-size: <number of bytes?> - what is this buffer?
>>
>
It shouldn't be there - it's not used by the AF_Packet processing pipeline.
Looks like something we could remove from this section of the config file.

>
>> 4) max-pending-packets: <number of packets> - is this a number of packets
>> which can be simultaneously processed by each of packet processing thread?
>>
>
That's what I believe the documentation says, but the code makes me think
it's the global per-Suricata instance limit of the maximum numbers of
packets that can be queued by all of your threads, i.e.

ring_size * threads

Just make it generous.

> Here is how I see it: say we set the ring-size to 100k packets, set m-p-p
>> to 1k and run 8 packet processing threads. This setup means that each of 8
>> threads can analyze 1k packets at once, while other packets have to wait in
>> its 100k packets buffer - is it correct? And again, if this setting is
>> commented out - what is the default value?
>>
>
default is 1024 (looking at the suricata.c)

I believe you should just make it larger than numbers of threads * packets
per thread (so ring size).

Victor / Eric could you either confirm or correct me?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20200116/4a2c31e7/attachment-0001.html>