
List:       security-onion
Subject:    [security-onion] Re: Suricata pf_ring dropping packets
From:       wedgeshot <wedgeshot () gmail ! com>
Date:       2017-04-28 2:17:57
Message-ID: 474b40a6-5208-454b-ad84-7bf234f9f21d () googlegroups ! com


I'd bump those workers up to at least 8 per interface. I have 16 on a single
interface which is not taking in as much data as yours and there is a smidge of loss
but I'm also running with a majority of the rules enabled.

With that said... do you still have all the rules enabled out-of-the-box? You can
reduce the number of rules that need to be processed which should also help reduce
packet loss.





On Tuesday, April 25, 2017 at 11:34:17 PM UTC-4, mtn...@gmail.com wrote:
> I have a sensor that has 2 10gb fiber sfp+ sniffer interfaces that are receiving
> about 2gb throughput each.  The sensor CPU has 8 cores with 16 threads and 128gb of
> RAM.
> In the sostat I'm seeing huge amounts of packet loss in Suricata.
> 
> Here is an example:
> Appl. Name         : Suricata
> Tot Packets        : 1983450
> Tot Pkt Lost       : 806189
> 
> 
> Appl. Name         : Suricata
> Tot Packets        : 2310778
> Tot Pkt Lost       : 1038246
> 
> I've set the pf_ring slots to 65534, I've given Suricata 4 processes for each
> interface, and tried increasing max-pending-packets: 5000 in the suricata.yaml.
> Nothing seems to be helping reduce the number of dropped packets.
> I do see alerts generated by Suricata, so it's processing at least some of the
> packets it's seeing.  But Suricata's packet loss looks to be significant.  What
> else can I do to reduce the packet loss?
> I've attached a redacted sostat as well.
> 
> Thanks!



