List: security-onion
Subject: [security-onion] Re: Suricata pf_ring dropping packets
From: wedgeshot <wedgeshot () gmail ! com>
Date: 2017-04-28 2:17:57
Message-ID: 474b40a6-5208-454b-ad84-7bf234f9f21d () googlegroups ! com
I'd bump those workers up to at least 8 per interface. I have 16 on a single interface which is not taking in as much data as yours and there is a smidge of loss but I'm also running with a majority of the rules enabled.
With that said... do you still have all the rules enabled out-of-the-box? You can reduce the number of rules that need to be processed which should also help reduce packet loss.
On Tuesday, April 25, 2017 at 11:34:17 PM UTC-4, mtn...@gmail.com wrote:
> I have a sensor that has 2 10gb fiber sfp+ sniffer interfaces that are receiving about 2gb throughput each. The sensor CPU has 8 cores with 16 threads and 128gb of RAM.
> In the sostat I'm seeing huge amounts of packet loss in Suricata.
>
> Here is an example:
> Appl. Name : Suricata
> Tot Packets : 1983450
> Tot Pkt Lost : 806189
>
>
> Appl. Name : Suricata
> Tot Packets : 2310778
> Tot Pkt Lost : 1038246
>
> I've set the pf_ring slots to 65534, I've given Suricata 4 processes for each interface, and tried increasing max-pending-packets: 5000 in the suricata.yaml. Nothing seems to be helping reduce the number of dropped packets.
> I do see alerts generated by Suricata, so it's processing at least some of the packets it's seeing. But Suricata's packet loss looks to be significant. What else can I do to reduce the packet loss?
> I've attached a redacted sostat as well.
>
> Thanks!