path: root/doc/userguide/performance/tuning-considerations.rst
Tuning Considerations
=====================

Settings to check for optimal performance.

max-pending-packets: <number>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This setting controls the number of simultaneous packets that the engine
can handle. Setting it higher generally keeps the threads busier,
but setting it too high will lead to degradation.

Suggested setting: 10000 or higher. Max is ~65000. This setting is per thread.
The memory is set up at start and the usage is as follows:

::

    number_of.threads X max-pending-packets X (default-packet-size + ~750 bytes)

mpm-algo: <ac|hs|ac-bs|ac-ks>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Controls the pattern matcher algorithm. AC (``Aho–Corasick``) is the default.
On supported platforms, :doc:`hyperscan` is the best option. On commodity
hardware, if Hyperscan is not available, the suggested setting is
``mpm-algo: ac-ks`` (the ``Aho–Corasick`` Ken Steele variant) as it performs better than
``mpm-algo: ac``.

detect.profile: <low|medium|high|custom>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The detection engine tries to split the signatures into groups so that a
packet is only inspected against signatures that can actually match. With
a large rule set this would result in far too many groups and excessive
memory usage, so similar groups are merged together. The profile setting
controls how aggressively this merging is done. The default setting of
``high`` is usually good enough.

The "custom" setting allows modification of the group sizes:

::

    custom-values:
      toclient-groups: 100
      toserver-groups: 100

In general, increasing these values will improve performance, at the cost
of a minimal increase in memory usage.
The default value for ``toclient-groups`` and ``toserver-groups`` with
``detect.profile: high`` is 75.

detect.sgh-mpm-context: <auto|single|full>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The multi pattern matcher can have its context per signature group
(full) or globally (single). Auto selects between single and full
based on the **mpm-algo** selected; ac, ac-bs, ac-ks and hs all default to "single".
Setting this to "full" with ``mpm-algo: ac`` or ``mpm-algo: ac-ks`` offers
better performance. Setting this to "full" with ``mpm-algo: hs`` is not
recommended as it leads to much higher startup time. With Hyperscan, use
either ``detect.profile: high`` or larger custom group size settings instead,
as explained above; this offers better performance than ``ac`` and
``ac-ks`` even with ``detect.sgh-mpm-context: full``.

af-packet
~~~~~~~~~

If using ``af-packet`` (the default on Linux) it is recommended that af-packet v3
is used for IDS/NSM deployments. For IPS, af-packet v2 is recommended. To make
sure af-packet v3 is used, it can be explicitly enforced in the
``af-packet`` config section of suricata.yaml like so:

::

 af-packet:
  - interface: eth0
    ....
    ....
    ....
    use-mmap: yes
    tpacket-v3: yes

ring-size
~~~~~~~~~

Ring-size is another ``af-packet`` variable that can be considered for tuning
and performance benefits. It sets the buffer size, in packets, for each
thread. So if the setting is ``ring-size: 100000`` as below:

::

 af-packet:
  - interface: eth0
    threads: 5
    ring-size: 100000

it means there will be 100,000 packets allowed in each buffer of the 5 threads.
If any of the buffers fills up (for example because packet processing cannot
keep up), the packet ``drop`` counters in the stats logs will increase.

The memory used for those is set up and dedicated at start and is calculated 
as follows: 

::

 af-packet.threads X af-packet.ring-size X (default-packet-size + ~750 bytes)

where ``af-packet.threads``, ``af-packet.ring-size`` and ``default-packet-size``
are the values set in suricata.yaml. The af-packet config values, for example,
can be quickly displayed on the command line with
``suricata --dump-config | grep af-packet``.
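As an added example (not part of the Suricata documentation or source), the script below applies both memory formulas from this page, the ``max-pending-packets`` one and the ``af-packet`` ring-size one, to a constructed sample in the ``key = value`` shape that ``suricata --dump-config`` prints; the exact layout of that output, and the numbering of list entries as ``af-packet.0``, ``af-packet.1``, are assumptions.

```python
import re
from typing import Dict

# Constructed sample in the `key = value` shape of `suricata --dump-config`
# (assumed layout; values invented for this example, not from a real sensor).
SAMPLE_DUMP = """\
max-pending-packets = 10000
default-packet-size = 1514
af-packet = (null)
af-packet.0 = (null)
af-packet.0.interface = eth0
af-packet.0.threads = 5
af-packet.0.ring-size = 100000
af-packet.1 = (null)
af-packet.1.interface = eth1
af-packet.1.threads = 3
af-packet.1.ring-size = 50000
"""

PER_PACKET_OVERHEAD = 750  # the "~750 bytes" of per-packet bookkeeping in the guide


def parse_dump(text: str) -> Dict[str, str]:
    """Turn 'key = value' lines into a flat dict, dropping unset '(null)' entries."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.\-]+)\s*=\s*(.*?)\s*$", line)
        if m and m.group(2) != "(null)":
            cfg[m.group(1)] = m.group(2)
    return cfg


def estimate_memory(cfg: Dict[str, str]) -> Dict[str, int]:
    """Bytes reserved at start per the two formulas; threads must be numeric, not 'auto'."""
    per_packet = int(cfg["default-packet-size"]) + PER_PACKET_OVERHEAD
    pending = int(cfg["max-pending-packets"])
    result: Dict[str, int] = {}
    total_threads = 0
    idx = 0
    while f"af-packet.{idx}.interface" in cfg:  # walk the numbered interface list
        p = f"af-packet.{idx}."
        threads = int(cfg[p + "threads"])
        total_threads += threads
        # af-packet.threads X af-packet.ring-size X (default-packet-size + ~750 bytes)
        result["ring:" + cfg[p + "interface"]] = threads * int(cfg[p + "ring-size"]) * per_packet
        idx += 1
    # number_of_threads X max-pending-packets X (default-packet-size + ~750 bytes)
    result["pending-packets"] = total_threads * pending * per_packet
    result["total"] = sum(result.values())
    return result


if __name__ == "__main__":
    for key, nbytes in estimate_memory(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key:18s} {nbytes / 2**20:10.1f} MiB")
```

Feeding it real ``suricata --dump-config`` output shows how much memory the two ring settings pin at start-up before packet processing begins, which is the figure to compare against the host's available RAM when raising ``ring-size`` or ``max-pending-packets``.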

stream.bypass
~~~~~~~~~~~~~

Another option that can be used to improve performance is ``stream.bypass``. 
In the example below:

::

 stream:
  memcap: 64mb
  checksum-validation: yes      # reject wrong csums
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  bypass: yes
  reassembly:
    memcap: 256mb
    depth: 1mb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
  
Inspection of a flow will be skipped once the ``stream.reassembly.depth`` of 1mb is reached for that flow.