-
Notifications
You must be signed in to change notification settings - Fork 1.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
c7c8de7
commit 99d5bf4
Showing
3 changed files
with
25 additions
and
84 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,72 +1,19 @@ | ||
High Performance Configuration | ||
============================== | ||
|
||
If you have enough RAM, consider the following options in | ||
suricata.yaml to off-load as much work from the CPU's as possible: | ||
If you have enough RAM, consider the following options in suricata.yaml to off-load as much work from the CPU's as possible: | ||
|
||
:: | ||
|
||
detect-engine: | ||
- profile: custom | ||
- custom-values: | ||
toclient-src-groups: 200 | ||
toclient-dst-groups: 200 | ||
toclient-sp-groups: 200 | ||
toclient-dp-groups: 300 | ||
toserver-src-groups: 200 | ||
toserver-dst-groups: 400 | ||
toserver-sp-groups: 200 | ||
toserver-dp-groups: 200 | ||
- sgh-mpm-context: auto | ||
- inspection-recursion-limit: 3000 | ||
detect: | ||
profile: custom | ||
custom-values: | ||
toclient-groups: 200 | ||
toserver-groups: 200 | ||
sgh-mpm-context: auto | ||
inspection-recursion-limit: 3000 | ||
|
||
Be advised, however, that this will require >= 32 GB of RAM for even | ||
modestly sized rule sets. Also be aware that having additional CPU's | ||
available provides a greater performance boost than having more RAM | ||
available. That is, it would be better to spend money on CPU's | ||
instead of RAM when configuring a system. | ||
Be advised, however, that this may require lots of RAM for even modestly sized rule sets. Also be aware that having additional CPU's available provides a greater performance boost than having more RAM available. That is, it would be better to spend money on CPU's instead of RAM when configuring a system. | ||
|
||
As a rough benchmark, in an HTTP-rich traffic stream, the full | ||
Emerging Threats rule set will require roughly one CPU per 50 Mb/sec | ||
of traffic when using "low" memory settings and using PF_RING to | ||
ensure there are no traffic drops. | ||
It may also lead to significantly longer rule loading times. | ||
|
||
Here are the build in values for LOW/MEDIUM/HIGH profiles: | ||
|
||
:: | ||
|
||
|
||
ENGINE_PROFILE_LOW: | ||
toclient-src-groups: 2 | ||
toclient-dst-groups: 2 | ||
toclient-sp-groups: 2 | ||
toclient-dp-groups: 3 | ||
toserver-src-groups: 2 | ||
toserver-dst-groups: 4 | ||
toserver-sp-groups: 2 | ||
toserver-dp-groups: 25 | ||
|
||
ENGINE_PROFILE_HIGH: | ||
toclient-src-groups: 15 | ||
toclient-dst-groups: 15 | ||
toclient-sp-groups: 15 | ||
toclient-dp-groups: 20 | ||
toserver-src-groups: 15 | ||
toserver-dst-groups: 15 | ||
toserver-sp-groups: 15 | ||
toserver-dp-groups: 40 | ||
|
||
If not provided: | ||
|
||
:: | ||
|
||
|
||
default and MEDIUM profiles: | ||
toclient-src-groups: 4 | ||
toclient-dst-groups: 4 | ||
toclient-sp-groups: 4 | ||
toclient-dp-groups: 6 | ||
toserver-src-groups: 4 | ||
toserver-dst-groups: 8 | ||
toserver-sp-groups: 4 | ||
toserver-dp-groups: 30 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters