This repository was archived by the owner on Apr 16, 2021. It is now read-only.
This repository was archived by the owner on Apr 16, 2021. It is now read-only.
Set Suricata runmode to autofp #242
Description
VictorJ
securityonion, while doing changes, please change your default "runmode" to
autofp
9:38
VictorJ
it scales better
9:38
securityonion
Is that configurable on the command-line, or only in the config file?
9:38
VictorJ
both
--runmode=autofp
9:39
securityonion
sudo suricata --user sguil --group sguil -c /etc/nsm/qa-eth0/suricata.yaml -i
eth0 --runmode=autofp -F /etc/nsm/qa-eth0/bpf.conf -l /nsm/sensor_data/qa-eth0
Like that? Any other changes?
I did read about the autofp performance enhancements. But are they in 1.2.1
RELEASE?
9:43
VictorJ
no, but I think it should still be better
okay, very quickly tested seco in my vm
afpacket+autofp performed best
pcap+autofp worst
pcap+auto was better than pcap+autofp, but worse than afpacket+autofp
htop
whoops
vm has 2 cores
obviously, ymmv
9:46
securityonion
OK, so now you're telling me that I should stick with afpacket and enable
autofp (and wait for afpacket to support bpf)?
ymmv, I understand
9:48
VictorJ
9:48
thats what my totally not significant VM based little test appeared to show
Regit
VictorJ: cool I did not work for nothing
does a little victory dance
9:53
VictorJ
better than a victor dance
I can assure you
9:53
securityonion
LOL
OK, so I'm gonna go with this:
suricata --user sguil --group sguil -c /etc/nsm/qa-eth0/suricata.yaml
--af-packet=eth0 --runmode=autofp -F /etc/nsm/qa-eth0/bpf.conf -l
/nsm/sensor_data/qa-eth0
9:56
with a note that bpf won't work right now
Original issue reported on code.google.com by doug.bu...@gmail.com on 28 Mar 2012 at 2:05