This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

sosetup: Production Mode should automatically configure PF_RING instances based on number of CPU cores #735

Closed
dougburks opened this issue May 21, 2015 · 13 comments

Comments

@dougburks
Contributor

No description provided.

@weslambert
Collaborator

Should this be done for Best Practices? Also, for Advanced Setup (Custom), should this be an option (whether or not to configure based on the number of cores)? I would think that the Custom mode/option should allow for more configuration options rather than automatically configuring the number of PF_RING instances. I would think this would be reserved for cases where individuals being introduced to Security Onion may not necessarily be privy to why they would need to configure a greater number of PF_RING instances, but would benefit from the automatic optimization.

Thanks,
Wes

@dougburks
Contributor Author

Yes:

Choosing "Production Mode" and then "Best Practices" should result in automatically configuring PF_RING instances based on number of CPU cores.

Choosing "Production Mode" and then "Custom" should allow the user to set their own number of PF_RING instances. Although it might be nice to suggest a number to the user.

@dougburks dougburks changed the title sosetup: Advanced Setup should automatically configure PF_RING instances based on number of CPU cores sosetup: Production Mode should automatically configure PF_RING instances based on number of CPU cores Feb 28, 2016
@Lee232

Lee232 commented Apr 6, 2016

Hi Guys
Just installed the new version of Security Onion and set up with custom, but it didn’t ask me how many cores for Snort or Bro I would like to use. Is this what should happen?

@weslambert
Collaborator

If you choose "Best Practices", then Security Onion will configure this
based on the number of available CPU cores. Otherwise, "Custom" should
recommend the number of cores to be used.

Thanks,
Wes

@Lee232

Lee232 commented Apr 6, 2016

Yep, I know this.
The new version 14.04.4.1 didn’t ask me how many cores. My question was: should this be the case during the custom install? Is there something up?

@weslambert
Collaborator

If you are sure you experienced this, could you please post the exact
steps/configuration options that led you to this?

Thanks,
Wes

@Lee232

Lee232 commented Apr 6, 2016

Yes I am sure of this. I have just gone through it again. I simply went through the setup and enabled IDS and Bro and had nothing about how many cores I want to use.
The previous version asked me to choose.

@weslambert
Collaborator

Did setup successfully complete? Were you installing a sensor or a standalone? Did you install using the ISO or the PPA?

Also, please continue this discussion by posting your question here:
https://groups.google.com/forum/#!forum/security-onion

Thanks,
Wes

@weslambert
Collaborator

I forgot, if you have 4 cores or fewer, configuration will happen like this (to avoid overworking the box):

- 1 core reserved for netsniff-ng for each configured sniffing interface
- 1 core reserved for OS

Remaining cores will be split up for IDS/Bro:
- 1 core for IDS
- 1 core for Bro

For a machine with 8 cores, Custom configuration should configure the machine as follows:
- 1 core reserved for netsniff-ng for each configured sniffing interface
- 1 core reserved for OS

Remaining number of cores available for use with IDS/BRO:
If you have one sniffing interface, then it would be allowed to be configured as follows:
- 3 cores available for IDS - Will provide recommendation, and allow you to choose # of cores (up to 3).
- 3 cores available for Bro - Will provide recommendation, and allow you to choose # of cores (up to 3).

If you have 2 sniffing interfaces, for an 8 core box you would get the following:

- 1 core reserved for netsniff-ng for each configured sniffing interface (2)
- 1 core reserved for OS

Remaining number of cores split for use between IDS/BRO:

- 2 cores available for IDS - Will provide recommendation, and allow you to choose # of cores (up to 2).
- 2 cores available for Bro - Will provide recommendation, and allow you to choose # of cores (up to 2).

I hope this sheds some light on why the setup acts the way it does.

I'm assuming you're experiencing this behavior because your machine is using 4 or fewer CPU cores.

Thanks,
Wes
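
Added example (not part of the thread and not sosetup's own code): the core budget from the comment above as a POSIX shell function, so a planned sensor can be checked before running Setup. The names `pf_ring_plan` and `is_posint`, the output fields, the even floor split for core counts the comment does not list (5 to 7, or more than 8), and the `oversubscribed` check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; hypothetical helper, not taken from sosetup.

# True only for a positive decimal integer without a leading zero.
is_posint() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    return 0
}

# pf_ring_plan CORES SNIFF_IFACES
# Prints the reserved cores and the per-engine ceiling for IDS and Bro.
pf_ring_plan() {
    cores=$1
    ifaces=$2
    if ! is_posint "$cores" || ! is_posint "$ifaces"; then
        echo "usage: pf_ring_plan CORES SNIFF_IFACES" >&2
        return 2
    fi
    netsniff=$ifaces                      # 1 core per sniffing interface
    os=1                                  # 1 core for the OS
    remaining=$((cores - netsniff - os))
    per_engine=$((remaining / 2))         # split between IDS and Bro (floor)
    prompt=yes                            # Custom asks, up to per_engine
    if [ "$cores" -le 4 ]; then
        per_engine=1                      # 4 cores or fewer: fixed 1 + 1
        prompt=no                         # and no question is asked
    elif [ "$per_engine" -lt 1 ]; then
        per_engine=1                      # assumption: never below 1 each
    fi
    # Added check (assumption): flag plans that need more cores than exist.
    oversubscribed=no
    if [ $((netsniff + os + 2 * per_engine)) -gt "$cores" ]; then
        oversubscribed=yes
    fi
    echo "netsniff=$netsniff os=$os ids_max=$per_engine bro_max=$per_engine prompt=$prompt oversubscribed=$oversubscribed"
}

# Stand-alone use: sh plan.sh 8 2
if [ "$#" -eq 2 ]; then
    pf_ring_plan "$1" "$2"
fi
```
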

@Lee232

Lee232 commented Apr 7, 2016

Hi Wes
Yes it has 4 cores. Cool so that is what is going on.
So I went back to version 14.04.3.1 and I was able to select the cores.
Thanks for the info.
Rgds
Lee

@dougburks
Contributor Author

You can always modify this after Setup:
https://github.com/Security-Onion-Solutions/security-onion/wiki/PF_RING

If you have further questions or problems, please use our mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Thanks!
