doc: improve tuning/perf docs

pull/2304/head
Victor Julien 9 years ago
parent c7c8de7d59
commit 99d5bf4e68

@ -1,72 +1,19 @@
High Performance Configuration High Performance Configuration
============================== ==============================
If you have enough RAM, consider the following options in If you have enough RAM, consider the following options in suricata.yaml to off-load as much work from the CPU's as possible:
suricata.yaml to off-load as much work from the CPU's as possible:
:: ::
detect-engine: detect:
- profile: custom profile: custom
- custom-values: custom-values:
toclient-src-groups: 200 toclient-groups: 200
toclient-dst-groups: 200 toserver-groups: 200
toclient-sp-groups: 200 sgh-mpm-context: auto
toclient-dp-groups: 300 inspection-recursion-limit: 3000
toserver-src-groups: 200
toserver-dst-groups: 400
toserver-sp-groups: 200
toserver-dp-groups: 200
- sgh-mpm-context: auto
- inspection-recursion-limit: 3000
Be advised, however, that this will require >= 32 GB of RAM for even Be advised, however, that this may require lots of RAM for even modestly sized rule sets. Also be aware that having additional CPU's available provides a greater performance boost than having more RAM available. That is, it would be better to spend money on CPU's instead of RAM when configuring a system.
modestly sized rule sets. Also be aware that having additional CPU's
available provides a greater performance boost than having more RAM
available. That is, it would be better to spend money on CPU's
instead of RAM when configuring a system.
As a rough benchmark, in an HTTP-rich traffic stream, the full It may also lead to significantly longer rule loading times.
Emerging Threats rule set will require roughly one CPU per 50 Mb/sec
of traffic when using "low" memory settings and using PF_RING to
ensure there are no traffic drops.
Here are the build in values for LOW/MEDIUM/HIGH profiles:
::
ENGINE_PROFILE_LOW:
toclient-src-groups: 2
toclient-dst-groups: 2
toclient-sp-groups: 2
toclient-dp-groups: 3
toserver-src-groups: 2
toserver-dst-groups: 4
toserver-sp-groups: 2
toserver-dp-groups: 25
ENGINE_PROFILE_HIGH:
toclient-src-groups: 15
toclient-dst-groups: 15
toclient-sp-groups: 15
toclient-dp-groups: 20
toserver-src-groups: 15
toserver-dst-groups: 15
toserver-sp-groups: 15
toserver-dp-groups: 40
If not provided:
::
default and MEDIUM profiles:
toclient-src-groups: 4
toclient-dst-groups: 4
toclient-sp-groups: 4
toclient-dp-groups: 6
toserver-src-groups: 4
toserver-dst-groups: 8
toserver-sp-groups: 4
toserver-dp-groups: 30
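
Review bot: the custom example's `toclient-groups: 200` and `toserver-groups: 200` lose their baseline, because the LOW/MEDIUM/HIGH built-in values listing at the end of this hunk is deleted with no equivalent expressed in the new keys. Consider keeping a short listing of the built-in profile values for `toclient-groups` and `toserver-groups` so readers can judge how aggressive 200 is. The new wording "may require lots of RAM" also drops the only sizing figure (">= 32 GB"); if that number no longer holds, an order of magnitude would still help capacity planning.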

@ -3,13 +3,13 @@ Performance
.. toctree:: .. toctree::
high-performance-config runmodes
packet-capture
tuning-considerations tuning-considerations
hyperscan
high-performance-config
statistics statistics
ignoring-traffic
packet-profiling packet-profiling
rule-profiling rule-profiling
runmodes
tcmalloc tcmalloc
ignoring-traffic
hyperscan
packet-capture
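
Review bot: the commit message gives no rationale for the new toctree order, in which `high-performance-config` moves from first to after `hyperscan`, and `runmodes` and `packet-capture` move to the top. A sentence in the commit body stating the intended reading order would make the reorder reviewable, since nothing in the hunk explains it.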

@ -12,13 +12,12 @@ but setting it too high will lead to degradation.
Suggested setting: 1000 or higher. Max is ~65000. Suggested setting: 1000 or higher. Max is ~65000.
mpm-algo: <ac|ac-gfbs|ac-bs|b2g|b3g|wumanber> mpm-algo: <ac|hs|ac-bs|ac-ks>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Controls the pattern matcher algorithm. AC is the default and best Controls the pattern matcher algorithm. AC is the default. On supported platforms, :doc:`performance/hyperscan` is the best option.
choice for most if not all cases.
detect-engine.profile: <low|medium|high|custom> detect.profile: <low|medium|high|custom>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The detection engine tries to split out separate signatures into The detection engine tries to split out separate signatures into
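
Review bot: the `:doc:` target `performance/hyperscan` in the new mpm-algo description is a relative path, which Sphinx resolves against the directory of the current document. If this file sits beside `hyperscan` in the Performance toctree, as the toctree hunk suggests, the link would resolve to performance/performance/hyperscan; use `hyperscan` or the absolute form `/performance/hyperscan`. The heading also introduces `hs` and `ac-ks` without describing them; one line for each would help.
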
@ -32,24 +31,19 @@ The "custom" setting allows modification of the group sizes:
:: ::
- custom-values: custom-values:
toclient-src-groups: 2 toclient-groups: 50
toclient-dst-groups: 2 toserver-groups: 50
toclient-sp-groups: 2
toclient-dp-groups: 3
toserver-src-groups: 2
toserver-dst-groups: 4
toserver-sp-groups: 2
toserver-dp-groups: 25
In general, increasing will improve performance, but will lead to In general, increasing will improve performance, but will lead to
higher memory usage. higher memory usage.
detect-engine.sgh-mpm-context: <auto|single|full> detect.sgh-mpm-context: <auto|single|full>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The multi pattern matcher can have it's context per signature group The multi pattern matcher can have it's context per signature group
(full) or globally (single). Auto selects between single and full (full) or globally (single). Auto selects between single and full
based on the **mpm-algo** selected. ac, ac-gfbs and ac-bs use based on the **mpm-algo** selected. ac and ac-bs use "single".
"single". All others "full". Setting this to "full" with AC requires a All others "full". Setting this to "full" with AC requires a
lot of memory: 32GB+ for a reasonable rule set. lot of memory: 32GB+ for a reasonable rule set.
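
Review bot: in the sgh-mpm-context paragraph, "All others "full"" now covers only `hs` and `ac-ks` given the updated mpm-algo list, so naming them would be clearer than "all others". The "32GB+ for a reasonable rule set" figure is kept here while the high performance page in this same commit replaces ">= 32 GB" with "lots of RAM", leaving the two pages inconsistent on whether a number is given. The context line's "it's context" should read "its context".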
