This documentation is no longer maintained and exists for historical purposes. The current documentation is located at http://suricata.readthedocs.io/.


High Performance Configuration

If you have enough RAM, consider the following options in suricata.yaml to off-load as much work from the CPUs as possible:

detect-engine:
  # custom-values are only read when profile is set to custom
  - profile: custom
  - custom-values:
      toclient-src-groups: 200
      toclient-dst-groups: 200
      toclient-sp-groups: 200
      toclient-dp-groups: 300
      toserver-src-groups: 200
      toserver-dst-groups: 400
      toserver-sp-groups: 200
      toserver-dp-groups: 200
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000

Be advised, however, that this will require >= 32 GB of RAM for even modestly sized rule sets. Also be aware that additional CPUs provide a greater performance boost than additional RAM. That is, when configuring a system, it is better to spend money on CPUs than on RAM.

As a rough benchmark, in an HTTP-rich traffic stream, the full Emerging Threats rule set will require roughly one CPU per 50 Mb/sec of traffic when using "low" memory settings and using PF_RING to ensure there are no traffic drops.

Here are the built-in values for the LOW/MEDIUM/HIGH profiles:

ENGINE_PROFILE_LOW:
      toclient-src-groups: 2
      toclient-dst-groups: 2
      toclient-sp-groups: 2
      toclient-dp-groups: 3
      toserver-src-groups: 2
      toserver-dst-groups: 4
      toserver-sp-groups: 2
      toserver-dp-groups: 25

ENGINE_PROFILE_HIGH:
      toclient-src-groups: 15
      toclient-dst-groups: 15
      toclient-sp-groups: 15
      toclient-dp-groups: 20
      toserver-src-groups: 15
      toserver-dst-groups: 15
      toserver-sp-groups: 15
      toserver-dp-groups: 40


If not provided (default and MEDIUM profiles):
      toclient-src-groups: 4
      toclient-dst-groups: 4
      toclient-sp-groups: 4
      toclient-dp-groups: 6
      toserver-src-groups: 4
      toserver-dst-groups: 8
      toserver-sp-groups: 4
      toserver-dp-groups: 30
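
A small linter for the detect-engine section, added here as an example and not part of the original wiki page or of Suricata itself: it reads the layout shown above, returns the group values that take effect according to the built-in tables on this page, and warns when custom-values sit under a profile that does not use them. It assumes that Suricata reads custom-values only when profile is custom; the function names and the sample input are constructed for illustration.

```python
import re

# The eight group settings, in the order this page lists them.
KEYS = ["to%s-%s-groups" % (d, g)
        for d in ("client", "server") for g in ("src", "dst", "sp", "dp")]
# Built-in values copied from the tables on this page.
BUILTIN = {
    "low":    dict(zip(KEYS, [2, 2, 2, 3, 2, 4, 2, 25])),
    "medium": dict(zip(KEYS, [4, 4, 4, 6, 4, 8, 4, 30])),
    "high":   dict(zip(KEYS, [15, 15, 15, 20, 15, 15, 15, 40])),
}

def parse_detect_engine(text):
    """Minimal reader for the 'detect-engine:' list layout shown on this page."""
    profile, custom = "medium", {}  # default and MEDIUM share the same values
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()  # drop YAML comments
        m = re.match(r"\s*-\s*profile:\s*(\S+)", line)
        if m:
            profile = m.group(1).lower()
            continue
        m = re.match(r"\s+(to(?:client|server)-(?:src|dst|sp|dp)-groups):\s*(\d+)\s*$", line)
        if m:
            custom[m.group(1)] = int(m.group(2))
    return profile, custom

def lint(text):
    """Return (group values that take effect, list of warnings)."""
    profile, custom = parse_detect_engine(text)
    warnings = []
    if profile == "custom":
        missing = [k for k in KEYS if k not in custom]
        if missing:
            warnings.append("custom profile is missing: " + ", ".join(missing))
        return custom, warnings
    if profile not in BUILTIN:
        raise ValueError("unknown profile: %r" % profile)
    if custom:  # assumption: custom-values are only read for profile: custom
        warnings.append("custom-values present but profile is %r; they are not applied" % profile)
    return BUILTIN[profile], warnings

# Constructed sample: custom-values placed under a non-custom profile.
SAMPLE = """\
detect-engine:
  - profile: high
  - custom-values:
      toclient-src-groups: 200
      toserver-dst-groups: 400
"""
if __name__ == "__main__":
    print(lint(SAMPLE))
```
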
