How can I choose the best ring-size for my configuration?

What are the best practices and metrics to determine that value?

Could you give some information on your Suricata setup? What packet acquisition mode are you using? What is the expected traffic ingest rate? IDS or IPS?

These and other deployment details provide a more complete context for the intended usage and goals.


Hi. Thanks for your reply.

So my packet acquisition mode is af-packet in IDS mode.

I am sniffing traffic from 2 mirrored interfaces. The ingest rate of both of them is shown on the screenshots below.

These are two gigabit Broadcom network interfaces.

We have some general advice here: 9.3. Tuning Considerations — Suricata 6.0.2 documentation

The ring size should be “big enough” but no bigger than necessary to handle the traffic. Larger ring buffers can cause more latency but are sometimes necessary to handle traffic bursts.

You can experiment with different ring buffer sizes — if there are no packet drops, the ring buffer size may not need adjustment.
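One way to check for packet drops while trying different ring-size values, as an added example that is not part of the original thread or of Suricata itself. It assumes stats logging to eve.json is enabled with cumulative counters, and reads `capture.kernel_packets` and `capture.kernel_drops` from the stats records; the sample records are constructed and the function names are hypothetical.

```python
import json

# Constructed sample of eve.json records (cumulative stats counters), not real capture data.
SAMPLE_EVE = """\
{"timestamp":"2021-05-01T10:00:00.000000+0000","event_type":"stats","stats":{"uptime":60,"capture":{"kernel_packets":100000,"kernel_drops":0}}}
{"timestamp":"2021-05-01T10:00:05.000000+0000","event_type":"alert","alert":{"signature":"constructed"}}
{"timestamp":"2021-05-01T10:01:00.000000+0000","event_type":"stats","stats":{"uptime":120,"capture":{"kernel_packets":300000,"kernel_drops":4000}}}
{"timestamp":"2021-05-01T10:02:00.000000+0000","event_type":"stats","stats":{"uptime":180,"capture":{"kernel_packets":400000,"kernel_drops":4000}}}
{"timestamp":"2021-05-01T10:03:00.000000+0000","event_type":"stats","stats":{"uptime":8,"capture":{"kernel_packets":50000,"kernel_drops":500}}}
"""

def drop_intervals(lines):
    """Return (timestamp, packets, drops, drop_pct) for each interval between stats records."""
    prev, out = None, []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or partially written line at the end of a live log
        if not isinstance(ev, dict) or ev.get("event_type") != "stats":
            continue
        cap = ev.get("stats", {}).get("capture")
        if not cap:
            continue
        cur = (cap.get("kernel_packets", 0), cap.get("kernel_drops", 0))
        if prev is not None:
            # A lower packet counter means Suricata restarted and counting began again from zero.
            base = prev if cur[0] >= prev[0] else (0, 0)
            pkts, drops = cur[0] - base[0], cur[1] - base[1]
            pct = round(100.0 * drops / pkts, 2) if pkts else 0.0
            out.append((ev.get("timestamp"), pkts, drops, pct))
        prev = cur
    return out

def intervals_with_drops(rates):
    """Keep only the intervals in which the kernel dropped packets."""
    return [r for r in rates if r[2] > 0]

if __name__ == "__main__":
    for ts, pkts, drops, pct in drop_intervals(SAMPLE_EVE.splitlines()):
        print(f"{ts} packets={pkts} drops={drops} drop_pct={pct}")
```

Intervals that show drops only during traffic bursts are the case the reply above describes, where a larger ring buffer may be needed.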

