Ring-size suricata.yaml

Nuno_Santos · April 25, 2021, 8:02pm

Hi!

How can i choose the best ring-size for my configuration?

What are the best practices and metrics to determine that value?

Jeff_Lucovsky · April 26, 2021, 12:50pm

Could you give some information on your Suricata setup? What packet acquisition mode are you using? What is the expected traffic ingest rate? IDS or IPS?

These, and other deployment details provide a more complete context for the intended usage and goals.

Thanks

Nuno_Santos · April 26, 2021, 1:02pm

Hi. Thanks for your reply.

So my packet acquisition mode is af-packet in IDS mode.

I am sniffing traffic from 2 mirrored interfaces. The ingest rate of both of them is shown on the screenshots below.

These are two gigabit Broadcom network interfaces.

Screenshot 2021-04-26 at 13.58.42

Jeff_Lucovsky · April 26, 2021, 1:36pm

We have some general advice here: 9.3. Tuning Considerations — Suricata 6.0.2 documentation

The ring size should be “big enough” but no bigger than necessary to handle the traffic. Larger ring buffers can cause more latency but are sometimes necessary to handle traffic bursts.

You can experiment with different ring buffer sizes — if there are no packet drops, the ring buffer size may not need adjustment.

Topic		Replies	Views
Suricata PF_RING in IPS mode Help	3	790	August 7, 2020
Can Suricata-IDS consume the original packet instead of working on the packet copy Help	10	1713	October 21, 2020
Suricata in AF_PACKET mode creates an inifinite loop Help ips , suricata	5	513	November 2, 2023
A question about choosing a network card Help	6	214	October 3, 2023
Suricata Configuration for IPS and IDS Mode Help ips	10	6177	April 29, 2020

Ring-size suricata.yaml

Related Topics