Suricata – Flows, Flow Managers and effect on performance

As of Suricata 2.1beta1  – Suricata IDS/IPS provides the availability of high performance/advanced tuning for custom thread configuration for the IDS/IPS engine management threads.

Aka ..these

[27521] 20/7/2014 — 01:46:19 – (tm-threads.c:2206) <Notice>  (TmThreadWaitOnThreadInit) — all 16 packet processing threads, 3 management threads initialized, engine started.

These 3 management threads initialized above are flow manager (1), counter/stats related threads (2x)

So … in the default suricata.yaml setting we have:

flow:
  memcap: 64mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
  #managers: 1 # default to one flow manager
  #recyclers: 1 # default to one flow recycler thread

and we can choose accordingly of how many threads we would like to dedicate for the management tasks within the engine itself.
The recyclers threads offload part of the flow managers work and if enabled do flow/netflow logging.

Good !
What does this has to do with performance?

Suricata IDS/IPS is powerful, flexible and scalable – so be careful what you wish for.
The examples below demonstrate the effect on a 10Gbps Suricata IDS sensor.

Example 1

suricata.yaml config – >

flow:

  memcap: 1gb

  hash-size: 1048576

  prealloc: 1048576

  emergency-recovery: 30

  prune-flows: 50000

  managers: 2 # default is 1

CPU usage ->

So a 4 fold increase in memcap, 8 fold increase in prealloc and 15 fold increase on hash-size settings leads to about 3 fold increase in RAM consumption and 5 fold on CPU consumption  – in terms of flow management thread usage.

It would be very rare that you would need the settings in Example 2 – you need huge traffic for that…

So how would you know when to tune/adjust those settings in suricata.yaml? It is recommended that you always keep an eye on your stats.log and make sure you do not enter emergency clean up mode:

it should always be 0

Some additional reading on flows and flow managers –
http://blog.inliniac.net/2014/07/28/suricata-flow-logging/

Print Share Comment Cite Upload Translate

APA

() » Suricata – Flows, Flow Managers and effect on performance. Retrieved from https://www.truth.cx/2014/08/24/suricata-flows-flow-managers-and-effect-on-performance/.

MLA

" » Suricata – Flows, Flow Managers and effect on performance." - , https://www.truth.cx/2014/08/24/suricata-flows-flow-managers-and-effect-on-performance/

HARVARD

» Suricata – Flows, Flow Managers and effect on performance., viewed ,

VANCOUVER

- » Suricata – Flows, Flow Managers and effect on performance. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2014/08/24/suricata-flows-flow-managers-and-effect-on-performance/

CHICAGO

" » Suricata – Flows, Flow Managers and effect on performance." - Accessed . https://www.truth.cx/2014/08/24/suricata-flows-flow-managers-and-effect-on-performance/

IEEE

" » Suricata – Flows, Flow Managers and effect on performance." [Online]. Available: https://www.truth.cx/2014/08/24/suricata-flows-flow-managers-and-effect-on-performance/. [Accessed: ]

Select a language: Afrikaans Albanian Arabic Armenian Basque Bengali Bulgarian Catalan Cambodian Chinese (Mandarin) Croatian Czech Danish Dutch English Estonian Fiji Finnish French Georgian German Greek Gujarati Hebrew Hindi Hungarian Icelandic Indonesian Irish Italian Japanese Javanese Korean Latin Latvian Lithuanian Macedonian Malay Malayalam Maltese Maori Marathi Mongolian Nepali Norwegian Persian Polish Portuguese Punjabi Quechua Romanian Russian Samoan Serbian Slovak Slovenian Spanish Swahili Swedish Tamil Tatar Telugu Thai Tibetan Tonga Turkish Ukrainian Urdu Uzbek Vietnamese Welsh Xhosa <br /><br />As of Suricata 2.1beta1  - Suricata IDS/IPS provides the availability of high performance/advanced tuning for custom thread configuration for the IDS/IPS engine management threads.<br /><br />Aka ..these<br /><blockquote class="tr_bq">[27521] 20/7/2014 -- 01:46:19 - (tm-threads.c:2206) <Notice>  (TmThreadWaitOnThreadInit) -- all 16 packet processing threads, <u><b>3 management threads initialized</b></u>, engine started.</blockquote><br /><br />These <u><b>3 management threads initialized</b></u> above are flow manager (1), counter/stats related threads (2x)<br /><br />So ... in the default suricata.yaml setting we have:<br /><blockquote class="tr_bq"><br />flow:<br />  memcap: 64mb<br />  hash-size: 65536<br />  prealloc: 10000<br />  emergency-recovery: 30<br />  #managers: 1 # default to one flow manager<br />  #recyclers: 1 # default to one flow recycler thread<br /><br /></blockquote>and we can choose accordingly of how many threads we would like to dedicate for the management tasks within the engine itself.<br />The recyclers threads offload part of the flow managers work and if enabled do flow/netflow logging. <br /><br />Good !<br />What does this has to do with performance?<br /><br />Suricata IDS/IPS is powerful, flexible and scalable - so be careful what you wish for.<br />The examples below demonstrate the effect on a 10Gbps Suricata IDS sensor.<br /><br /><h2>Example 1</h2><br />suricata.yaml config - ><br /><blockquote class="tr_bq"><div class="de2"><span class="co1">flow:</span></div><div class="de1"><span class="co1">  memcap: 1gb</span></div><div class="de2"><span class="co1">  hash-size: 1048576</span></div><div class="de1"><span class="co1">  prealloc: 1048576</span></div><div class="de2"><span class="co1">  emergency-recovery: 30</span></div><div class="de1"><span class="co1">  prune-flows: 50000</span></div><div class="de2"><span class="co1">  managers: 2 # default is 1</span></div></blockquote><br /><span class="co1">CPU usage -></span><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-AScr6P3LdYc/U_C-HliivYI/AAAAAAAAAh8/6O_yZLGsLGA/s1600/FlowMngr1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-AScr6P3LdYc/U_C-HliivYI/AAAAAAAAAh8/6O_yZLGsLGA/s1600/FlowMngr1.PNG" height="263" width="400" /></a></div><br /><div class="de2"><span class="co1"> 2 flow management threads use 8% CPU each</span><br /><br /><h2><span class="co1"> Example 2</span></h2></div><div class="de2"><br /></div><div class="de2"><br />suricata.yaml config - ><br /><blockquote class="tr_bq"><div class="de1"><span class="co4">flow</span>:</div><div class="de2"><span class="co3">  memcap</span><span class="sy2">: </span>4gb</div><div class="de1"><span class="co3">  hash-size</span><span class="sy2">: </span><span class="nu0">15728640</span></div><div class="de2"><span class="co3">  prealloc</span><span class="sy2">: </span><span class="nu0">8000000</span></div><div class="de1"><span class="co3">  emergency-recovery</span><span class="sy2">: </span><span class="nu0">30</span></div></blockquote><blockquote><span class="co3">  managers</span><span class="sy2">: </span><span class="nu0">2</span> <span class="co1"># default is 1</span></blockquote><br /><span class="co1"> CPU usage -></span></div><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-kTktXxYk-aQ/U_C-Hsk_CcI/AAAAAAAAAh4/U4Q26pxRgmc/s1600/FlowMngr2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-kTktXxYk-aQ/U_C-Hsk_CcI/AAAAAAAAAh4/U4Q26pxRgmc/s1600/FlowMngr2.PNG" height="205" width="320" /></a></div><div class="de2"><br /></div><div class="de2"><span class="co1">2 flow management threads use 39% CPU each as compared to Example 1 !!</span></div><div class="de2"><span class="co1"><br /></span></div><br />So a 4 fold increase in memcap, 8 fold increase in prealloc and 15 fold increase on hash-size settings leads to about 3 fold increase in RAM consumption and 5 fold on CPU consumption  - in terms of <b>flow management thread</b> usage.<br /><br />It would be very rare that you would need the settings in Example 2 - you need huge traffic for that...<br /><br />So how would you know when to tune/adjust those settings in suricata.yaml? It is recommended that you always keep an eye on your <u><i><b>stats.log</b></i></u> and make sure you do not enter emergency clean up mode:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-kNUNBoItuxU/U_C-HiPDjHI/AAAAAAAAAh0/k1bfVoX3YCg/s1600/FlowEmergMode.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-kNUNBoItuxU/U_C-HiPDjHI/AAAAAAAAAh0/k1bfVoX3YCg/s1600/FlowEmergMode.PNG" height="175" width="400" /></a></div><br /><br />it should always be 0<br /><br />Some additional reading on flows and flow managers -<br /><a href="http://blog.inliniac.net/2014/07/28/suricata-flow-logging/" >http://blog.inliniac.net/2014/07/28/suricata-flow-logging/</a><br /><br /><br /><br /><br /> First name:

Last name: