OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: ArminF on September 21, 2020, 10:21:24 pm

Title: Suricata - CPU Affinity - use more cores
Post by: ArminF on September 21, 2020, 10:21:24 pm
  PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
82280 root        103    0  2445M  1374M CPU5     5   5:33  99.54% suricata
   11 root        155 ki31      0   128K CPU7     7  13:23  99.35% idle{idle: cpu7}
   11 root        155 ki31      0   128K CPU6     6  23:15  98.92% idle{idle: cpu6}
   11 root        155 ki31      0   128K CPU1     1  22:30  98.60% idle{idle: cpu1}
   11 root        155 ki31      0   128K CPU2     2  23:39  98.12% idle{idle: cpu2}
   11 root        155 ki31      0   128K CPU3     3  23:06  85.31% idle{idle: cpu3}
   11 root        155 ki31      0   128K RUN      5  23:09  80.96% idle{idle: cpu5}
   11 root        155 ki31      0   128K RUN      0  23:01  79.04% idle{idle: cpu0}
   11 root        155 ki31      0   128K CPU4     4  23:31  51.85% idle{idle: cpu4}

Well, I enabled Suricata on my WAN and DMZ interfaces. LAN has Sensei running.
Took some speed tests and was pretty shocked.
Lost 70 Mbit with Suricata turned on. Got 180 from 250 Mbit down. The upload stayed the same.
So I checked on the console what's happening and saw that Suricata uses a single core out of 8.

Can this be somehow spread to several cores?

thank you
armin
Title: Re: Suricata - CPU Affinity - use more cores
Post by: ArminF on September 22, 2020, 08:25:30 am
Found this explanation but not quite sure where to set what to get more out of 8 cores.
https://suricata.readthedocs.io/en/suricata-5.0.3/configuration/suricata-yaml.html
-----------------------------------------
set-cpu-affinity: no

cpu-affinity:
  - management-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings
  - receive-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings
  - worker-cpu-set:
      cpu: [ "all" ]
      mode: "exclusive"
      # Use explicitly 3 threads and don't compute number by using
      # detect-thread-ratio variable:
      # threads: 3
      prio:
        low: [ 0 ]
        medium: [ "1-2" ]
        high: [ 3 ]
        default: "medium"
  - verdict-cpu-set:
      cpu: [ 0 ]
      prio:
        default: "high"
-----------------------------------------

Runmode AutoFp:

management-cpu-set - used for management (example - flow.managers, flow.recyclers)
receive-cpu-set - used for receive and decode
worker-cpu-set - used for streamtcp, detect, output (logging)
verdict-cpu-set - used for verdict and respond/reject

Runmode Workers:

management-cpu-set - used for management (example - flow.managers, flow.recyclers)
worker-cpu-set - used for receive, streamtcp, decode, detect, output (logging), respond/reject, verdict
-----------------------------------------

Would it make sense to set the mode to autofp and spread the work out to several dedicated cores?
As far as I understood, worker mode would bundle the work into single cores.

Or, in worker mode, to dedicate a core for management and exclude this from the workers' cores?

thanks
armin
Title: Re: Suricata - CPU Affinity - use more cores
Post by: mimugmail on September 22, 2020, 09:20:14 am
Did you try to add this to the config file and restart from the console to see if it fixes it?
I did a quick test on an 8-core system and I had 170% CPU usage for the process, so it should be fine I'd guess.

Title: Re: Suricata - CPU Affinity - use more cores
Post by: ArminF on September 22, 2020, 09:30:08 am
Morning,
the pasted config is the default from Suricata, which I compared to the OPNsense one.

Maybe I am looking at it wrong. But from the top I see only CPU 5 used. So I asked myself if this could be configured to use all 8 cores "somehow"... I am not an expert.

As far as I understood, Suricata on OPNsense runs in worker mode. Maybe this would help to spread out the work:
cpu-affinity:
  - management-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings
  - receive-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings
  - worker-cpu-set:
      cpu: [ "all" ]     # ---> exclude cpu 0, set to 1-6
      mode: "exclusive"  # --> not sure here; there is another option called balanced

or set to autofp and then spread the work to every cpu

cpu-affinity:
  - management-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings
  - receive-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings --> 1 - 2 CPUs
  - worker-cpu-set:
      cpu: [ "all" ]  # --> 3 - 5 CPUs
      mode: "exclusive"
      # Use explicitly 3 threads and don't compute number by using
      # detect-thread-ratio variable:
      # threads: 3
      prio:
        low: [ 0 ]
        medium: [ "1-2" ]
        high: [ 3 ]
        default: "medium"
  - verdict-cpu-set:
      cpu: [ 0 ]  # --> 6 - 7 CPUs
      prio:
        default: "high"


Not sure if this would help.
How do you read these settings?

thanks!
A
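
Added example, not part of the thread and not Suricata or OPNsense code: a Python sketch that expands the cpu lists of a cpu-affinity block for an 8-core system and reports which sets a runmode uses (per the AutoFp/Workers lists quoted above), which sets share a CPU, and which CPUs no set covers. It goes slightly beyond the thread by handling any mix of "all", ranges and single ids. The function names are hypothetical, the configs are constructed from the thread as Python dicts, and reading the arrow annotations as CPU ids is an assumption.

```python
# Added example (not from the thread or from Suricata): which cpu-affinity sets
# a runmode uses, per the AutoFp/Workers lists quoted above, and where they overlap.
RUNMODE_SETS = {
    "workers": ["management-cpu-set", "worker-cpu-set"],
    "autofp": ["management-cpu-set", "receive-cpu-set", "worker-cpu-set", "verdict-cpu-set"],
}

def expand_cpus(spec, ncpu):
    """Expand a cpu list such as [0], ["all"] or ["1-2", 5] into a set of ints."""
    cpus = set()
    for item in spec:
        text = str(item).strip()
        if text == "all":
            cpus.update(range(ncpu))
        elif "-" in text:
            lo, hi = (int(p) for p in text.split("-", 1))
            cpus.update(range(lo, hi + 1))
        else:
            cpus.add(int(text))
    bad = sorted(c for c in cpus if not 0 <= c < ncpu)
    if bad:
        raise ValueError(f"cpu ids {bad} do not exist on a {ncpu}-core system")
    return cpus

def plan(affinity, runmode, ncpu, set_cpu_affinity=True):
    """Return (cpus per set in use, overlapping set pairs, cpus no set covers)."""
    if not set_cpu_affinity:
        # set-cpu-affinity: no -> the cpu-affinity block is not applied at all.
        return {}, {}, set()
    used = {name: expand_cpus(affinity[name]["cpu"], ncpu)
            for name in RUNMODE_SETS[runmode] if name in affinity}
    names = list(used)
    overlaps = {(a, b): used[a] & used[b]
                for i, a in enumerate(names) for b in names[i + 1:]
                if used[a] & used[b]}
    return used, overlaps, set(range(ncpu)) - set().union(*used.values())

# Constructed inputs: the documentation default and the two layouts proposed in
# the last post, with "1-6", "1 - 2", "3 - 5", "6 - 7" read as CPU ids (assumption).
DEFAULT = {"management-cpu-set": {"cpu": [0]}, "receive-cpu-set": {"cpu": [0]},
           "worker-cpu-set": {"cpu": ["all"]}, "verdict-cpu-set": {"cpu": [0]}}
WORKERS_PROPOSAL = {**DEFAULT, "worker-cpu-set": {"cpu": ["1-6"]}}
AUTOFP_PROPOSAL = {"management-cpu-set": {"cpu": [0]}, "receive-cpu-set": {"cpu": ["1 - 2"]},
                   "worker-cpu-set": {"cpu": ["3 - 5"]}, "verdict-cpu-set": {"cpu": ["6 - 7"]}}

if __name__ == "__main__":
    for cfg, mode in [(DEFAULT, "workers"), (WORKERS_PROPOSAL, "workers"), (AUTOFP_PROPOSAL, "autofp")]:
        print(mode, *plan(cfg, mode, ncpu=8), sep="\n  ")
```

In workers runmode the receive and verdict sets do not appear in the result at all, and the 1-6 layout leaves CPU 7 outside every set.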