Give Suricata Engine more RAM

[ArminF]

Hello,
my box feels boring and has a lot of free memory.
So i thought to give DNS and Suricata more memory.

But there is no system tune option or settings on the GUI.

Is it possible to set more RAM to Suricata?

thanks
armin

[siga75]

conf file say

# Flow settings:
# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
# for flow allocation inside the engine. You can change this value to allow
# more memory usage for flows.
# The hash-size determine the size of the hash used to identify flows inside
# the engine, and by default the value is 65536.
# At the startup, the engine can preallocate a number of flows, to get a better
# performance. The number of flows preallocated is 10000 by default.
# emergency-recovery is the percentage of flows that the engine need to
# prune before unsetting the emergency state. The emergency state is activated
# when the memcap limit is reached, allowing to create new flows, but
# prunning them with the emergency timeouts (they are defined below).
# If the memcap is reached, the engine will try to prune flows
# with the default timeouts. If it doens't find a flow to prune, it will set
# the emergency bit and it will try again with more agressive timeouts.
# If that doesn't work, then it will try to kill the last time seen flows
# not in use.
# The memcap can be specified in kb, mb, gb.  Just a number indicates it's
# in bytes.

flow:
  memcap: 64mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30


So I guess if you don't see messages on the logs indicating you reached the memcap, then you don't need more RAM. Suricata is probably only CPU intensive, RAM should not be a big issue

[ArminF]

Siga,

thank you very much.
No i do not see any message of reaching the memcap.

Can you give me the location of the config file?
And would the settings be changed there and would they be reboot consistent?

thank you
A

[siga75]

I am not an expert but it should be persistent to reboot, not to an update probably

config file: /usr/local/etc/suricata/suricata.yaml


root@myfw:~ # ps aux | grep suri
root          30263   0.2  3.2 2279032  529764  -  Ss   15Feb20   166:52.64 /usr/local/bin/suricata -D --netmap --pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml

[ArminF]

Excellent, thank you very much Siga!

[ArminF]

Just found this as well. As soon as you know what you looking you usually find more

https://forum.opnsense.org/index.php?topic=13445.0

[siga75]

cool

let us know if you see some benefit, in such case a WUI conf would be nice to have

[ArminF]

So, first attempt was not better than the default.
As you wrote just changing the RAM does not make a difference.
Have to tune on more variables and therefore read more.

Details/Results:
WAN is 250 mbit down / 25 up
CPU intel i3 4100 / 1.8 GHZ
Promiscuous ON
Full Rulesets 47168 set to DROP except P2P


Speedtest default config
Destination Solnet -> 238/24 mbit  -> lost 12 mbit
CPU peak max 45%
RAM 1500 MB



Speedtest “tuned” config
Destination Solnet -> 230/24 mbit --> lost 20mbit
CPU peak max 45%
RAM 1500 MB


No RAM change…
back to default settings…

changes:
File Location
/usr/local/opnsense/service/templates/OPNsense/IDS/suricata.yaml
/usr/local/etc/suricata/suricata.yaml


Default Settings

defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60


flow:
  memcap: 64mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30


stream:
  memcap: 32mb
  checksum-validation: yes      # reject wrong csums
  inline: {% if OPNsense.IDS.general.ips|default(“0”) == “1” %}true{% else %}auto{% endif %}

  reassembly:
    memcap: 128mb
    depth: 1mb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes

Tuned Settings

defrag:
  memcap: 512mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60


flow:
  memcap: 1gb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30


stream:
  memcap: 512mb
  checksum-validation: yes      # reject wrong csums
  inline: {% if OPNsense.IDS.general.ips|default(“0”) == “1” %}true{% else %}auto{% endif %}

  reassembly:
    memcap: 2gb
    depth: 2mb                  # reassemble 2mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes