Suricata - CPU Affinity - use more cores

[ArminF]

  PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
82280 root        103    0  2445M  1374M CPU5     5   5:33  99.54% suricata
   11 root        155 ki31      0   128K CPU7     7  13:23  99.35% idle{idle: cpu7}
   11 root        155 ki31      0   128K CPU6     6  23:15  98.92% idle{idle: cpu6}
   11 root        155 ki31      0   128K CPU1     1  22:30  98.60% idle{idle: cpu1}
   11 root        155 ki31      0   128K CPU2     2  23:39  98.12% idle{idle: cpu2}
   11 root        155 ki31      0   128K CPU3     3  23:06  85.31% idle{idle: cpu3}
   11 root        155 ki31      0   128K RUN      5  23:09  80.96% idle{idle: cpu5}
   11 root        155 ki31      0   128K RUN      0  23:01  79.04% idle{idle: cpu0}
   11 root        155 ki31      0   128K CPU4     4  23:31  51.85% idle{idle: cpu4}

Well, i enabled suricata on my WAN and DMZ interfaces.  LAN has Sensei running.
Took some speedtest and was pretty shocked.
Lost 70 Mbit with Suricata turned on. Got 180 from 250 mbit down. The upload kept the same.
So i checked on the console whats happening and saw that Suricata uses a single core out of 8.

Can this be somehow spread to serveral cores?

thank you
armin

[ArminF]

Found this explanation but not quite sure where to set what to get more out of 8 cores.
https://suricata.readthedocs.io/en/suricata-5.0.3/configuration/suricata-yaml.html
-----------------------------------------
set-cpu-affinity: no

cpu-affinity:
  - management-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings
  - receive-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings
  - worker-cpu-set:
      cpu: [ "all" ]
      mode: "exclusive"
      # Use explicitely 3 threads and don't compute number by using
      # detect-thread-ratio variable:
      # threads: 3
      prio:
        low: [ 0 ]
        medium: [ "1-2" ]
        high: [ 3 ]
        default: "medium"
  - verdict-cpu-set:
      cpu: [ 0 ]
      prio:
        default: "high"
-----------------------------------------

Runmode AutoFp:

management-cpu-set - used for management (example - flow.managers, flow.recyclers)
receive-cpu-set - used for receive and decode
worker-cpu-set - used for streamtcp,detect,output(logging)
verdict-cpu-set - used for verdict and respond/reject

Runmode Workers:

management-cpu-set - used for management (example - flow.managers, flow.recyclers)
worker-cpu-set - used for receive,streamtcp,decode,detect,output(logging),respond/reject, verdict
-----------------------------------------

Would it makes sense to set the mode to autofp and spread the work out to several dedicated cores?
As far i understood worker mode would bundle the work into single cores.

Or in worker mode to dedicate a core for management and exclude this from the workers cores?

thanks
armin

[mimugmail]

Did you try to add this in config file and restart from console to see if it fixes it?
I did a quick test on a 8 core system and I had 170% CPU usage for the process, so it should be fine I'd guess.

[ArminF]

Morning,
the pasted config is the default from suricata which i compared to the opnsense one.

maybe i am looking wrong. But from the top i see only cpu 5 used. So i asked myself if this could be configured to use all 8 cores "somehow"... I am not an expert.

As far i understood suricata on opnsense runs in worker mode. Maybe this would help to spread out the work
cpu-affinity:
  - management-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings
  - receive-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings
  - worker-cpu-set:
      cpu: [ "all" ]   ---> exclude cpu 0 set to 1-6
      mode: "exclusive" --> not sure here i another option called ballanced

or set to autofp and then spread the work to every cpu

cpu-affinity:
  - management-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings
  - receive-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings --> 1 - 2 CPUs
  - worker-cpu-set:
      cpu: [ "all" ] --> 3 - 5 CPUs
      mode: "exclusive"
      # Use explicitely 3 threads and don't compute number by using
      # detect-thread-ratio variable:
      # threads: 3
      prio:
        low: [ 0 ]
        medium: [ "1-2" ]
        high: [ 3 ]
        default: "medium"
  - verdict-cpu-set:
      cpu: [ 0 ]  --> 6 - 7 CPUs
      prio:
        default: "high"


Not sure if this would help.
How do you read this settings?

thanks!
A