11.3. Tuning Considerations

Settings to check for optimal performance.

11.3.1. max-pending-packets: <number>

This setting controls the number simultaneous packets that the engine can handle. Setting this higher generally keeps the threads more busy, but setting it too high will lead to degradation.

Suggested setting: 10000 or higher. Max is ~65000. This setting is per thread. The memory is set up at start and the usage is as follows:

number_of.threads X max-pending-packets X (default-packet-size + ~750 bytes)

11.3.2. mpm-algo: <ac|hs|ac-bs|ac-ks>

Controls the pattern matcher algorithm. AC (Aho–Corasick) is the default. On supported platforms, Hyperscan is the best option. On commodity hardware if Hyperscan is not available the suggested setting is mpm-algo: ac-ks (Aho–Corasick Ken Steele variant) as it performs better than mpm-algo: ac

11.3.3. detect.profile: <low|medium|high|custom>

The detection engine tries to split out separate signatures into groups so that a packet is only inspected against signatures that can actually match. As in large rule set this would result in way too many groups and memory usage similar groups are merged together. The profile setting controls how aggressive this merging is done. The default setting of high usually is good enough.

The "custom" setting allows modification of the group sizes:

custom-values:
  toclient-groups: 100
  toserver-groups: 100

In general, increasing will improve performance. It will lead to minimal increase in memory usage. The default value for toclient-groups and toserver-groups with detect.profile: high is 75.

11.3.4. detect.sgh-mpm-context: <auto|single|full>

The multi pattern matcher can have it's context per signature group (full) or globally (single). Auto selects between single and full based on the mpm-algo selected. ac, ac-bs, ac-ks, hs default to "single". Setting this to "full" with mpm-algo: ac or mpm-algo: ac-ks offers better performance. Setting this to "full" with mpm-algo: hs is not recommended as it leads to much higher startup time. Instead with Hyperscan either detect.profile: high or bigger custom group size settings can be used as explained above which offers better performance than ac and ac-ks even with detect.sgh-mpm-context: full.

11.3.5. af-packet

If using af-packet (default on Linux) it is recommended that af-packet v3 is used for IDS/NSM deployments. For IPS it is recommended af-packet v2. To make sure af-packet v3 is used it can specifically be enforced it in the af-packet config section of suricata.yaml like so:

af-packet:
 - interface: eth0
   ....
   ....
   ....
   use-mmap: yes
   tpacket-v3: yes

11.3.6. ring-size

Ring-size is another af-packet variable that can be considered for tuning and performance benefits. It basically means the buffer size for packets per thread. So if the setting is ring-size: 100000 like below:

af-packet:
 - interface: eth0
   threads: 5
   ring-size: 100000

it means there will be 100,000 packets allowed in each buffer of the 5 threads. If any of the buffers gets filled (for example packet processing can not keep up) that will result in packet drop counters increasing in the stats logs.

The memory used for those is set up and dedicated at start and is calculated as follows:

af-packet.threads X af-packet.ring-size X (default-packet-size + ~750 bytes)

where af-packet.threads, af-packet.ring-size, default-packet-size are the values set in suricata.yaml. Config values for example for af-packet could be quickly displayed with on the command line as well with suricata --dump-config |grep af-packet.

11.3.7. stream.bypass

Another option that can be used to improve performance is stream.bypass. In the example below:

stream:
 memcap: 64mb
 checksum-validation: yes      # reject wrong csums
 inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
 bypass: yes
 reassembly:
   memcap: 256mb
   depth: 1mb                  # reassemble 1mb into a stream
   toserver-chunk-size: 2560
   toclient-chunk-size: 2560
   randomize-chunk-size: yes

Inspection will be skipped when stream.reassembly.depth of 1mb is reached for a particular flow.