Feature #1348

open

OOBE -6- increasing max-pending-packets default value

Added by Peter Manev almost 10 years ago. Updated about 4 years ago.

Status: Feedback
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

This is part of the OOBE tickets line.
Out Of the Box Experience (OOBE) is aimed at providing better default values in suricata.yaml.

single: 128
workers: 4096
autofp: 32768 (or maybe 2048 * thread cnt)
cuda: 64k
Actions #1

Updated by Andreas Herz almost 9 years ago

  • Assignee set to OISF Dev
  • Target version set to 70
Actions #2

Updated by Andreas Herz over 5 years ago

Any thoughts on what we should use nowadays?

Actions #3

Updated by Victor Julien over 5 years ago

  • Status changed from New to Feedback
  • Assignee changed from OISF Dev to Peter Manev
Actions #4

Updated by Andreas Herz over 5 years ago

Could we make it based on some other values so it will be calculated?

Actions #5

Updated by Peter Manev over 5 years ago

Think it makes sense to base it on number of threads somehow.

Actions #6

Updated by Andreas Herz about 5 years ago

I looked into that but couldn't find a proper way. One idea is to change the value to be per-thread, but that would break too much.
Is there a value you think that would be safe to just use as a new default value?

Actions #7

Updated by Victor Julien about 5 years ago

The value is currently already per thread.

Actions #8

Updated by Peter Manev about 5 years ago

The challenge here is that we also need to be cautious about situations where Suricata is run on very small devices. In those cases we would also want to offer a good experience right out of the box.

I have been going back and forth (internally :) ) quite a few times on this. It seems it might be better to offer some sort of quick "perf guide" where a user can just adjust a few basic settings without needing to dive into advanced tuning.

Actions #9

Updated by Andreas Herz about 5 years ago

Well, if someone is running Suricata on a small device like a raspi, I would expect some knowledge/time to tune it. I would expect the default to match a "normal" system. I would suggest 32k or 64k, as that shouldn't really have a huge impact, right?

Actions #10

Updated by Peter Manev about 5 years ago

Well it is a good point what is a "normal" system and "normal" traffic? :)
I would say going to 4/8 x times the current default should be ok though. Think it would still keep it all under .5G ram

Actions #11

Updated by Victor Julien about 4 years ago

  • Target version changed from 70 to TBD