Feature #1348
open
OOBE -6- increasing max-pending-packets default value
Added by Peter Manev almost 10 years ago.
Updated about 4 years ago.
Description
This is part of OOBE tickets line.
Out Of the Box Experience(OOBE) is aimed at providing better defaults values in suricata.yaml
single: 128
workers: 4096
autofp: 32768 (or maybe 2048 * thread cnt)
cuda: 64k
- Assignee set to OISF Dev
- Target version set to 70
any thoughts what we should use nowadays?
- Status changed from New to Feedback
- Assignee changed from OISF Dev to Peter Manev
Could we make it based on some other values so it will be calculated?
Think it makes sense to base it on number of threads somehow.
I looked into that but couldn't find a proper way. One idea is to change the value to be per-thread but would brake too much.
Is there a value you think that would be safe to just use as a new default value?
The value is currently already per thread.
The challenge here is that we also need to be cautious as to for the situations where Suricata is run on very small devices. In those cases we would also want to offer good experience right out if the box.
I have been going back and forth (internally :) ) quite a few times on this. It seems it might be better to offer some sort of quick "perf guide" where a user can just adjust a few basic settings without needing to dive into advanced tuning.
Well if someone is running suricata on a small device like raspi I would expect some knowledge/time to tune it. I would expect the default to match a "normal" system. I would suggest 32k or 64k as that shouldn't really have a huge impact right?
Well it is a good point what is a "normal" system and "normal" traffic? :)
I would say going to 4/8 x times the current default should be ok though. Think it would still keep it all under .5G ram
- Target version changed from 70 to TBD
Also available in: Atom
PDF