linefilt
suricata performance according to CPU affinity
CPU: E5-2620v4 (HT enabled), RAM: 48GB, Ethernet: Intel X540-T2
suricata 5.0.0-beta1, Fedora 29 (kernel 4.18.16-300)
flow-timeout
tcp:
  new: 5
  established: 600
  closed: 10
  bypassed: 600
  emergency-new: 5
  emergency-established: 100
  emergency-closed: 10
  emergency-bypassed: 50
loaded rules
suricata.rules: 20498 signatures processed. 1227 are IP-only rules, 6384 are inspecting packet payload, 12564 inspect application layer, 103 are decoder event only
Pattern Matching
- hyperscan 5.1.1-1(MPM, SPM)
- sgh-mpm-context: single (profile high)
Logging
- enable stats.log (interval 10s), fast.log
af-packet:
  - interface: ens4f0
    threads: auto
    defrag: yes
    cluster-type: cluster_qm
    cluster-id: 98
    copy-mode: ips
    copy-iface: ens4f1
    ring-size: 500000
    use-mmap: yes
    use-emergency-flush: yes
  - interface: ens4f1
    threads: auto
    defrag: yes
    cluster-type: cluster_qm
    cluster-id: 97
    copy-mode: ips
    copy-iface: ens4f0
    ring-size: 500000
    use-mmap: yes
    use-emergency-flush: yes
Client and server connected directly: 9.41G achieved
A single session is enough to measure the same throughput, but multiple sessions are used so that the traffic is distributed across all of the Multi-Queue queues.
Client: iperf3 -c $Server_IP -P 100 -t 30 -b 100M -p 80 -Z -N
Server: iperf3 -s -p 80
cat /proc/interrupts
CPU0 CPU1 CPU2 CPU3 CPU4 CPU5 CPU6 CPU7 CPU8 CPU9 CPU10 CPU11 CPU12 CPU13 CPU14 CPU15
0: 134 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 IO-APIC 2-edge timer
8: 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 IO-APIC 8-edge rtc0
9: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 IO-APIC 9-fasteoi acpi
18: 0 0 0 0 0 0 0 0 0 0 0 62 0 0 0 0 IO-APIC 18-fasteoi ehci_hcd:usb1, ehci_hcd:usb2, i801_smbus
25: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 PCI-MSI 16384-edge aerdrv, PCIe PME
26: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 PCI-MSI 18432-edge aerdrv, PCIe PME
28: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 PCI-MSI 32768-edge aerdrv, PCIe PME
29: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 PCI-MSI 36864-edge aerdrv, PCIe PME
31: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 PCI-MSI 49152-edge aerdrv, PCIe PME
32: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 PCI-MSI 458752-edge PCIe PME
33: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 PCI-MSI 462848-edge PCIe PME
34: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 PCI-MSI 464896-edge PCIe PME
35: 0 0 0 0 0 0 0 0 0 0 8564 0 0 0 0 0 PCI-MSI 512000-edge ahci[0000:00:1f.2]
36: 0 0 0 0 0 0 0 0 0 0 0 0 300 0 0 0 PCI-MSI 327680-edge xhci_hcd
37: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 97693 0 PCI-MSI 1572864-edge nvkm
38: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 9 PCI-MSI 360448-edge mei_me
39: 2288 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 PCI-MSI 409600-edge enp0s25
42: 0 404 0 0 0 0 0 0 0 0 0 0 0 0 0 0 PCI-MSI 442368-edge snd_hda_intel:card1
43: 0 0 57 0 0 0 0 0 0 0 0 0 0 0 0 0 IO-APIC 12-fasteoi snd_hda_intel:card2
44: 11895896 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 PCI-MSI 2621440-edge ens4f0-TxRx-0
45: 0 12031681 0 0 0 0 0 0 0 0 0 0 0 0 1 0 PCI-MSI 2621441-edge ens4f0-TxRx-1
46: 0 0 12026722 0 0 0 0 0 0 0 0 0 0 0 0 1 PCI-MSI 2621442-edge ens4f0-TxRx-2
47: 1 0 0 11948032 0 0 0 0 0 0 0 0 0 0 0 0 PCI-MSI 2621443-edge ens4f0-TxRx-3
48: 0 1 0 0 12107704 0 0 0 0 0 0 0 0 0 0 0 PCI-MSI 2621444-edge ens4f0-TxRx-4
49: 0 0 1 0 0 12045697 0 0 0 0 0 0 0 0 0 0 PCI-MSI 2621445-edge ens4f0-TxRx-5
50: 0 0 0 1 0 0 11969663 0 0 0 0 0 0 0 0 0 PCI-MSI 2621446-edge ens4f0-TxRx-6
51: 0 0 0 0 1 0 0 12009348 0 0 0 0 0 0 0 0 PCI-MSI 2621447-edge ens4f0-TxRx-7
52: 0 0 0 0 0 1 0 0 12088758 0 0 0 0 0 0 0 PCI-MSI 2621448-edge ens4f0-TxRx-8
53: 0 0 0 0 0 0 1 0 0 12003050 0 0 0 0 0 0 PCI-MSI 2621449-edge ens4f0-TxRx-9
54: 0 0 0 0 0 0 0 1 0 0 12074029 0 0 0 0 0 PCI-MSI 2621450-edge ens4f0-TxRx-10
55: 0 0 0 0 0 0 0 0 1 0 0 11924482 0 0 0 0 PCI-MSI 2621451-edge ens4f0-TxRx-11
56: 0 0 0 0 0 0 0 0 0 1 0 0 12097054 0 0 0 PCI-MSI 2621452-edge ens4f0-TxRx-12
57: 0 0 0 0 0 0 0 0 0 0 1 0 0 11991753 0 0 PCI-MSI 2621453-edge ens4f0-TxRx-13
58: 0 0 0 0 0 0 0 0 0 0 0 1 0 0 11987515 0 PCI-MSI 2621454-edge ens4f0-TxRx-14
59: 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 12104031 PCI-MSI 2621455-edge ens4f0-TxRx-15
60: 0 0 0 0 0 0 0 0 0 0 0 0 0 3 0 0 PCI-MSI 2621456-edge ens4f0
61: 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 PCI-MSI 2097152-edge enp4s0
62: 2648 0 0 0 12 0 0 0 0 0 0 0 0 0 0 0 PCI-MSI 2097153-edge enp4s0-TxRx-0
63: 6943 0 0 0 0 5 0 0 0 0 0 0 0 0 0 0 PCI-MSI 2097154-edge enp4s0-TxRx-1
64: 2459 0 0 0 0 0 11 0 0 0 0 0 0 0 0 0 PCI-MSI 2097155-edge enp4s0-TxRx-2
65: 2397 0 0 0 0 0 0 5 0 0 0 0 0 0 0 0 PCI-MSI 2097156-edge enp4s0-TxRx-3
66: 3309072 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 PCI-MSI 2623488-edge ens4f1-TxRx-0
67: 0 3266233 0 0 0 0 0 0 0 0 0 0 0 0 0 1 PCI-MSI 2623489-edge ens4f1-TxRx-1
68: 1 0 3288511 0 0 0 0 0 0 0 0 0 0 0 0 0 PCI-MSI 2623490-edge ens4f1-TxRx-2
69: 0 1 0 3286123 0 0 0 0 0 0 0 0 0 0 0 0 PCI-MSI 2623491-edge ens4f1-TxRx-3
70: 0 0 1 0 3293016 0 0 0 0 0 0 0 0 0 0 0 PCI-MSI 2623492-edge ens4f1-TxRx-4
71: 0 0 0 1 0 3294006 0 0 0 0 0 0 0 0 0 0 PCI-MSI 2623493-edge ens4f1-TxRx-5
72: 0 0 0 0 1 0 3270649 0 0 0 0 0 0 0 0 0 PCI-MSI 2623494-edge ens4f1-TxRx-6
73: 0 0 0 0 0 1 0 3275915 0 0 0 0 0 0 0 0 PCI-MSI 2623495-edge ens4f1-TxRx-7
74: 0 0 0 0 0 0 1 0 3290679 0 0 0 0 0 0 0 PCI-MSI 2623496-edge ens4f1-TxRx-8
75: 0 0 0 0 0 0 0 1 0 3198511 0 0 0 0 0 0 PCI-MSI 2623497-edge ens4f1-TxRx-9
76: 0 0 0 0 0 0 0 0 1 0 3330628 0 0 0 0 0 PCI-MSI 2623498-edge ens4f1-TxRx-10
77: 0 0 0 0 0 0 0 0 0 1 0 3329364 0 0 0 0 PCI-MSI 2623499-edge ens4f1-TxRx-11
78: 0 0 0 0 0 0 0 0 0 0 1 0 3300450 0 0 0 PCI-MSI 2623500-edge ens4f1-TxRx-12
79: 0 0 0 0 0 0 0 0 0 0 0 1 0 3324295 0 0 PCI-MSI 2623501-edge ens4f1-TxRx-13
80: 0 0 0 0 0 0 0 0 0 0 0 0 1 0 3264092 0 PCI-MSI 2623502-edge ens4f1-TxRx-14
81: 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 3276201 PCI-MSI 2623503-edge ens4f1-TxRx-15
82: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 PCI-MSI 2623504-edge ens4f1
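Leaving the Ethernet queues aside, CPU 0 and CPU 14 are the cores hit most often by the remaining interrupt sources, so they are excluded from the affinity of ens4f0 and ens4f1, and the remaining 14 cores are assigned to the MQ queues with the set_irq_affinity script. The set_irq_affinity script can be found in the Intel Ethernet driver directory.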
./set_irq_affinity 1-7,8-13,15 ens4f0
./set_irq_affinity 1-7,8-13,15 ens4f1
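The core selection described above can be derived from `/proc/interrupts` rather than read off by eye. The following is an added example, not code from the original post: it sums per-CPU interrupts from everything except the capture NICs' queue vectors, reserves the busiest cores for management, and prints the remaining cores as a CPU list. The sample input, the function names and the device names `gpu0` and `eno1` are constructed for illustration.

```python
import re

# Constructed 4-CPU sample in /proc/interrupts layout (not the page's data).
SAMPLE = """\
           CPU0       CPU1       CPU2       CPU3
  0:        120          0          0          0  IO-APIC 2-edge timer
 35:          0          0       9000          0  PCI-MSI 512000-edge ahci[0000:00:1f.2]
 37:          0          0          0      80000  PCI-MSI 1572864-edge gpu0
 39:       2000          0          0          0  PCI-MSI 409600-edge eno1
 44:    9000000          0          0          1  PCI-MSI 2621440-edge ens4f0-TxRx-0
 45:          0    9100000          0          0  PCI-MSI 2621441-edge ens4f0-TxRx-1
 66:    3000000          0          0          0  PCI-MSI 2623488-edge ens4f1-TxRx-0
ERR:          0
"""

def background_irq_load(text, capture_ifaces):
    """Per-CPU interrupt totals, ignoring the capture NICs' own vectors."""
    lines = text.splitlines()
    ncpu = len(lines[0].split())
    load = [0] * ncpu
    skip = re.compile(r"\b(?:%s)(?:-|$)" % "|".join(map(re.escape, capture_ifaces)))
    for line in lines[1:]:
        fields = line.partition(":")[2].split()
        counts = fields[:ncpu]
        if len(counts) < ncpu or not all(c.isdigit() for c in counts):
            continue  # rows such as ERR/MIS carry one global counter
        if skip.search(" ".join(fields[ncpu:])):
            continue  # these vectors are re-pinned by set_irq_affinity anyway
        for cpu, count in enumerate(counts):
            load[cpu] += int(count)
    return load

def split_cpus(load, n_mgmt):
    """Reserve the n_mgmt busiest CPUs for management, the rest for workers."""
    ranked = sorted(range(len(load)), key=lambda c: (-load[c], c))
    mgmt = sorted(ranked[:n_mgmt])
    return mgmt, [c for c in range(len(load)) if c not in mgmt]

def cpu_list(cpus):
    """Collapse [1, 2, 3, 5] into '1-3,5' for an affinity argument."""
    out, start, prev = [], None, None
    for c in cpus + [None]:
        if start is None:
            start = prev = c
        elif c is not None and c == prev + 1:
            prev = c
        else:
            out.append(str(start) if start == prev else f"{start}-{prev}")
            start = prev = c
    return ",".join(out)

if __name__ == "__main__":
    mgmt, workers = split_cpus(background_irq_load(SAMPLE, ["ens4f0", "ens4f1"]), 2)
    print("management:", cpu_list(mgmt), "workers/IRQ queues:", cpu_list(workers))
```

On a live host, pass the contents of `/proc/interrupts` instead of `SAMPLE`. The worker list it prints is the same set to use for both `set_irq_affinity` and `worker-cpu-set`.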
In the environments measured with the number of suricata workers matched to the system's 14 Multi-Queue queues (case 1, case 2), suricata cpu-affinity is additionally applied in suricata.yaml.
vi /etc/suricata/suricata.yaml
...
cpu-affinity:
  - management-cpu-set:
      cpu: [ 0,14 ]  # include only these CPUs in affinity settings
  - worker-cpu-set:
      cpu: [ "1-7","8-13","15" ]
      mode: "exclusive"
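When all 16 cores were used, throughput improved over the 14-core setup in some cases, but with large fluctuation. The improvement was also marginal, and CPU usage and context switches (context_sw) increased considerably relative to the throughput gained.
Instead, using some of the system's cores for management and setting the affinity in suricata.yaml to match gave stable context_sw and CPU utilization together with excellent throughput.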