Increasing the number of Suricata and Zeek instances #1924

chadlangston · 2020-11-16T04:22:28Z

chadlangston
Nov 16, 2020

Hi All,

Does anyone know how I can increase the number of Suricata and Zeek instances running on my Standalone Security Onion 2.3? I used the defaults (1 instance) during set up and Grafana is showing a lot of PCAP packet loss (about 50%), but my CPU usage is quite low. The docs make it sound like increasing the Suricata instances will help lower the PCAP packet loss. Does this sound right to anyone?

Thank you!
Chad

Answered by polivia

Nov 16, 2020

Edit your minion's sls file:
/opt/so/saltstack/local/pillar/minions/so-sensor01_sensor.sls

Updated these:
zeek_lbprocs
suriprocs

View full answer

polivia · 2020-11-16T13:51:32Z

polivia
Nov 16, 2020

Edit your minion's sls file:
/opt/so/saltstack/local/pillar/minions/so-sensor01_sensor.sls

Updated these:
zeek_lbprocs
suriprocs

1 reply

chadlangston Nov 16, 2020
Author

Thank you polivia!

polivia · 2020-11-16T13:53:25Z

polivia
Nov 16, 2020

Restart services:
sudo salt 'so_sensor*' cmd.run 'so-zeek-restart'
sudo salt 'so_sensor*' cmd.run 'so-suricata-restart'

0 replies

dougburks · 2020-11-16T14:16:03Z

dougburks
Nov 16, 2020
Maintainer

If Grafana is showing Suricata packet loss, then you would want to tune Suricata. If Grafana is showing Zeek packet loss, then you would want to tune Zeek. If Grafana is showing PCAP packet loss, then that doesn't necessarily mean that you need to tune Zeek or Suricata, as those processes are totally independent of the Stenographer process that performs full packet capture:
https://docs.securityonion.net/en/2.3/stenographer.html

You might want to start with filtering out traffic that you don't want Stenographer to write to disk:
https://docs.securityonion.net/en/2.3/bpf.html#simple-example

3 replies

chadlangston Nov 16, 2020
Author

Thank you Doug! Yes, it is PCAP packet loss that I was referring to. I'll check it out :)

chadlangston Nov 17, 2020
Author

Doug, rebooting Security Onion brought the PCAP packet loss back to 0%. Thinking back, I did a big time machine backup over my network recently, 650GB. Is there some reason that a large amount of throughput could potentially cause the stenographer processes and the sensors (one is on board, the other is USB) to continue with packet loss, even after the large data throughput event has completed?

dougburks Nov 17, 2020
Maintainer

I would expect that if a large network transfer caused Stenographer to drop packets, then that would show in Grafana as a temporary spike.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Increasing the number of Suricata and Zeek instances #1924

Uh oh!

{{title}}

Uh oh!

Replies: 3 comments 4 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Increasing the number of Suricata and Zeek instances #1924

Uh oh!

chadlangston Nov 16, 2020

Replies: 3 comments · 4 replies

Uh oh!

polivia Nov 16, 2020

Uh oh!

chadlangston Nov 16, 2020 Author

Uh oh!

polivia Nov 16, 2020

Uh oh!

dougburks Nov 16, 2020 Maintainer

Uh oh!

chadlangston Nov 16, 2020 Author

Uh oh!

chadlangston Nov 17, 2020 Author

Uh oh!

dougburks Nov 17, 2020 Maintainer

chadlangston
Nov 16, 2020

Replies: 3 comments 4 replies

polivia
Nov 16, 2020

chadlangston Nov 16, 2020
Author

polivia
Nov 16, 2020

dougburks
Nov 16, 2020
Maintainer

chadlangston Nov 16, 2020
Author

chadlangston Nov 17, 2020
Author

dougburks Nov 17, 2020
Maintainer