Closed dougburks closed 8 years ago
Yes:
Choosing "Production Mode" and then "Best Practices" should result in automatically configuring PF_RING instances based on number of CPU cores.
Choosing "Production Mode" and then "Custom" should allow the user to set their own number of PF_RING instances. Although it might be nice to suggest a number to the user.
Submitted for testing: https://groups.google.com/d/topic/security-onion-testing/MLmpJoGgekU/discussion
Hi guys, I just installed the new version of Security Onion and set up with custom, but it didn’t ask me how many cores for Snort or Bro I would like to use. Is this what should happen?
If you choose "Best Practices", then Security Onion will configure this based on the number of available CPU cores. Otherwise, "Custom" should recommend the number of cores to be used.
Thanks, Wes
Yep, I know this. The new version 14.04.4.1 didn’t ask me how many cores. My question was, should this be the case during the custom install? Is there something up?
If you are sure you experienced this, could you please post the exact steps/configuration options that led you to this?
Thanks, Wes
Yes I am sure of this. I have just gone through it again. I simply went through the setup and enabled IDS and Bro and had nothing about how many cores I want to use. The previous version asked me to choose.
Did setup successfully complete? Were you installing a sensor or a standalone? Did you install using the ISO or the PPA?
Also, please continue this discussion by posting your question here: https://groups.google.com/forum/#!forum/security-onion
Thanks, Wes
I forgot, if you have 4 cores or fewer, configuration will happen like this (to avoid overworking the box):
- 1 core reserved for netsniff-ng for each configured sniffing interface
- 1 core reserved for OS
Remaining cores will be split up for IDS/Bro:
- 1 core for IDS
- 1 core for Bro
For a machine with 8 cores, Custom configuration should configure the machine as follows:
- 1 core reserved for netsniff-ng for each configured sniffing interface
- 1 core reserved for OS
Remaining number of cores available for use with IDS/BRO: If you have one sniffing interface, then it would be allowed to be configured as follows:
- 3 cores available for IDS - Will provide recommendation, and allow you to choose # of cores (up to 3).
- 3 cores available for Bro - Will provide recommendation, and allow you to choose # of cores (up to 3).
If you have 2 sniffing interfaces, for an 8 core box you would get the following:
- 1 core reserved for netsniff-ng for each configured sniffing interface (2)
- 1 core reserved for OS
Remaining number of cores split for use between IDS/BRO:
- 2 cores available for IDS - Will provide recommendation, and allow you to choose # of cores (up to 2).
- 2 cores available for Bro - Will provide recommendation, and allow you to choose # of cores (up to 2).
I hope this sheds some light on why the setup acts the way it does.
I'm assuming you're experiencing this behavior because your machine is using 4 or fewer CPU cores.
Thanks, Wes
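The allocation rule described in the comment above, modelled as an added example; it is not part of the original thread and is not Security Onion's setup code. The function name `pf_ring_plan`, the integer split of the remaining cores, and the floor of one core per tool are assumptions inferred from the 4-core and 8-core cases given in the comment.

```bash
#!/usr/bin/env bash
# Added example: models the Custom-mode core split described in the thread.
# pf_ring_plan is a hypothetical name; this is not Security Onion's own script.

# Usage: pf_ring_plan TOTAL_CORES SNIFFING_INTERFACES
# Prints: "<reserved> <ids_max> <bro_max> <auto|prompt>"
#   reserved : cores set aside for netsniff-ng (1 per interface) and the OS (1)
#   ids_max  : most cores setup would offer to the IDS engine
#   bro_max  : most cores setup would offer to Bro
#   auto     : setup picks the values silently (4 cores or fewer)
#   prompt   : setup recommends a value and lets the user choose up to the max
pf_ring_plan() {
    local cores ifaces n reserved remaining per_tool mode
    cores=$1
    ifaces=$2

    # Reject empty or non-numeric arguments.
    for n in "$cores" "$ifaces"; do
        case "$n" in
            ''|*[!0-9]*) echo "usage: pf_ring_plan CORES INTERFACES" >&2; return 2 ;;
        esac
    done
    if [ "$cores" -lt 1 ] || [ "$ifaces" -lt 1 ]; then
        echo "cores and interfaces must both be at least 1" >&2
        return 2
    fi

    reserved=$(( ifaces + 1 ))            # netsniff-ng per interface + OS
    remaining=$(( cores - reserved ))
    per_tool=$(( remaining / 2 ))         # assumption: integer split IDS/Bro
    if [ "$per_tool" -lt 1 ]; then
        per_tool=1                        # assumption: each tool gets >= 1
    fi

    mode=prompt
    if [ "$cores" -le 4 ]; then
        per_tool=1                        # small box: 1 IDS + 1 Bro, no prompt
        mode=auto
    fi
    echo "$reserved $per_tool $per_tool $mode"
}

# The three cases from the thread: "cores interfaces"
for spec in "4 1" "8 1" "8 2"; do
    # shellcheck disable=SC2086  # word splitting of $spec is intended
    printf '%s -> %s\n' "$spec" "$(pf_ring_plan $spec)"
done
```

On a 4-core box the plan comes back as `auto`, which matches the behaviour reported earlier in the thread: no prompt for the number of cores.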
Hi Wes,
Yes, it has 4 cores. Cool, so that is what is going on. So I went back to version 14.04.3.1 and I was able to select the cores. Thanks for the info.
Rgds, Lee
You can always modify this after Setup: https://github.com/Security-Onion-Solutions/security-onion/wiki/PF_RING
If you have further questions or problems, please use our mailing list: https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists
Thanks!
Should this be done for Best Practices? Also, for Advanced Setup (Custom), should this be an option (whether or not to configure based on the number of cores)? I would think that the Custom mode/option should allow for more configuration options rather than automatically configuring the number of PF_RING instances--I would think this would be reserved for cases where individuals being introduced to Security Onion may not necessarily be privy to why they would need to configure a greater number of PF_RING instances, but would benefit from the automatic optimization.
Thanks, Wes