Security-Onion-Solutions / securityonion

Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, detections, and case management. It also includes other tools such as osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek.
https://securityonion.net

Suricata and Grafana performance changes #803

Closed dougburks closed 1 year ago

dougburks commented 4 years ago

Per https://suricata.readthedocs.io/en/latest/performance/tuning-considerations.html, we should set defaults and allow tuning for high performance.

In suricata.yaml, we should increase the default max-pending-packets value to at least what we set in the current platform, which is 5000, and allow it to be tuned.

We should probably enable the following under af-packet:

    #use-mmap: yes
    #tpacket-v3: yes

We should expose the following so the user can increase when necessary:

    #ring-size: 2048

Grafana should display additional stats from Suricata's stats.log so that we can tell if any memcap limitations are being reached and need to be tuned. It would be nice if Grafana could show the value from suricata.yaml and compare that to the actual usage in stats.log.

TOoSmOotH commented 4 years ago

Suricata config items are complete. Just need Grafana.

dougburks commented 4 years ago

Looks like tpacket-v3 is still commented out:

https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/dev/salt/suricata/files/suricata.yaml#L628

https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/dev/salt/suricata/files/suricataMETA.yaml#L628

Is that intentional?

UPDATE: Mike pointed out that tpacket-v3 is enabled here: https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/feature/suripillar/salt/suricata/files/defaults.yaml#L767

TOoSmOotH commented 4 years ago

We need to pull the metrics out and send them to Telegraf and create additional graphs. Graph memuse. Max the graph at the current memcap.
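As an added example (not code from the Security Onion project or from anyone in this thread), the script below does the two checks this issue asks for: it verifies that the af-packet and max-pending-packets settings from the opening comment are set, and it reads the memuse counters from a Suricata stats.log dump and compares them with the memcap values in suricata.yaml, which is the "max the graph at the current memcap" idea in numeric form. It assumes the config is handed in as the dict that `yaml.safe_load` would produce from suricata.yaml; the mapping of counters to memcap keys (`flow.memuse` to `flow.memcap`, `tcp.memuse` to `stream.memcap`, `tcp.reassembly_memuse` to `stream.reassembly.memcap`), the sample config, the sample stats.log text and the 80% warning ratio are all constructed here, not taken from the page.

```python
"""Compare Suricata stats.log memuse counters with suricata.yaml memcaps,
and check the af-packet settings discussed in this issue. Added example;
the sample config and stats.log text below are constructed, not real data."""
import re

# Size suffixes Suricata accepts in memcap values ("128mb", "1gb", "4096").
_UNITS = {"": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}

# Assumed mapping from a stats.log memuse counter to the suricata.yaml key
# holding its memcap (a path into the dict yaml.safe_load would return).
MEMCAP_FOR_COUNTER = {
    "flow.memuse": ("flow", "memcap"),
    "tcp.memuse": ("stream", "memcap"),
    "tcp.reassembly_memuse": ("stream", "reassembly", "memcap"),
}

# One "counter | TM Name | value" row of a stats.log dump.
_ROW = re.compile(r"^\s*([\w.\-]+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_size(text):
    """Convert a Suricata size string such as '128mb' to a byte count."""
    m = re.fullmatch(r"(\d+)\s*([a-z]*)", str(text).strip().lower())
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_stats_log(text):
    """Return {counter: value} for the 'Total' rows of the most recent dump.
    Later dumps overwrite earlier ones, so the last block in the file wins."""
    stats = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m and m.group(2) == "Total":
            stats[m.group(1)] = int(m.group(3))
    return stats


def check_memcaps(config, stats, warn_ratio=0.8):
    """Report each memuse counter against its memcap; warn_ratio is arbitrary."""
    findings = []
    for counter, path in MEMCAP_FOR_COUNTER.items():
        if counter not in stats:
            continue  # counter not present in this stats.log dump
        node = config
        for key in path:
            node = node[key]
        memcap = parse_size(node)
        ratio = stats[counter] / memcap
        findings.append({"counter": counter, "memuse": stats[counter],
                         "memcap": memcap, "ratio": round(ratio, 4),
                         "warn": ratio >= warn_ratio})
    return findings


def check_capture_settings(config, min_pending=5000):
    """Flag settings this issue asks to raise (max-pending-packets >= 5000)
    or enable (use-mmap, tpacket-v3, explicit ring-size) under af-packet."""
    findings = []
    pending = config.get("max-pending-packets", 0)
    if pending < min_pending:
        findings.append(f"max-pending-packets is {pending}, want at least {min_pending}")
    for iface in config.get("af-packet", []):
        name = iface.get("interface", "?")
        for key in ("use-mmap", "tpacket-v3"):
            # yaml.safe_load turns a bare 'yes' into True, so accept both.
            if iface.get(key) not in (True, "yes"):
                findings.append(f"{name}: {key} is not enabled")
        if "ring-size" not in iface:
            findings.append(f"{name}: ring-size not set explicitly")
    return findings


# Constructed config, shaped like yaml.safe_load(open("suricata.yaml")).
SURICATA_CONFIG = {
    "max-pending-packets": 1024,
    "af-packet": [{"interface": "eth0", "use-mmap": True, "ring-size": 2048}],
    "flow": {"memcap": "128mb"},
    "stream": {"memcap": "64mb", "reassembly": {"memcap": "256mb"}},
}

# Constructed stats.log excerpt with two dumps; only the second one counts.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 1/1/2020 -- 12:00:00 (uptime: 0d, 00h 00m 10s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 100000
flow.memuse                                | Total                     | 7380304
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 98304
------------------------------------------------------------------------------------
Date: 1/1/2020 -- 12:00:20 (uptime: 0d, 00h 00m 30s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 900000
flow.memuse                                | Total                     | 125829120
tcp.memuse                                 | Total                     | 20971520
tcp.reassembly_memuse                      | Total                     | 98304
"""

if __name__ == "__main__":
    stats = parse_stats_log(SAMPLE_STATS_LOG)
    for f in check_memcaps(SURICATA_CONFIG, stats):
        flag = "WARN" if f["warn"] else "ok"
        print(f"{flag:4} {f['counter']}: {f['memuse']} / {f['memcap']} ({f['ratio']:.1%})")
    for msg in check_capture_settings(SURICATA_CONFIG):
        print("CONFIG", msg)
```

Run against a real deployment, `parse_stats_log` would take the contents of Suricata's stats.log and `SURICATA_CONFIG` would come from `yaml.safe_load` on the rendered suricata.yaml; the `ratio` field is the value a Telegraf-fed Grafana panel would plot, with the memcap as the panel's ceiling.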