jasonish / docker-suricata

A Suricata Docker image.
https://hub.docker.com/r/jasonish/suricata/
MIT License
250 stars, 76 forks

Performance issue #20

Closed. jplopezy closed this 2 years ago

jplopezy commented 2 years ago

My problem is that when I run Docker it freezes my EC2 instance; the instance has 2 cores and is mirroring traffic from the VPC.

I don't know what could be happening; I just run this line:

docker run --rm --net=host \
    --cap-add=net_admin --cap-add=sys_nice \
    -v $(pwd)/logs:/var/log/suricata \
    jasonish/suricata:latest -i eth0

Is it mandatory to create the volumes? Maybe that creates the problem ...

LOG:

root@ip-172-31-3-122:~#
root@ip-172-31-3-122:~# docker run --rm  --net=host \
>     --cap-add=net_admin --cap-add=sys_nice \
>     -v $(pwd)/logs:/var/log/suricata \
> jasonish/suricata:latest -i eth0
Checking for capability sys_nice: yes
Checking for capability net_admin: yes
13/10/2021 -- 00:01:34 - <Notice> - This is Suricata version 6.0.3 RELEASE running in SYSTEM mode

help me!

jasonish commented 2 years ago

You don't have to use the volume, but you probably want to so you can see what Suricata is logging. I'm not that familiar with EC2, VPCs, and all that. Is the storage where the volume is actual physical storage on that VM? Or some network mounted storage?

How much memory does the machine have?

jplopezy commented 2 years ago

@jasonish Thanks for answering, it is a virtual machine, I think it has 2 GB

A quick question, what is the default configuration of HOME_NET? I think maybe that's where the problem comes from.

jasonish commented 2 years ago

> @jasonish Thanks for answering, it is a virtual machine, I think it has 2 GB
>
> A quick question, what is the default configuration of HOME_NET? I think maybe that's where the problem comes from.

The default home net is:

HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
jplopezy commented 2 years ago

You were right. The problem was the memory; with 4 GB it works fine.

last question, do you save the rules locally or inside the docker?

Greetings and a thousand thanks for your contribution to the community!

jasonish commented 2 years ago

> You were right. The problem was the memory; with 4 GB it works fine.

I've had no issues running on a 2 GB Linode instance, but the traffic is very light, so that could be why you need 4 GB.

> last question, do you save the rules locally or inside the docker?

This is up to you really. /var/lib/suricata is exposed as a volume, so you can either bind-mount it or use a named volume. I suggest using one or the other to save your rule updates outside the container. I still haven't worked out the best user story for externalizing stuff like rules and configuration outside of the container, but /etc/suricata is also exposed as a volume to make custom configuration easier.

> Greetings and a thousand thanks for your contribution to the community!

Thanks.
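The two practical outcomes of this thread, the memory floor that stopped the host from freezing and the use of the exposed /var/lib/suricata and /etc/suricata volumes to keep rules and configuration outside the container, packaged as an added example. This is not code from the docker-suricata project or its author. Everything beyond what the thread states is an assumption: the 3.5 GiB floor (a nominal 4 GB instance reports a little less than 4 GiB in MemTotal), the --memory cap, the volume names suricata-rules and suricata-etc, and that the image forwards an alternate command such as suricata-update to its entrypoint.

```shell
#!/bin/sh
# Added example for this thread; not code from the docker-suricata project.
# Pre-flight memory check for a sensor on a small instance, plus a docker run
# line that caps the container's memory and keeps rules/config in named
# volumes so they outlive the container. Assumptions (not from the page): the
# 3.5 GiB floor, the --memory cap, the volume names, and that the image passes
# an alternate command (suricata-update) through to its entrypoint.

# A nominal 4 GB instance reports a little under 4 GiB in MemTotal, so the
# floor is 3.5 GiB expressed in kB (the unit /proc/meminfo uses).
MIN_MEM_KB=$((7 * 512 * 1024))

# Print MemTotal in kB from a /proc/meminfo-style file; exit 1 if the field is
# missing, so callers can tell "too small" from "could not read".
meminfo_total_kb() {
    awk '/^MemTotal:/ { print $2; found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# Exit 0 when the host meets MIN_MEM_KB, 2 when it is below it, 1 when the
# file could not be parsed. Pass /proc/meminfo on a real host.
check_memory() {
    total=$(meminfo_total_kb "$1") || return 1
    if [ "$total" -ge "$MIN_MEM_KB" ]; then
        return 0
    fi
    echo "MemTotal ${total} kB is below ${MIN_MEM_KB} kB; a 2 GB host froze in this thread" >&2
    return 2
}

# Print the docker run command instead of executing it, so it can be inspected
# and tested offline. Run it with:  eval "$(build_run_cmd eth0 "$(pwd)/logs")"
# --memory and --memory-swap set equal disables swap for the container, so the
# kernel OOM-kills Suricata rather than letting the whole host thrash.
build_run_cmd() {
    iface=$1
    logdir=$2
    printf '%s' "docker run --rm --net=host" \
        " --cap-add=net_admin --cap-add=sys_nice" \
        " --memory=3g --memory-swap=3g" \
        " -v suricata-rules:/var/lib/suricata" \
        " -v suricata-etc:/etc/suricata" \
        " -v ${logdir}:/var/log/suricata" \
        " jasonish/suricata:latest -i ${iface}"
}

# Rules live in the suricata-rules volume, so a one-off run of suricata-update
# against the same volume refreshes them for the next sensor start.
build_update_cmd() {
    printf '%s' "docker run --rm -v suricata-rules:/var/lib/suricata" \
        " jasonish/suricata:latest suricata-update"
}

# Demo on constructed /proc/meminfo content (not taken from a real machine).
main() {
    tmp="${TMPDIR:-/tmp}/meminfo.$$"
    printf 'MemTotal:        2030452 kB\nMemFree:          812340 kB\n' > "$tmp"
    if check_memory "$tmp"; then
        echo "memory ok, would run:"
    else
        echo "refusing to start on this host; the command would have been:"
    fi
    rm -f "$tmp"
    build_run_cmd eth0 "$(pwd)/logs"
    echo
    build_update_cmd
    echo
}

main
```

On a real sensor, replace the constructed file with /proc/meminfo and gate the `eval` on `check_memory` succeeding; the named volumes mean `docker volume inspect suricata-rules` shows where the updated rules actually live on the host.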