Hi all,

In the following days, I want to replace some Linux systems that act as IDS/IPS nodes with OpenBSD 6.1 (congratulations to the whole OpenBSD team; IMO, the best OpenBSD that I have used).

These OpenBSD nodes will be installed with Suricata, Bro and Snort components. In the Linux and FreeBSD world, when you try to monitor 1GB/10GB networks (which is my case), some kernel variables need to be tweaked. For example, on Linux systems some options are:

    net.core.rmem_max
    net.core.wmem_max
    net.core.rmem_default
    net.core.wmem_default
    net.core.optmem_max
    net.ipv4.tcp_rmem
    net.ipv4.tcp_wmem
    net.ipv4.udp_mem

In OpenBSD's old days, you could tweak some options like send and receive network buffers, etc. But in the most recent OpenBSD releases, most of these options are not available; from what I understand, some sort of "tuning" is already done by default in the GENERIC kernel.

But I see some kernel options that could need to be modified to use IDS/IPS software. Some of them:

    kern.somaxconn
    net.inet.udp.recvspace
    net.inet.udp.sendspace
    net.bpf.maxbufsize (I am not sure about this option)
    ....

On the other side, I don't want to break anything in this first stage :) ... I prefer to do some type of control first and apply these changes afterwards.

Any recommendation?

Many thanks.

--
Greetings,
C. L. Martinez