<div dir="ltr"><p class="">Hi,<br></p>


<p class=""><span lang="EN-US">I am running Suricata 1.4.5
with the default suricata.yaml. In my test, I use the ‘Microsoft Web Application
Stress Tool’ to see its performance.</span></p>

<p class=""><span lang="EN-US">Hardware: CPU Intel(R) Core(TM) i3-2120 CPU
@ 3.30GHz   RAM: 12GB  System: Debian 6.0</span></p>

<p class=""><span lang="EN-US">Rules: about 5000 snort rules.</span></p>

<p class=""><span lang="EN-US">Suricata is running in IPS mode with 4 NFQUEUE worker mode. Two NICs are added to a bridge. </span></p>

<p class=""><span lang="EN-US"> </span></p>

<p class=""><span lang="EN-US">PC(Running WAS)--------Suricata(bridge)-----------PC(Web
server IIS6.0)</span></p>

<p class=""><span lang="EN-US"> </span></p>

<p class=""><span lang="EN-US">Microsoft Web Application Stress Tool (WAS)
can simulate a large number of requests to a Web server.</span></p>

<p class=""><span lang="EN-US"> </span></p>

<p class=""><span lang="EN-US">The result is that the CPU is at 100%, but the flow
chart on the IIS machine is as follows.</span></p>

<p class=""><span lang="EN-US"> <img src="cid:ii_14096586a1d59b69" alt="Inline image 1" width="567" height="379"></span></p>

<p class=""><span lang="EN-US"> </span></p>

<p class="">About every 30s, the performance becomes poor.</p><p class=""><span lang="EN-US">Finally, in my detailed test, I found that changing these
values can influence the result:</span></p>

<p class=""><span lang="EN-US"> </span></p>

<pre style="margin:5pt 10pt;text-align:left;font-size:12pt;color:blue"><span lang="EN-US">flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    <span style="color:red">closed: 120</span>
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100</span></pre>

<p class=""><span lang="EN-US"> </span></p>

<p class="" style><span lang="EN-US"> When I change 'closed' to a small value such as 10, the flow won't be poor periodically. But it's poor all the time.</span></p>

<p class=""><span lang="EN-US">So, I want to know why changing flow-timeouts-closed
can cause these changes. What is Suricata doing when the flow is down? </span></p><p class=""><span lang="EN-US">And what
can I do to avoid it? Thanks</span></p>

</div>