[Oisf-users] Suricata 2.1beta3 vs 2.0.7

Yasha Zislin coolyasha at hotmail.com
Fri May 1 13:05:10 UTC 2015


Correct.

I've also tried a slightly different version of the config to add MODBUS functionality and change toserver to dp for the ports in the application layer detection section of the config file. I've basically compared the config that came with the beta version to make sure things are correct and I am not using deprecated stuff. Either way, the same result.

It feels like something changed with memory. The beta version is only using about 40% of RAM but 2.0.7 is using 96%. It could be the reason for the packet loss on beta.
Just thinking out loud.

Thanks.

> Date: Fri, 1 May 2015 12:10:40 +0200
> Subject: Re: [Oisf-users] Suricata 2.1beta3 vs 2.0.7
> From: petermanev at gmail.com
> To: coolyasha at hotmail.com
> CC: modversion at gmail.com; oisf-users at lists.openinfosecfoundation.org
> 
> On Thu, Apr 30, 2015 at 5:13 PM, Yasha Zislin <coolyasha at hotmail.com> wrote:
> > I am inspecting two span ports. Each has about 15 million packets per
> > minute, mostly HTTP. Bandwidth is about 2 Gbps on each.
> >
> > I've noticed one new message on startup with beta version.
> > VLAN disabled, setting cluster type to CLUSTER_FLOW_5_TUPLE
> >
> > Not sure if this has any effect.
> >
> >
> > ________________________________
> > Date: Thu, 30 Apr 2015 23:10:09 +0800
> > Subject: Re: [Oisf-users] Suricata 2.1beta3 vs 2.0.7
> > From: modversion at gmail.com
> > To: coolyasha at hotmail.com
> > CC: oisf-users at lists.openinfosecfoundation.org
> >
> >
> > It seems that 2.0.7 works better than 2.1beta3.
> > What's the bandwidth you protect with Suricata? 10Gbps or 20Gbps?
> >
> > 2015-04-30 23:00 GMT+08:00 Yasha Zislin <coolyasha at hotmail.com>:
> >
> > I have tweaked my configuration to have Suricata 2.0.7 run with minimal
> > packet loss less than 0.01%. This set up does use a ton of RAM 95% of 140GB.
> > As soon as I switch to Suricata 2.1beta3 and run it with the same config, I
> > get 50% packet loss but RAM utilization stays around 50%.
> >
> > What was changed to have such a big impact?
> 
> Just to confirm - you are running the same Suricata config, the only
> thing you have changed is Suricata from 2.0.7 to 2.1beta3, correct?
> (nothing else)
> 
> >
> > P.S. I am using PF_RING.
> >
> > Thanks.
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
> >
> 
> 
> 
> -- 
> Regards,
> Peter Manev
 		 	   		  