<div dir="ltr"><div>As an experiment you may want to turn off the MD5 calculation. It's extremely compute intensive and, believe it or not, runs single threaded within the library where the calculations occur. I owe Victor a patch to avoid the single thread behavior. If this helps you out I'll look into making the patch available.<br><br></div>Tom<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 21, 2015 at 9:05 AM, Miso Mijatovic <span dir="ltr">&lt;<a href="mailto:mmijatovic@sorint.it" target="_blank">mmijatovic@sorint.it</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<span class=""><br>
> Have you done any tuning of the suricata.yaml?<br>
<br>
</span>Yes, in addition to<br>
<br>
stream.checksum_validation no<br>
<span class="">stream.reassembly.depth 0<br>
libhtp.default-config.request-body-limit 0<br>
libhtp.default-config.response-body-limit 0<br>
<br>
</span>I commented the part about eth0 in the afpacket section because it is not a traffic interface;<br>
I enabled the file-store (with force md5, force magic and waldo) and file-log (with force md5 and force magic);<br>
I increased the stream memcap from default 32mb to 128mb;<br>
I decreased the reassembly memcap from default 128mb to 64mb.<br>
<span class=""><br>
> What type of traffic and how much of it are you inspecting on what HW ?<br>
<br>
</span>I am inspecting 80/90 Mb of clients' normal internet traffic; my hw has 12 Gb RAM on 8 processors.<br>
<br>
Regards,<br>
Miso Mijatovic<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" target="_blank">http://oisfevents.net</a><br>
</div></div></blockquote></div><br></div>
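<div>The experiment suggested in the reply, as a suricata.yaml fragment: this is an added example, not configuration posted by either participant. It covers only the file-store and file-log outputs mentioned in the thread; the directory and file names are assumed placeholder values.</div>

```yaml
# Constructed fragment of suricata.yaml (file outputs only); not taken from the thread.
outputs:
  - file-store:
      enabled: yes
      log-dir: files            # assumed directory name
      force-magic: yes
      # Before the experiment: force-md5: yes (MD5 computed for every stored file)
      force-md5: no
      waldo: file.waldo         # assumed waldo file name

  - file-log:
      enabled: yes
      filename: files-json.log  # assumed log file name
      append: yes
      force-magic: yes
      # Before the experiment: force-md5: yes (MD5 computed for every logged file)
      force-md5: no

# Note: rules that use the filemd5 keyword still cause MD5 to be computed
# for the files they inspect, even with force-md5 set to no.
```

<div>Change only the two force-md5 values and leave the other tuning as it was, so that any difference in load can be attributed to the MD5 calculation.</div>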