<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body dir="auto">
<div>3.10 kernel. We are in process of moving to 4.x but not yet. </div>
<div><br>
</div>
<div>I don't think this is the problem because it works without the new configs. I was just hoping to get the speed up improvements as it normally takes a long time (5+ mins) to start up. <br>
<br>
<br>
</div>
<br>
<br>
<br>
<div class="gmail_quote">On Tue, Mar 1, 2016 at 3:36 AM -0800, "Michał Purzyński"
<span dir="ltr"><<a href="mailto:michalpurzynski1@gmail.com" target="_blank">michalpurzynski1@gmail.com</a>></span> wrote:<br>
<br>
</div>
<div>
<div></div>
<div>Just a thought - do you have something like smokeping in your network?</div>
<div><br>
</div>
<div>A CPU or two pegged while everything else is almost idle, with a high drop count could be either an elephant flow or this:</div>
<div><br>
</div>
<div><a href="https://github.com/inliniac/suricata/commit/0a22ba7e23deef9ab432d048828169f663dd247b">https://github.com/inliniac/suricata/commit/0a22ba7e23deef9ab432d048828169f663dd247b</a></div>
<div><br>
</div>
<div>Elephant flow means something like a data copy between a pair of hosts, over a single pair of ports, at a high speed. It would land on a single CPU, saturating it.</div>
<div><br>
</div>
<div>Also, which kernel version do you use?</div>
<div><br>
On 01 Mar 2016, at 07:47, Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div><span>On Mon, Feb 29, 2016 at 10:37 PM, Barkley, Joey</span><br>
<span><<a href="mailto:Joey.Barkley@ingramcontent.com">Joey.Barkley@ingramcontent.com</a>> wrote:</span><br>
<blockquote type="cite"><span>All,</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>I've done some tweaking to my test instance but can't seem to get it running</span><br>
</blockquote>
<blockquote type="cite"><span>properly. Here is what I did:</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>1) Took the dev-detect-grouping-v174 branch and merged master (as of this</span><br>
</blockquote>
<blockquote type="cite"><span>morning, 2016-02-29) into it.</span><br>
</blockquote>
<span></span><br>
<span>I would suggest do it step by step - in order to avoid excessive</span><br>
<span>troubleshooting if needed.</span><br>
<span>So start with just the dev-detect-grouping-v174 branch - but if you</span><br>
<span>start with that I would recommend the latest branch -</span><br>
<span>dev-detect-grouping-v178 branch -</span><br>
<span><a href="https://github.com/inliniac/suricata/tree/dev-detect-grouping-v178">https://github.com/inliniac/suricata/tree/dev-detect-grouping-v178</a></span><br>
<span></span><br>
<span></span><br>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>2) Built Suricata and used my normal config file, but made the required</span><br>
</blockquote>
<blockquote type="cite"><span>changes in the "detect" section.</span><br>
</blockquote>
<span></span><br>
<span>What changes are those exactly? Can you share that section of the suricata.yaml?</span><br>
<span></span><br>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>   a. I tried the default (profile medium, toclient 3, toserver 25) but</span><br>
</blockquote>
<blockquote type="cite"><span>then also changed to 30 and 250 just to test. Same results with both.</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<span></span><br>
<span>How many rules do you load?(or are you trying with no rules as a test)</span><br>
<span></span><br>
<blockquote type="cite"><span>3) I have 8 threads set, and I have management cpu set to 0,2 and detect cpu</span><br>
</blockquote>
<blockquote type="cite"><span>set to 4-14 (even number cores).</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>4) management cpu set is exclusive and high, so is detect cpu set</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>Suricata starts up very quickly (few seconds) and consumes very little RAM.</span><br>
</blockquote>
<blockquote type="cite"><span>However, I get cpu 0 with a very small use %, and cpu's 4 & 14 pegged at</span><br>
</blockquote>
<blockquote type="cite"><span>100%. kernel_drops are extremely high (compared to my working config).</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<span></span><br>
<span>This is - cpu's 4 and 14 are only pegged - not 4 through 14 (even</span><br>
<span>numbers only), is that correct?</span><br>
<span></span><br>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>I know I've got a lot of variables in this setup, but does anyone see</span><br>
</blockquote>
<blockquote type="cite"><span>anything obviously wrong with how I've set things up? Should I stop</span><br>
</blockquote>
<blockquote type="cite"><span>separating out the management CPU set and just run them on the CPUs that the</span><br>
</blockquote>
<blockquote type="cite"><span>detect threads run on?</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>Thanks,</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>Joey Barkley</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>_______________________________________________</span><br>
</blockquote>
<blockquote type="cite"><span>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">
oisf-users@openinfosecfoundation.org</a></span><br>
</blockquote>
<blockquote type="cite"><span>Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support:
<a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a></span><br>
</blockquote>
<blockquote type="cite"><span>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">
https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br>
</blockquote>
<blockquote type="cite"><span>Suricata User Conference November 9-11 in Washington, DC:</span><br>
</blockquote>
<blockquote type="cite"><span><a href="http://oisfevents.net">http://oisfevents.net</a></span><br>
</blockquote>
<span></span><br>
<span></span><br>
<span></span><br>
<span>-- </span><br>
<span>Regards,</span><br>
<span>Peter Manev</span><br>
</div>
</blockquote>
</div>
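<div><br>
</div>
<div>Added illustration, not part of any message in this thread and not Suricata's own code: a small Python model of the point raised above, that packets are hashed per flow to a worker thread, so an elephant flow puts every byte of one host pair and port pair onto a single CPU while the other workers stay near idle. The hash function, the worker count of eight and the sample traffic are constructed stand-ins (the real cluster_flow hash differs); the check at the end flags a worker whose load is well above the mean and dominated by one flow, which is the symptom to separate from a rule-set or affinity misconfiguration before tuning anything else.</div>

```python
"""Model of flow-to-worker distribution: why one bulk transfer pegs one CPU.

Added example; the hash, worker count and traffic below are constructed."""
import hashlib
from collections import Counter, defaultdict


def flow_key(src, sport, dst, dport, proto):
    """Symmetric 5-tuple key: both directions of a flow yield the same key."""
    a, b = (src, sport), (dst, dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (lo, hi, proto)


def worker_for(key, n_workers):
    """Constructed stand-in for a per-flow RSS/cluster hash (not Suricata's)."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_workers


def distribute(packets, n_workers):
    """Return (bytes per worker, bytes per flow within each worker)."""
    per_worker = Counter()
    per_worker_flows = defaultdict(Counter)
    for src, sport, dst, dport, proto, nbytes in packets:
        key = flow_key(src, sport, dst, dport, proto)
        w = worker_for(key, n_workers)
        per_worker[w] += nbytes
        per_worker_flows[w][key] += nbytes
    return per_worker, per_worker_flows


def find_elephants(per_worker, per_worker_flows, n_workers,
                   share=0.8, load_factor=2.0):
    """Workers loaded >= load_factor * mean whose top flow is >= share of
    their bytes.  Returns {worker: dominant flow key}."""
    mean = sum(per_worker.values()) / n_workers
    out = {}
    for w, total in per_worker.items():
        key, top = per_worker_flows[w].most_common(1)[0]
        if total >= load_factor * mean and top / total >= share:
            out[w] = key
    return out


def build_sample_traffic():
    """Constructed sample: one bulk copy between two hosts plus 64 short flows."""
    pkts = []
    # Elephant flow: a single host pair on a single port pair, both directions.
    for _ in range(2500):
        pkts.append(("10.0.0.5", 51000, "10.0.0.9", 445, "tcp", 1400))
        pkts.append(("10.0.0.9", 445, "10.0.0.5", 51000, "tcp", 1400))
    # Background: many small flows from distinct clients and source ports.
    for i in range(64):
        for _ in range(5):
            pkts.append((f"10.1.0.{i + 1}", 40000 + i, "10.2.0.1", 80, "tcp", 120))
            pkts.append(("10.2.0.1", 80, f"10.1.0.{i + 1}", 40000 + i, "tcp", 120))
    return pkts


if __name__ == "__main__":
    N_WORKERS = 8  # assumed worker count, like the 8 threads in the thread
    per_worker, per_worker_flows = distribute(build_sample_traffic(), N_WORKERS)
    for w in range(N_WORKERS):
        print(f"worker {w}: {per_worker.get(w, 0):>9} bytes, "
              f"{len(per_worker_flows[w])} flows")
    for w, key in find_elephants(per_worker, per_worker_flows, N_WORKERS).items():
        print(f"worker {w} is dominated by a single flow: {key}")
```

One pegged worker with a low overall packet rate but high drops is exactly what this model produces; if instead every detect CPU is busy, the cause is somewhere else (rule load, profile, or the affinity sets themselves).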
</body>
</html>