[Oisf-devel] 77b708=WIN?

Victor Julien victor at inliniac.net
Mon Sep 26 18:28:15 UTC 2011


On 09/26/2011 08:16 PM, Martin Holste wrote:
> I continued to have segfaults with recent versions, so I tried today's
> HEAD commit of 77b7089f796f3ee5e984b35a780c2f1cf9f85209.  The jury is
> still out on segfaults (it's only been running for a little over an
> hour), but something amazing has occurred:  For the first time ever,
> an IDS has successfully not dropped a single heartbeat during our noon
> peak traffic time period!  Granted I'm running our "light" ruleset of
> only about 4k rules, but we usually experience packet loss 10-30% with
> the same ruleset.  I've never seen a perfect score for over an hour!
> So, I'm not sure what you tweaked in the last few days for this
> commit, but it has a massive performance improvement when running
> with:
> 
> max-pending-packets: 5000
> runmode: autofp
> - sgh-mpm-context: full
> mpm-algo: ac

How much ram does this take?

> 8 PF_RING threads (PF_RING 5.0.1)
> 
> For reference, prior Suricatas were dropping about 30%, and 16 Snorts
> all load-balanced with PF_RING were in the 10-25% drop range during
> peak traffic.  At peak, we see about 3500 HTTP requests/sec.  If you
> can't think of any code changes that would've occurred since September
> 21 that would cause this, then it had to be one of my config tweaks,
> so please let me know.

You're running the git master which was last updated the 21st, so we
won't have later code that can be of influence.

Prior to it we had a few fixes and simplifications:
- pcre update that in very limited testing seemed to speed my tests up
by about 7%
- http transaction tracking that was simpler and improved accuracy
- a segv condition that really shouldn't affect you

The flow manager changes may affect you as well. They make sure flows
get timed out more aggressively if they are due for timing out.

Maybe that all has its influence. Hard to pinpoint anything though...

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------



