[Oisf-devel] Performance Boosts

Brant Wells bwells at tfc.edu
Fri Mar 23 15:05:09 UTC 2012


I got a 50mbit fiber line (50 up and 50 down) that is usually just running
around 40mbit down.  My box is currently on a Mirror port (SPAN port for
the cisco guys out there).

Other pertinent info: I am also running OpenFPC on this box as well for
network capture to (a second) disk.  Could that be affecting Suricata (i.e.,
should I start Suricata first, and then start the network capture, or does
it matter)?

I just got Suri fired back up again, so I'll see what happens...

  One final thought... I did an upgrade on my Firewall last night...  It
now has a better ability to block P2P traffic and such...  If the firewall
is blocking the P2P, that means suricata isn't having to process quite as
large of a volume of packets...  Could that be where all of my CPU usage
went?

Thanks!
~Brant

On Fri, Mar 23, 2012 at 4:38 AM, Peter Manev <petermanev at gmail.com> wrote:

>
>
> On Fri, Mar 23, 2012 at 8:56 AM, Victor Julien <victor at inliniac.net> wrote:
>
>> On 03/23/2012 05:46 AM, Brant Wells wrote:
>> > Hi All,
>> >
>> > I just wanted to report in...  The latest GIT version that I am running
>> > (Suricata 1.3dev (rev 22349f8)) has given me some very notable
>> > improvements!
>> >
>> > I almost wondered if Suricata had crashed a few minutes ago, because my
>> > web interface to BASE was lightning fast!
>> >
>> > Anyhow, I did some checking and Suricata is now running steady between
>> > ~30% and 75% CPU usage... and roughly 11% of my system memory (Quad
>> > core / 4GB box)...  Before it was running at 99% CPU usage and consuming
>> > 60% of the box's RAM.
>>
>> That memory thing has me somewhat worried. We did do some optimization,
>> but nothing should result in a factor 6 reduction I think.
>>
>> What was the Suricata version you used before this?
>>
>> > I went to check my stats.log and noticed that it was at the 2gb file
>> > limit, lol, so i don't have any hard numbers right now.  I will restart
>> > it tomorrow and get some...
>> >
>> > I am using the suricata.yaml that comes with the source, and have only
>> > modified the IP Addresses to match my network, all other settings have
>> > been left at default...
>>
>> We did change the default runmode from auto to autofp, which should
>> scale much better:
>> http://www.inliniac.net/blog/2012/03/23/suricata-runmode-changes.html
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>
> Hi Brant,
>
> how much traffic do you inspect?
>
> thanks
>
>
>
> --
> Regards,
> Peter Manev
>
>