[Oisf-devel] Periodical pool performance problem with suricata

xbadou xbadou xbadou at gmail.com
Mon Aug 19 11:38:59 UTC 2013


Hi,

I am running Suricata 1.4.5 with default suricata.yaml. In my test, I use
'Microsoft Web Application Stress Tool' to see the performance of it.

Hardware: CPU Intel(R) Core(TM) i3-2120 CPU @ 3.30GHz   RAM: 12GB  System:
Debian 6.0

Rules: about 5000 snort rules.

Suricata is running in IPS mode with 4 NFQUEUE worker mode. Two NICs are
added to a bridge.

PC(Running WAS)--------Suricata(bridge)-----------PC(Web server IIS6.0)


Microsoft Web Application Stress Tool (WAS) can simulate a large number of
requests to Web server.

The result is that CPU is 100%, but the Flow Chart in the IIS's machine is
as follows.

 [image: Inline image 1]

About every 30s, the performance becomes poor.

At last, in my detailed test, I find that changing these values can influence
the result:

flow-timeouts:

  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100

When I change 'closed' to a small value such as 10, the flow won't be poor
periodically. But it's poor all the time.

So, I want to know why changing flow-timeouts-closed can cause these changes.
What is Suricata doing when the flow is down?

And what can I do to avoid it? Thanks