[Oisf-devel] Periodical pool performance problem with suricata
Eric Leblond
eric at regit.org
Tue Sep 3 19:21:36 UTC 2013
Hello,
On Monday 19 August 2013 at 19:38 +0800, xbadou xbadou wrote:
> Hi,
> I am running Suricata 1.4.5 with default suricata.yaml. In my test, I
> use 'Microsoft Web Application Stress Tool' to see the performance of
> it.
>
> Hardware: CPU Intel(R) Core(TM) i3-2120 CPU @ 3.30GHz RAM: 12GB
> System: Debian 6.0
>
> Rules: about 5000 snort rules.
>
> Suricata is running in IPS mode with 4 NFQUEUE worker mode. Two NICs
> are added to a bridge.
>
> PC(Running WAS)--------Suricata(bridge)-----------PC(Web server IIS6.0)
>
> Microsoft Web Application Stress Tool (WAS) can simulate a large
> number of requests to Web server.
>
> The result is that CPU is 100%, but the Flow Chart in the IIS's
> machine is as follows.
>
> Inline image 1
>
> About every 30s, the performance becomes poor.
>
> At last, in my detailed test, I find that changing these values can influence
> the result:
>
> flow-timeouts:
>   default:
>     new: 30
>     established: 300
>     closed: 0
>     emergency-new: 10
>     emergency-established: 100
>     emergency-closed: 0
>   tcp:
>     new: 60
>     established: 3600
>     closed: 120
>     emergency-new: 10
>     emergency-established: 300
>     emergency-closed: 20
>   udp:
>     new: 30
>     established: 300
>     emergency-new: 10
>     emergency-established: 100
>   icmp:
>     new: 30
>     established: 300
>     emergency-new: 10
>     emergency-established: 100
>
> When I change 'closed' to a small value such as 10, the flow won't be
> poor periodically. But it's poor all the time.
>
> So, I want to know why changing flow-timeouts-closed can cause these
> changes. What is suricata doing when the flow is down?
>
> And what can I do to avoid it? Thanks
Can you activate stats.log, make a run and share the resulting
stats.log? With that, we should be able to see what resources went
wrong during the run.
BR,
--
Eric
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/