[Oisf-users] Suricata Performance

Brant Wells bwells at tfc.edu
Tue Jan 19 20:39:23 UTC 2010

The bandwidth / packet rate, packet size, etc.  I can answer.  We usually run ~20-25mbit total throughput consisting of roughly 2500 - 3000 packets per second.  

Traffic type includes general web surfing (our two biggest hogs are Facbook and Youtube, but we also have NetFlix), ftp, our servers hosting web pages, SSH, Skype, and I'm sure there's stuff I'm missing.  We block P2P both with Snort and our firewall, but that doesn't mean there's not some students who have figured out ways around it.

The only time I see  the CPU usage as a real issue is when the CPU usage is causing the system to slow internet traffic down.  Case in point:  When I run Suricata with all the snort rules loaded, et al, the CPU usage is ~110 - 120% plus some spikes.  The internet as a whole doesn't slow down (games like WoW don't lag or anything).

When I'm testing stuff for Breno, the same thing happens, only I get extreme lag in games like WoW than just running the vanilla Suricata.  (I know Breno is just testing some code, so it's not really a concern for me now, but a valid point).

How can I see how many packets are being dropped by Suricata (and when you say drop, I assume you are not talking about my DROP rules, but drops due to CPU or NIC buffers or something) --  and how can I see where they are being dropped at?

I don't know how you guys have the threading setup (Multi-threading is beyond my coding ability due to lack of good examples (and practice!) in Gambas for Linux or VB6 for Windows)... but it would be nice if you could dedicate a thread for debugging messages or something, and have that output to a separate file than the rest of the logs.

See Yas!

-----Original Message-----
From: Edward Bjarte Fjellskål [mailto:edward.fjellskal at redpill-linpro.com] 
Sent: Tuesday, January 19, 2010 2:38 PM
To: Frank Knobbe
Cc: Brant Wells; oisf-users at openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata Performance

> When I look at IDS performance, I always look at CPU utilization, memory
> utilization, and dropped packets at the same time.

I would add bandwidth, packet rate, packet size and type of traffic
into the mix also.


More information about the Oisf-users mailing list