[Oisf-users] high cpu loads running multiple suricata instances
Aki Heikkinen
aki.heikkinen at kuusisolutions.fi
Tue Jul 20 13:14:00 UTC 2010
Hi,
We're running 7 to 10 suricata 1.0 instances on old 2,7GHz quad
processor xeon server (with hyperthreading so OS sees 8 cores), used to
run snort_inline on same hardware (snort_inline instances attached to
different cores). Suricata instances suck up cpu cycles. I can
understand this for high traffic-volume instances which has hundreds of
UDP connections passing through but half of the instances are mainly
idling.
top - 15:45:14 up 76 days, 7:41, 4 users, load average: 5.09, 5.40, 5.37
Tasks: 135 total, 4 running, 131 sleeping, 0 stopped, 0 zombie
Cpu(s): 8.5%us, 21.4%sy, 0.0%ni, 70.0%id, 0.0%wa, 0.0%hi, 0.0%si,
0.0%st
Mem: 3961684k total, 3712484k used, 249200k free, 245996k buffers
Swap: 7815612k total, 282032k used, 7533580k free, 593384k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
23732 suricata 20 0 369m 160m 1588 S 55 4.2 10368:21 suricata
23728 suricata 20 0 455m 228m 1484 S 53 5.9 10367:21 suricata
14068 suricata 20 0 378m 225m 1600 S 49 5.8 27:37.22 suricata
23734 suricata 20 0 832m 545m 1640 R 49 14.1 13311:46 suricata
23730 suricata 20 0 408m 237m 1540 S 48 6.1 10373:09 suricata
23726 suricata 20 0 477m 310m 1612 S 46 8.0 10383:05 suricata
23724 suricata 20 0 789m 589m 1620 S 44 15.2 11698:04 suricata
Any tips would be appreciated howto tune suricata to better use
resources on this hardware. Current config is pretty much suricatas
default with most ET signatures enabed.
Hopefully suricata manual will be out soon! :)
Yours,
Aki Heikkinen
More information about the Oisf-users
mailing list