[Oisf-users] high cpu loads running multiple suricata instances

Victor Julien victor at inliniac.net
Tue Jul 20 13:20:35 UTC 2010 

What made you decide to run multiple instances? Suricata is
multi-threaded so it will use all your cores with a single instance as
well. That should reduce the overhead of the "management" threads, most
importantly the flow manager.

Cheers,
victor

Aki Heikkinen wrote:
> Hi,
> 
> We're running 7 to 10 suricata 1.0 instances on old 2,7GHz quad 
> processor xeon server (with hyperthreading so OS sees 8 cores), used to 
> run snort_inline on same hardware (snort_inline instances attached to 
> different cores). Suricata instances suck up cpu cycles. I can 
> understand this for high traffic-volume instances which has hundreds of 
> UDP connections passing through but half of the instances are mainly 
> idling.
> 
> top - 15:45:14 up 76 days,  7:41,  4 users,  load average: 5.09, 5.40, 5.37
> Tasks: 135 total,   4 running, 131 sleeping,   0 stopped,   0 zombie
> Cpu(s):  8.5%us, 21.4%sy,  0.0%ni, 70.0%id,  0.0%wa,  0.0%hi,  0.0%si,  
> 0.0%st
> Mem:   3961684k total,  3712484k used,   249200k free,   245996k buffers
> Swap:  7815612k total,   282032k used,  7533580k free,   593384k cached
> 
> 
> PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> 
> 23732 suricata  20   0  369m 160m 1588 S   55  4.2  10368:21 suricata
> 23728 suricata  20   0  455m 228m 1484 S   53  5.9  10367:21 suricata
> 14068 suricata  20   0  378m 225m 1600 S   49  5.8  27:37.22 suricata
> 23734 suricata  20   0  832m 545m 1640 R   49 14.1  13311:46 suricata
> 23730 suricata  20   0  408m 237m 1540 S   48  6.1  10373:09 suricata
> 23726 suricata  20   0  477m 310m 1612 S   46  8.0  10383:05 suricata
> 23724 suricata  20   0  789m 589m 1620 S   44 15.2  11698:04 suricata
> 
> Any tips would be appreciated howto tune suricata to better use 
> resources on this hardware. Current config is pretty much suricatas 
> default with most ET signatures enabed.
> 
> Hopefully suricata manual will be out soon! :)
> 
> Yours,
> 
> Aki Heikkinen
> 
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

More information about the Oisf-users mailing list