[Oisf-users] high cpu loads running multiple suricata instances

Brant Wells bwells at tfc.edu
Tue Jul 20 13:29:38 UTC 2010


Aki,

Are you monitoring one network interface per Suricata instance?

It seems like an old security appliance that my company used had a single
instance of snort running for each interface on the box.

~Brant

On Tue, Jul 20, 2010 at 9:14 AM, Aki Heikkinen <aki.heikkinen at kuusisolutions.fi> wrote:

> Hi,
>
> We're running 7 to 10 suricata 1.0 instances on an old 2,7GHz quad
> processor xeon server (with hyperthreading so OS sees 8 cores), used to
> run snort_inline on same hardware (snort_inline instances attached to
> different cores). Suricata instances suck up cpu cycles. I can
> understand this for high traffic-volume instances which have hundreds of
> UDP connections passing through but half of the instances are mainly
> idling.
>
> top - 15:45:14 up 76 days,  7:41,  4 users,  load average: 5.09, 5.40, 5.37
> Tasks: 135 total,   4 running, 131 sleeping,   0 stopped,   0 zombie
> Cpu(s):  8.5%us, 21.4%sy,  0.0%ni, 70.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
> Mem:   3961684k total,  3712484k used,   249200k free,   245996k buffers
> Swap:  7815612k total,   282032k used,  7533580k free,   593384k cached
>
>
> PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>
> 23732 suricata  20   0  369m 160m 1588 S   55  4.2  10368:21 suricata
> 23728 suricata  20   0  455m 228m 1484 S   53  5.9  10367:21 suricata
> 14068 suricata  20   0  378m 225m 1600 S   49  5.8  27:37.22 suricata
> 23734 suricata  20   0  832m 545m 1640 R   49 14.1  13311:46 suricata
> 23730 suricata  20   0  408m 237m 1540 S   48  6.1  10373:09 suricata
> 23726 suricata  20   0  477m 310m 1612 S   46  8.0  10383:05 suricata
> 23724 suricata  20   0  789m 589m 1620 S   44 15.2  11698:04 suricata
>
> Any tips would be appreciated on how to tune suricata to better use
> resources on this hardware. Current config is pretty much suricata's
> default with most ET signatures enabled.
>
> Hopefully suricata manual will be out soon! :)
>
> Yours,
>
> Aki Heikkinen