[Oisf-users] high cpu loads running multiple suricata instances
Aki Heikkinen
aki.heikkinen at kuusisolutions.fi
Tue Jul 20 22:33:32 UTC 2010
I'll try to combine a bit longer answer to many questions my email
brought up:
Suricata is running inline as IPS, on a multirouting linux
firewall/router which has many internal networks behind it (vlans over
trunked gigabit connections to core switches, WANs directly connected to
two separate dual fast ethernet cards). Mainly just cleaning up LANs <->
WANs, open WLAN <-> WANs and WANs <-> DMZs traffic, also some internal
traffic is screened. IOW, very different configs, hard to see how this
could be achieved with a single suricata running.
Setup was originally made for multiple snort_inline instances, and
suricata is now running as a drop-in replacement until I can make some
time for a larger system revamp (maybe next summer). Suricata instances
are not tied to cores and are taxing CPUs heavily which is not ideal,
but end-user experience is better - pages from internet and DMZs load
quicker. Internal non-nfqueued traffic is flowing without hiccups,
kernel scheduler should give precedence over userspace applications anyway.
I realize it's not the intended way to use suricata but it sure works. Could
tune it though as the basic setup seems solid.
Still at a loss why idle instances (not a single packet through nfqueue)
eat up CPU cycles so viciously.
Yours,
Aki
On 07/20/2010 04:20 PM, Victor Julien wrote:
> What made you decide to run multiple instances? Suricata is
> multi-threaded so it will use all your cores with a single instance as
> well. That should reduce the overhead of the "management" threads, most
> importantly the flow manager.
>
> Cheers,
> victor
>
> Aki Heikkinen wrote:
>
>> Hi,
>>
>> We're running 7 to 10 suricata 1.0 instances on old 2,7GHz quad
>> processor xeon server (with hyperthreading so OS sees 8 cores), used to
>> run snort_inline on same hardware (snort_inline instances attached to
>> different cores). Suricata instances suck up cpu cycles. I can
>> understand this for high traffic-volume instances which have hundreds of
>> UDP connections passing through but half of the instances are mainly
>> idling.
>>
>> top - 15:45:14 up 76 days, 7:41, 4 users, load average: 5.09, 5.40, 5.37
>> Tasks: 135 total, 4 running, 131 sleeping, 0 stopped, 0 zombie
>> Cpu(s): 8.5%us, 21.4%sy, 0.0%ni, 70.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
>> Mem: 3961684k total, 3712484k used, 249200k free, 245996k buffers
>> Swap: 7815612k total, 282032k used, 7533580k free, 593384k cached
>>
>>
>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
>>
>> 23732 suricata 20 0 369m 160m 1588 S 55 4.2 10368:21 suricata
>> 23728 suricata 20 0 455m 228m 1484 S 53 5.9 10367:21 suricata
>> 14068 suricata 20 0 378m 225m 1600 S 49 5.8 27:37.22 suricata
>> 23734 suricata 20 0 832m 545m 1640 R 49 14.1 13311:46 suricata
>> 23730 suricata 20 0 408m 237m 1540 S 48 6.1 10373:09 suricata
>> 23726 suricata 20 0 477m 310m 1612 S 46 8.0 10383:05 suricata
>> 23724 suricata 20 0 789m 589m 1620 S 44 15.2 11698:04 suricata
>>
>> Any tips would be appreciated on how to tune suricata to better use
>> resources on this hardware. Current config is pretty much suricata's
>> default with most ET signatures enabled.
>>
>> Hopefully suricata manual will be out soon! :)
>>
>> Yours,
>>
>> Aki Heikkinen
>>
--
--------------------------------------------------------------------------
Aki Heikkinen
Systems Specialist
KuusiSolutions
+358 40 7653740
www.kuusisolutions.fi