[Oisf-users] high cpu loads running multiple suricata instances

Will Metcalf william.metcalf at gmail.com
Wed Jul 21 01:45:22 UTC 2010


> Suricata is running inline as IPS, on a multirouting linux
> firewall/router which has many internal networks behind it (vlans over
> trunked gigabit connections to core switches, WANs directly connected to
> two separate dual fast ethernet cards). Mainly just cleaning up LANs <->
> WANs, open WLAN <-> WANs and WANs <-> DMZs traffic, also some internal
> traffic is screened. Iow, very different configs, hard to see how this
> could be achieved with single suricata running.

Ok I suggest you create your own runmode then, until we can make this
more configurable at run time. See runmodes.{c,h}

> Setup was originally made for multiple snort_inline instances, and
> suricata is now running as a drop-in-replacement until can make some
> time for larger system revamp (maybe next summer). Suricata instances
> are not tied to cores and are taxing CPUs heavily which is not ideal,
> but end-user experience is better - pages from internet and DMZs load
> quicker. Internal non-nfqueued traffic is flowing without hickups,
> kernel scheduler should give precedence over userspace applications anyway.

> I realize it's not intended way to use suricata but it sure works. Could
> tune it though as the basic setup seems solid.
>
> Still at a loss why idle instances (not a single packet through nfqueue)
> eat up CPU cycles so viciously.

Do you see this with one suricata process? There are management
functions etc that have a small amount of overhead but I don't see the
behavior you speak of locally. Maybe if you could provide some more
details (offline perhaps) we could further assist you. Although I
can't think that having 120 detect threads (default thread ratio)
across 10 disparate suricata processes is helping any ;-)

Regards,

Will
