[Oisf-users] Suricata performance in parallel instances!!!

Anoop Saldanha poonaatsoc at gmail.com
Sun Jun 19 08:21:07 UTC 2011

On Thu, Jun 2, 2011 at 11:39 AM, Abhishek Sharma <abhisheksharma84 at gmail.com> wrote:

> Hi Team,
> Firstly, I am mighty pleased and impressed with this tool!!! way better
> than snort!!
> What I am trying to achieve here is to parse pcap files at the rate of 500
> MB Pcaps / Second. I have pcaps of the size of 1 GB available with me. I
> have close to 50 rules only. All TCP. Now, if I parse one file with Suricata
> it takes me approximately 3.5 seconds to do so. I am using a 24 core server
> with 47 GB RAM. I am running Ubuntu 10 platform. I believe the machine is
> strong enough.
> Now 3.5 secs for 1 GB file is good...no denying. But I have to achieve a
> speed of 500 Mbps and for that I have to parse a file in under 2 seconds. So
> what I did was to run two instances of Suricata in parallel (assuming two
> instances should finish in 3.5 seconds as its a fairly strong machine), but
> to my surprise (and dismay), it took me 7 seconds to process!!! for 3
> instances it takes close to 9 secs!! So basically running an instance in
> parallel just adds up the time. I don't understand this. I have disabled all
> logging...Tried all search algorithms...played with the multithreading
> concept but its not helping either....
> Please help this is my only hope...any suggestions are most appreciated...
> Cheers!
> Abhi
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Try setting max-pending-packets (in the yaml file) to something like 5k-10k

Anoop Saldanha
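The setting named in the reply lives in suricata.yaml. The fragment below is an added example for this archive page, not the original poster's file and not a snippet from the thread; the values are illustrative, and the comment about the poster's multi-instance setup is an assumption, not something the thread confirms.

```yaml
# Added example (not from the thread): the suricata.yaml keys the reply refers to.
# Numbers are illustrative; tune them for your own hardware.

# Weak setting: the 1.x suricata.yaml shipped with a conservative default
# ("Default is a conservative 50"), which leaves the detect threads waiting
# while a pcap is read from disk as fast as it can be delivered.
# max-pending-packets: 50

# What the reply suggests: allow a few thousand packets in flight at once.
# Each pending packet holds its own buffer, so memory use grows linearly
# with this value; 5000-10000 is still small on a 47 GB box.
max-pending-packets: 10000

threading:
  # Assumption about the original poster's setup, not stated in the thread:
  # every Suricata instance spawns its own detect threads (cores x ratio).
  # Three instances on a 24-core server would then oversubscribe the CPUs,
  # so either lower this ratio per instance or pin each instance to a
  # disjoint set of cores with set-cpu-affinity and a cpu-affinity list.
  set-cpu-affinity: no
  detect-thread-ratio: 1.5
```

Change one key at a time and re-time the same 1 GB pcap with `suricata -c suricata.yaml -r file.pcap` so the effect of max-pending-packets can be separated from the effect of thread count.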