[Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?
Leonard Jacobs
ljacobs at netsecuris.com
Wed Jul 10 09:51:09 UTC 2013
We actually had problems with offloading enabled. We had our SSL VPN have issues such as slowness when offloading enabled on our Suricata system while af-packer IPS turned on. As soon as we disabled network interface offloading, the problem disappeared.
-----Original Message-----
From: oisf-users-bounces at openinfosecfoundation.org [mailto:oisf-users-bounces at openinfosecfoundation.org] On Behalf Of Peter Manev
Sent: Wednesday, July 10, 2013 1:47 AM
To: Cooper F. Nelson
Cc: oisf-users
Subject: Re: [Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?
>> Something similar happened to our testing machine but htere we fixed
>> it with loading the latest kernel drivers for the network card and
>> doing a " /etc/init.d/irqbalance restart "
>> and load balancing the UDP flow again - "
>> ethtool -n eth3 rx-flow-hash udp4
>> ethtool -g eth3
>> cat /proc/interrupts
>> "
>> on Ubuntu LTS - 3.2 kernel
>
> Question along those lines, what do the suricata devs feel about the
> various NIC offloading features re: interaction with suricata?
These, I think should be OFF in general. Suricata must be able to see the traffic as it is.
Again , if I may, irqbalance and udp balancing are very important.
>
> See: >
> http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-
> not-full.html
>
> I had these features disabled as per this article; but I've re-enabled
> them for testing.
>
> - -Coop
>
--
Regards,
Peter Manev
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/
More information about the Oisf-users
mailing list