[Oisf-users] more tuning....
Peter Manev
petermanev at gmail.com
Thu Aug 21 19:10:21 UTC 2014
On Thu, Aug 21, 2014 at 6:58 AM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> If you are using workers mode you should run it on all cores regardless.
>
> On 8/20/2014 9:55 PM, Russell Fulton wrote:
>>
>> On 21/08/2014, at 2:24 pm, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>>
>>> Top shows
>>>
>>> Cpu10 : 44.0%us, 13.9%sy, 1.8%ni, 36.6%id, 0.0%wa, 0.0%hi, 3.7%si, 0.0%st
>>> Cpu11 : 65.6%us, 7.7%sy, 1.4%ni, 20.0%id, 0.0%wa, 0.0%hi, 5.3%si, 0.0%st
>>> Cpu12 : 1.7%us, 1.7%sy, 92.7%ni, 0.7%id, 0.0%wa, 0.0%hi, 3.3%si, 0.0%st
>>> Cpu13 : 95.0%us, 0.3%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 4.7%si, 0.0%st
>>> Cpu14 : 93.4%us, 0.7%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 6.0%si, 0.0%st
>>> Cpu15 : 94.0%us, 0.7%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 5.3%si, 0.0%st
>>
>> Apologies, my bad!
>>
>> I was looking at the wrong config file, or more precisely I modified it on the puppet server and for various reasons it failed to get pushed to the sensor.
>>
How many rules do you load?
What is the output of:
cat /proc/net/pf_ring/info
You could try those and see if there is any difference, for starters:
http://pastebin.com/A6KM4Mi3
(these are in mixed order, so please substitute in your yaml the
values - do not copy/paste :) )
Could you please share your suricata.yaml (without your networks) at a
pastebin or something similar? I suspect it will be easier to
troubleshoot.
Thanks
--
Regards,
Peter Manev