[Oisf-users] Receive rate dropped
Jose Vila
jovimon at gmail.com
Tue Dec 16 09:28:15 UTC 2014
Hello list,
I'm moving from Snort to Suricata, and I'm getting some problems.
Before I had Snort 2.9.3.1 w/PF_RING 5.5.0, and had to pass parameter
"--daq-var no-kernel-filters=1" to Snort because the packet receive rate
was slowly decreasing to the point of only 1/10 of the traffic being
processed by Snort.
Now with Suricata 2.0.3 and PF_RING 5.5.0 I'm seeing the same behaviour ...
If I count lines of log written to eve.json as Peter Manev does (see [1]),
at Suricata's start I get 2K-5K logs per second, but after a couple of days
I only get 5-20 entries per second. Also, drop counters in stats.log turned
from less than 0.1% to around 10%.
Is there a way to pass this variable (no-kernel-filters) to PF_RING through
Suricata?
Thanks,
Jose Vila.
[1] http://pevma.blogspot.com.es/2014/05/logs-per-second-on-evejson-good-and-bad.html
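
Added example, not part of the original post and not Suricata or PF_RING code: one way to turn the "lines per second in eve.json" measurement described above into a number that can be tracked over days, by bucketing records on their `timestamp` field and comparing the rate at the end of the capture with the rate at its start. The sample lines are constructed, and the timestamp layout (`EVE_TS`) and the helper names are assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

EVE_TS = "%Y-%m-%dT%H:%M:%S.%f%z"  # assumed EVE timestamp layout

def constructed_sample():
    """Constructed eve.json lines: 4, 4, 2, 1, 1 events in five seconds."""
    lines = []
    for sec, n in [(15, 4), (16, 4), (17, 2), (18, 1), (19, 1)]:
        for i in range(n):
            ts = "2014-12-16T09:28:%02d.%06d+0000" % (sec, i)
            lines.append(json.dumps({"timestamp": ts, "event_type": "http"}))
    lines.append('{"timestamp": "2014-12-16T09:28:19.')  # half-written record
    return lines

def events_per_second(lines):
    """Count EVE records per one-second bucket, skipping unparsable lines."""
    counts = Counter()
    for line in lines:
        try:
            ts = json.loads(line)["timestamp"]
            t = datetime.strptime(ts, EVE_TS)
        except (ValueError, KeyError, TypeError):
            continue  # blank, truncated or non-EVE line
        counts[t.replace(microsecond=0)] += 1
    return counts

def rate_ratio(counts, window=2):
    """Events/s in the last `window` seconds divided by the first `window`."""
    if not counts:
        return None
    start, end = min(counts), max(counts)
    if (end - start).total_seconds() + 1 < 2 * window:
        return None  # capture too short for two separate windows
    w = timedelta(seconds=window)
    first = sum(n for s, n in counts.items() if s < start + w) / window
    last = sum(n for s, n in counts.items() if s > end - w) / window
    return last / first

if __name__ == "__main__":
    counts = events_per_second(constructed_sample())
    for sec in sorted(counts):
        print(sec.isoformat(), counts[sec])
    print("late/early rate ratio:", rate_ratio(counts))
```

On a real log, pass the open file object instead of the constructed sample and use a much larger `window` (for example 3600 seconds); a ratio that keeps falling while traffic is steady matches the decline described in the post.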