[Oisf-users] Multiple detect thread

Victor Julien lists at inliniac.net
Tue Mar 18 11:15:28 UTC 2014

On 03/17/2014 09:29 AM, Victor Serbu wrote:
> I have tested suricata in the following setup:
> PC1 ---- Server(suricata) --- PC2.
> Interfaces of suricata server connected to PC1 and PC2 are part of a
> bridge and suricata was configured in IPS mode using NFQ,
> runmode=autofp and 6 detect threads.
> Then we started an iperf session between PC1 and PC2 and observed that
> one of the Detect threads occupies 100% core time. Can suricata be
> configured to use multiple threads of type detect to analyze a single
> flow?

Currently not really. The 'auto' mode does this, but it's somewhat
unreliable wrt alert accuracy due to timing issues. Autofp and workers
both have the stream engine and detection engine in the same thread and
flow balancing makes sure that a flow is pinned on a specific thread.

Perhaps we can try adding a mode where the output (logs) are in their
own thread, but I'm not sure if that gains us much.

The runmodes are defined in code, so there is no easy way to experiment
with it currently.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
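The pinning behaviour Victor describes (one flow always lands on one thread, so a single iperf stream saturates one core while the other detect threads idle) can be illustrated with a small model. This is an added example, not code from the thread or from Suricata; the 5-tuple hashing scheme, the thread count, the IP addresses and ports are all assumptions chosen for illustration and do not reproduce Suricata's actual flow hash.

```python
"""Simplified model of symmetric flow-to-thread pinning (added example, not
Suricata's own code). Packets are constructed inline; the hash and the
thread count are assumptions for illustration only."""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # 6 = TCP, 17 = UDP


def flow_key(pkt):
    """Direction-independent 5-tuple: both halves of a TCP conversation
    (PC1->PC2 data and PC2->PC1 ACKs) must map to the same thread, or the
    stream engine could not reassemble the flow in one place."""
    a = (pkt.src_ip, pkt.src_port)
    b = (pkt.dst_ip, pkt.dst_port)
    lo, hi = sorted([a, b])
    return (lo, hi, pkt.proto)


def pick_thread(pkt, n_threads):
    """Assumed balancing function: hash of the symmetric 5-tuple mod threads."""
    key = "|".join(map(str, flow_key(pkt))).encode()
    h = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    return h % n_threads


def thread_load(packets, n_threads):
    """Number of packets each detect thread would have to process."""
    counts = Counter(pick_thread(p, n_threads) for p in packets)
    return [counts.get(i, 0) for i in range(n_threads)]


def iperf_single_stream(n_packets):
    """Constructed traffic: one TCP stream PC1:40000 -> PC2:5201 with
    ACKs flowing back the other way."""
    pkts = []
    for i in range(n_packets):
        if i % 2 == 0:
            pkts.append(Packet("10.0.0.1", "10.0.0.2", 40000, 5201, 6))
        else:
            pkts.append(Packet("10.0.0.2", "10.0.0.1", 5201, 40000, 6))
    return pkts


def iperf_parallel_streams(n_streams, packets_per_stream):
    """Constructed traffic: n_streams TCP streams from distinct source ports
    (what `iperf -P n_streams` would generate)."""
    pkts = []
    for s in range(n_streams):
        sport = 40000 + s
        for i in range(packets_per_stream):
            if i % 2 == 0:
                pkts.append(Packet("10.0.0.1", "10.0.0.2", sport, 5201, 6))
            else:
                pkts.append(Packet("10.0.0.2", "10.0.0.1", 5201, sport, 6))
    return pkts


def busy_threads(load):
    """How many threads received any work at all."""
    return sum(1 for c in load if c > 0)


if __name__ == "__main__":
    n_threads = 6  # assumption, matching the 6 detect threads in the question
    single = thread_load(iperf_single_stream(10_000), n_threads)
    parallel = thread_load(iperf_parallel_streams(60, 200), n_threads)
    print("single stream per-thread load:  ", single, "busy:", busy_threads(single))
    print("60 parallel streams per-thread load:", parallel, "busy:", busy_threads(parallel))
```

With one stream every packet, in both directions, hashes to the same thread, so that thread carries 100% of the work no matter how many detect threads are configured. Only more flows (for example `iperf -P` with several parallel streams) spread the load, which is why more detect threads do not help a single-flow benchmark in autofp or workers mode.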
