[Oisf-users] Performance Issues

Yasha Zislin coolyasha at hotmail.com
Mon Oct 27 16:43:13 UTC 2014

Performance issueHi,
I am having a weird performance issue with Suricata.I have Suricata 2.0.1 running on a beefy server (132gb of RAM, 40 Logical CPUs). It is monitoring two Span ports with mostly HTTP(S) traffic.Each interface approximately has 10 million packets per second throughput. I am using PF_RING to reduce packet loss.Suricata  has been running great. I've tweaked all of the buffers to reduce packet loss to 0%.Recently, I've noticed that number of alerts is way down from normal even with no packet loss. So I've tried restarting Suricata, and alerts went back to normal baseline.I need to find out what is going on. Not sure where to look.Couple of things about my setup:- When Suricata starts, it is using 60 gb of RAM. I've noticed when alert count goes down, memory usage is at 105gb.- After Suricata service restart, it runs for about a day until alert count decreases.- All CPUs are kicking and at no stage does any single CPU gets to 100%.- I have 20 detection threads per interface.- I have 26k ruleset. I know it's big but since I got RAM, I've figured I should be ok.- Here is my stream section of the config:stream:  memcap: 60gb  checksum-validation: no      # reject wrong csums  inline: no                  # auto will use inline mode in IPS mode, yes or no set it statically  prealloc-sessions: 2000000  midstream: false  asyn-oneside: false  reassembly:    memcap: 90gb    depth: 4mb                  # reassemble 1mb into a stream    toserver-chunk-size: 2560    toclient-chunk-size: 2560    randomize-chunk-size: yes    #randomize-chunk-range: 10    #raw: yes    chunk-prealloc: 3000000    segments:      - size: 4        prealloc: 15000      - size: 16        prealloc: 200000      - size: 112        prealloc: 400000      - size: 248        prealloc: 300000      - size: 512        prealloc: 200000      - size: 768        prealloc: 100000      - size: 1448        prealloc: 1000000      - size: 65535        prealloc: 400000Thank you. 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20141027/c1f90c04/attachment.html>

More information about the Oisf-users mailing list