[Oisf-users] Performance Issues
Yasha Zislin
coolyasha at hotmail.com
Mon Oct 27 16:43:13 UTC 2014
Hi,

I am having a weird performance issue with Suricata. I have Suricata 2.0.1 running on a beefy server (132gb of RAM, 40 Logical CPUs). It is monitoring two Span ports with mostly HTTP(S) traffic. Each interface approximately has 10 million packets per second throughput. I am using PF_RING to reduce packet loss.

Suricata has been running great. I've tweaked all of the buffers to reduce packet loss to 0%. Recently, I've noticed that the number of alerts is way down from normal even with no packet loss. So I've tried restarting Suricata, and alerts went back to normal baseline. I need to find out what is going on. Not sure where to look.

Couple of things about my setup:
- When Suricata starts, it is using 60 gb of RAM. I've noticed when alert count goes down, memory usage is at 105gb.
- After Suricata service restart, it runs for about a day until alert count decreases.
- All CPUs are kicking and at no stage does any single CPU get to 100%.
- I have 20 detection threads per interface.
- I have 26k ruleset. I know it's big but since I got RAM, I've figured I should be ok.
- Here is my stream section of the config:

stream:
  memcap: 60gb
  checksum-validation: no      # reject wrong csums
  inline: no                   # auto will use inline mode in IPS mode, yes or no set it statically
  prealloc-sessions: 2000000
  midstream: false
  asyn-oneside: false
  reassembly:
    memcap: 90gb
    depth: 4mb                 # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10
    #raw: yes
    chunk-prealloc: 3000000
    segments:
      - size: 4
        prealloc: 15000
      - size: 16
        prealloc: 200000
      - size: 112
        prealloc: 400000
      - size: 248
        prealloc: 300000
      - size: 512
        prealloc: 200000
      - size: 768
        prealloc: 100000
      - size: 1448
        prealloc: 1000000
      - size: 65535
        prealloc: 400000

Thank you.