[Oisf-users] Performance Issues
rmkml
rmkml at yahoo.fr
Mon Oct 27 16:58:21 UTC 2014
Hi Yasha,
Sorry I didn't help,
but maybe you could enable wget ET sigs (2007961) and check if it works every hour, for example with a simple 'wget --user-agent="wget 3.0" http://google.com'....
(in my example, don't forget to check $HOME_NET... on this sig)
Do you have the same problem with the latest v2.0.4?
Regards
@Rmkml
On Mon, 27 Oct 2014, Yasha Zislin wrote:
>
> PERFORMANCE ISSUE
>
> Hi,
>
> I am having a weird performance issue with Suricata.
> I have Suricata 2.0.1 running on a beefy server (132gb of RAM, 40 Logical CPUs). It is monitoring two Span ports with mostly HTTP(S) traffic.
> Each interface approximately has 10 million packets per second throughput. I am using PF_RING to reduce packet loss.
> Suricata has been running great. I've tweaked all of the buffers to reduce packet loss to 0%.
> Recently, I've noticed that the number of alerts is way down from normal even with no packet loss. So I've tried restarting Suricata, and alerts went back to the normal baseline.
> I need to find out what is going on. Not sure where to look.
>
> Couple of things about my setup:
> - When Suricata starts, it is using 60 gb of RAM. I've noticed when alert count goes down, memory usage is at 105gb.
> - After Suricata service restart, it runs for about a day until alert count decreases.
> - All CPUs are kicking and at no stage does any single CPU get to 100%.
> - I have 20 detection threads per interface.
> - I have a 26k ruleset. I know it's big but since I got RAM, I've figured I should be ok.
> - Here is my stream section of the config:
> stream:
>   memcap: 60gb
>   checksum-validation: no # reject wrong csums
>   inline: no # auto will use inline mode in IPS mode, yes or no set it statically
>   prealloc-sessions: 2000000
>   midstream: false
>   asyn-oneside: false
>   reassembly:
>     memcap: 90gb
>     depth: 4mb # reassemble 1mb into a stream
>     toserver-chunk-size: 2560
>     toclient-chunk-size: 2560
>     randomize-chunk-size: yes
>     #randomize-chunk-range: 10
>     #raw: yes
>     chunk-prealloc: 3000000
>     segments:
>       - size: 4
>         prealloc: 15000
>       - size: 16
>         prealloc: 200000
>       - size: 112
>         prealloc: 400000
>       - size: 248
>         prealloc: 300000
>       - size: 512
>         prealloc: 200000
>       - size: 768
>         prealloc: 100000
>       - size: 1448
>         prealloc: 1000000
>       - size: 65535
>         prealloc: 400000
>
> Thank you.
>
>
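The hourly canary check suggested in the reply above, as an added example (not code from this thread or from the Suricata project): it reads fast.log-style lines and reports whether the alert for sid 2007961 is still arriving on schedule. The function names, the 70-minute window and the sample log lines are assumptions constructed for illustration; the line layout assumed is Suricata's fast.log output.

```python
import re
from datetime import datetime, timedelta

# Assumed fast.log layout: "MM/DD/YYYY-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ..."
FAST_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]"
)
CANARY_SID = 2007961                      # sid named in the reply above
MAX_AGE = timedelta(hours=1, minutes=10)  # hourly probe plus slack (assumption)

def last_seen(lines, sid=CANARY_SID):
    """Return the timestamp of the newest alert for `sid`, or None."""
    newest = None
    for line in lines:
        m = FAST_RE.match(line)
        if not m or int(m.group(3)) != sid:
            continue  # unparsable line or a different signature
        ts = datetime.strptime(m.group(1), "%m/%d/%Y-%H:%M:%S")
        if newest is None or ts > newest:
            newest = ts
    return newest

def canary_status(lines, now, sid=CANARY_SID, max_age=MAX_AGE):
    """OK if the canary fired recently, STALE if it stopped, MISSING if never seen."""
    seen = last_seen(lines, sid)
    if seen is None:
        return "MISSING"
    return "OK" if now - seen <= max_age else "STALE"

# Constructed sample log: the canary stops firing after 15:00 while other
# alerts continue, which is the "alerts quietly drop" situation in the thread.
SAMPLE = [
    "10/27/2014-14:00:03.120001  [**] [1:2007961:5] constructed canary msg [**] "
    "[Classification: constructed] [Priority: 1] {TCP} 192.0.2.10:40110 -> 198.51.100.7:80",
    "10/27/2014-15:00:02.481516  [**] [1:2007961:5] constructed canary msg [**] "
    "[Classification: constructed] [Priority: 1] {TCP} 192.0.2.10:40112 -> 198.51.100.7:80",
    "truncated line without a timestamp",
    "10/27/2014-17:10:44.000317  [**] [1:9000001:1] constructed other msg [**] "
    "[Classification: constructed] [Priority: 3] {TCP} 192.0.2.33:51515 -> 198.51.100.9:443",
]

if __name__ == "__main__":
    # The probe itself is the wget command from the reply, run hourly from a
    # host whose address matches the signature's $HOME_NET requirement.
    print(canary_status(SAMPLE, now=datetime(2014, 10, 27, 17, 30, 0)))
```

A STALE result with no reported packet loss points at the detection path rather than capture, which is the condition the original post describes.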