[Oisf-users] Performance Issues

rmkml rmkml at yahoo.fr
Mon Oct 27 16:58:21 UTC 2014


Hi Yasha,

Sorry I didn't help,

but maybe you could enable the wget ET sig (2007961) and check if it works every hour, for example with a simple 'wget --user-agent="wget 3.0" http://google.com'....
(in my example, don't forget to check $HOME_NET... on this sig)

Do you have the same problem with the latest v2.0.4?

Regards
@Rmkml


On Mon, 27 Oct 2014, Yasha Zislin wrote:

> 
> PERFORMANCE ISSUE
> 
> Hi,
> 
> I am having a weird performance issue with Suricata.
> I have Suricata 2.0.1 running on a beefy server (132gb of RAM, 40 Logical CPUs). It is monitoring two Span ports with mostly HTTP(S) traffic.
> Each interface approximately has 10 million packets per second throughput. I am using PF_RING to reduce packet loss.
> Suricata has been running great. I've tweaked all of the buffers to reduce packet loss to 0%.
> Recently, I've noticed that the number of alerts is way down from normal even with no packet loss. So I've tried restarting Suricata, and alerts went back to normal baseline.
> I need to find out what is going on. Not sure where to look.
> 
> Couple of things about my setup:
> - When Suricata starts, it is using 60 gb of RAM. I've noticed when alert count goes down, memory usage is at 105gb.
> - After Suricata service restart, it runs for about a day until alert count decreases.
> - All CPUs are kicking and at no stage does any single CPU get to 100%.
> - I have 20 detection threads per interface.
> - I have 26k ruleset. I know it's big but since I got RAM, I've figured I should be ok.
> - Here is my stream section of the config:
> stream:
>   memcap: 60gb
>   checksum-validation: no      # reject wrong csums
>   inline: no                  # auto will use inline mode in IPS mode, yes or no set it statically
>   prealloc-sessions: 2000000
>   midstream: false
>   asyn-oneside: false
>   reassembly:
>     memcap: 90gb
>     depth: 4mb                  # reassemble 1mb into a stream
>     toserver-chunk-size: 2560
>     toclient-chunk-size: 2560
>     randomize-chunk-size: yes
>     #randomize-chunk-range: 10
>     #raw: yes
>     chunk-prealloc: 3000000
>     segments:
>       - size: 4
>         prealloc: 15000
>       - size: 16
>         prealloc: 200000
>       - size: 112
>         prealloc: 400000
>       - size: 248
>         prealloc: 300000
>       - size: 512
>         prealloc: 200000
>       - size: 768
>         prealloc: 100000
>       - size: 1448
>         prealloc: 1000000
>       - size: 65535
>         prealloc: 400000
> 
> Thank you.
> 
>
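
The hourly canary check suggested in the reply above can be automated by scanning Suricata's fast.log for the canary SID and reporting any stretch where it stopped alerting. This is an added example, not code from the thread or from the Suricata project; the function names, the 5-minute grace period and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# fast.log line layout: "MM/DD/YYYY-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ..."
FAST_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]")

CANARY_SID = 2007961            # wget signature named in the message above
INTERVAL = timedelta(hours=1)   # canary request is sent hourly (e.g. from cron)
GRACE = timedelta(minutes=5)    # assumed tolerance for cron jitter and log flush

def canary_times(lines, sid=CANARY_SID):
    """Return sorted timestamps of every fast.log alert for the canary SID."""
    times = []
    for line in lines:
        m = FAST_RE.match(line)
        if m and int(m.group(2)) == sid:
            times.append(datetime.strptime(m.group(1), "%m/%d/%Y-%H:%M:%S"))
    return sorted(times)

def missed_windows(lines, start, end, sid=CANARY_SID):
    """Return (gap_start, gap_end) pairs inside [start, end] where the
    canary alert did not arrive within INTERVAL + GRACE of the previous one."""
    gaps, prev = [], start
    seen = [t for t in canary_times(lines, sid) if start <= t <= end]
    for t in seen + [end]:
        if t - prev > INTERVAL + GRACE:
            gaps.append((prev, t))
        prev = t
    return gaps

# Constructed sample: canary fires at 10:00, 11:00, 12:00, then goes silent
# until 15:00 while an unrelated signature still alerts in between.
TAIL = "[**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:41000 -> 198.51.100.7:80"
SAMPLE_FAST_LOG = [
    f"10/27/2014-10:00:02.104211  [**] [1:2007961:5] canary (constructed) {TAIL}",
    f"10/27/2014-11:00:03.220145  [**] [1:2007961:5] canary (constructed) {TAIL}",
    f"10/27/2014-12:00:02.871003  [**] [1:2007961:5] canary (constructed) {TAIL}",
    f"10/27/2014-13:30:40.000123  [**] [1:9999999:1] unrelated (constructed) {TAIL}",
    f"10/27/2014-15:00:04.415990  [**] [1:2007961:5] canary (constructed) {TAIL}",
]
START = datetime(2014, 10, 27, 10, 0, 0)
END = datetime(2014, 10, 27, 16, 0, 0)

if __name__ == "__main__":
    for gap_start, gap_end in missed_windows(SAMPLE_FAST_LOG, START, END):
        print(f"canary SID {CANARY_SID} silent from {gap_start} to {gap_end}")
```

A silent window while other signatures still fire points at the sensor's detection state rather than at the canary host, which matches the symptom described in the quoted message.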

