[Oisf-users] Suricata, 10k rules, 10Gbit/sec and lots of RAM

Victor Julien lists at inliniac.net
Tue Dec 8 17:12:03 UTC 2015


On 04-12-15 18:03, Cooper F. Nelson wrote:
> We are running the grouping code branch as well, ~7gbit traffic
> and sampling port 80 flows.  Using groups of 1000.
> 
> Performance so far is very good, currently running 27,568 ETPRO
> signatures.

How does it compare to your normal performance? Are you seeing
differences in memory use, drop rate, etc?

Thanks,
Victor


> On 12/3/2015 4:56 PM, Michal Purzynski wrote:
>> I kind of feel responsible here and should answer this question.
> 
>> The grouping code branch will make it to Suricata post 3.0. Given
>> the new release schedule, this should be quick.
> 
>> I'm testing it on production traffic, more than 20gbit, two
>> sensors (peak, but frequent, long and crazy. Average is between 3
>> to 6gbit/sec).
> 
>> In order to stress the code I run it with even more insane
>> settings, like this
> 
>> detect-engine:
>>   - profile: custom
>>   - custom-values:
>>       toclient-src-groups: 2000
>>       toclient-dst-groups: 2000
>>       toclient-sp-groups: 2000
>>       toclient-dp-groups: 3000
>>       toserver-src-groups: 2000
>>       toserver-dst-groups: 4000
>>       toserver-sp-groups: 2000
>>       toserver-dp-groups: 2500
>>   - sgh-mpm-context: full
>>   - inspection-recursion-limit: 3000
>>   - rule-reload: true
> 
>> Note - do not try this at home. Or work. It kills kittens on 2.x
> 
>> And it just works on the new branch that's yet to be merged :)
> 
>> Note - I have over 16500 rules now.
> 
> 

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------



