[Oisf-users] Suricata, 10k rules, 10Gbit/sec and lots of RAM

Cooper F. Nelson cnelson at ucsd.edu
Tue Dec 8 18:07:10 UTC 2015



Hey Victor!

Performance is better, but not overwhelmingly so.  We can now run the
full ETPRO subscription with mostly double-digit idle times (as
displayed in top).  This was a long-time goal of mine.  Drop rate is
identical (under .5% over a week).

If you wanted a scientific analysis I would think the right thing to do
would be to record some traffic and then run it in offline mode with the
performance counters enabled.  Unfortunately this isn't something we can
do in our current configuration.

Memory use is a little higher, however we are running a somewhat unique
configuration regarding flow tracking.  %MEM does seem to be growing
slightly over time, by about 1% a day.

As an aside, I saw this on one of the programming boards I monitor.  Do
you think it would be possible to implement any of these techniques
within Suricata's Boyer-Moore implementation (assuming they aren't already)?

> https://lists.freebsd.org/pipermail/freebsd-current/2010-August/019310.html

-Coop

On 12/8/2015 9:12 AM, Victor Julien wrote:
> How does it compare to your normal performance? Are you seeing
> differences in memory use, drop rate, etc?
> 
> Thanks,
> Victor


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
