[Oisf-users] Suricata load/latency spikes
Victor Julien
lists at inliniac.net
Mon Jun 29 15:03:42 UTC 2015
On 06/29/2015 05:01 PM, Oliver Humpage wrote:
>
> On 29 Jun 2015, at 14:37, robert.jamison at bt.com wrote:
>
>> The only non-trivial difference in the before and after stats is that dns.memuse increases by a factor of 3x.
>
> That's pretty much what I thought too. But it's still only a tiny amount, so probably not the issue.
>
> I've been using systat to look at PPS, and although sometimes I can see latency increase with PPS, at other times I can see PPS get to nearly 10x above the background average and no ill effects (4k as opposed to normal 0.5k). So it's not purely PPS, and it's not anything stats.log can point at.
>
> I might start commenting out rulesets one at a time to see if any particular sets are causing issues.
>
> If anyone else has any ideas, do shout :)
Enabling packet profiling (configure with --enable-profiling) gives you
a break down of where suricata spends most time in the packet path,
broken down by protocol.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list