[Oisf-users] Suricata load/latency spikes

Oliver Humpage oliver at watershed.co.uk
Mon Jun 29 19:53:59 UTC 2015

On 29 Jun 2015, at 18:29, <robert.jamison at bt.com> wrote:

> My suspicion is, (and this is really just instinct) that there is a latency caused by something in the DNS side of things,

Would a good way to test that be to disable the DNS rules and decoder in suricata.yaml and see what happens? I'm assuming suricata doesn't do DNS lookups itself (just GeoIP possibly).

Thinking about it, this router is on a new connection, and all DNS traffic should still be going to our old DNS servers on the old connection, so there should be roughly no DNS traffic at all. I'll check the pcap for port 53 tomorrow.

Also, on either side of this IPS are instances of pf that are scrubbing/cleaning/reassembling the traffic, so suricata should be getting a pretty clean feed. I can't see any evidence of SYN floods, but I might switch on pf's synproxy to make sure.

In my investigations today I've found that although the worst/longest-lived problems only happen twice a day, short bursts of high latency are happening many times an hour. I've got a script running that says if 3 pings in a row to the neighbouring router take more than 100ms each, take a pcap of the next few thousand packets, and it's triggering on average every ~10 minutes. I suppose that might miss the actual traffic that causes the problem; maybe I'll take constant pcap snapshots and tag the ones that occur as a spike happens...
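
A latency-triggered capture of the kind described above, written here as an added example; it is not Oliver's script and not part of the Suricata project. It assumes a neighbouring router reachable as ROUTER_IP, a capture interface IFACE, and iputils ping on Linux (the `-O` flag that reports lost replies is iputils-specific; BSD ping prints "Request timeout" instead, which the classifier also accepts). A lost reply is counted as a slow probe, since it is worse than a slow one, and the ping banner and summary lines neither count nor reset the streak.

```shell
#!/bin/sh
# Added example: trigger a packet capture after N consecutive slow pings.
# Assumptions (not from the original message): ROUTER_IP, IFACE, and that
# ping/tcpdump are on PATH with capture privileges.

ROUTER_IP="${ROUTER_IP:-192.0.2.1}"     # assumed; documentation address
IFACE="${IFACE:-eth0}"                  # assumed capture interface
THRESHOLD_MS="${THRESHOLD_MS:-100}"     # "more than 100ms"
CONSECUTIVE="${CONSECUTIVE:-3}"         # "3 pings in a row"
PACKETS="${PACKETS:-5000}"              # "next few thousand packets"
OUTDIR="${OUTDIR:-/var/tmp/latency-pcaps}"

# Classify one line of ping output.
# Exit status: 0 = slow probe (RTT > THRESHOLD_MS, or a lost reply)
#              1 = fast probe
#              2 = not a probe line (banner, statistics, blank)
classify() {
    line="$1"
    case "$line" in
        *" time="*)
            t="${line##*time=}"     # "123.4 ms"
            t="${t%% *}"            # "123.4"
            t="${t%%.*}"            # "123" (integer ms is enough here)
            [ "$t" -gt "$THRESHOLD_MS" ] && return 0
            return 1
            ;;
        *"no answer yet"*|*"Request timeout"*)
            return 0                # lost reply: treat as slow
            ;;
        *)
            return 2
            ;;
    esac
}

# Advance the consecutive-slow counter and print the new value.
# $1 = current streak, $2 = classify() exit status for the latest line.
next_streak() {
    case "$2" in
        0) echo $(( $1 + 1 )) ;;    # slow: extend the streak
        1) echo 0 ;;                # fast: reset
        *) echo "$1" ;;             # non-probe line: unchanged
    esac
}

# Grab the next $PACKETS packets into a timestamped pcap.
# -n avoids name lookups so the capture itself adds no DNS traffic;
# -s 0 keeps full packets. Blocks until the count is reached.
capture() {
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$OUTDIR/spike-$stamp.pcap"
    tcpdump -i "$IFACE" -n -s 0 -c "$PACKETS" -w "$out" 2>/dev/null
    printf 'spike at %s: wrote %s\n' "$stamp" "$out" >&2
}

# Main loop: one probe per second, read ping's output line by line.
# If ping buffers its output when piped, wrap it in `stdbuf -oL`.
monitor() {
    mkdir -p "$OUTDIR"
    streak=0
    ping -i 1 -W 1 -O "$ROUTER_IP" | while IFS= read -r line; do
        classify "$line"
        st=$?
        streak=$(next_streak "$streak" "$st")
        if [ "$streak" -ge "$CONSECUTIVE" ]; then
            capture
            streak=0    # start over after a capture
        fi
    done
}

# Only start probing when asked, so the functions can be sourced on their own.
if [ "${1:-}" = "--run" ]; then
    monitor
fi
```

Run it as `ROUTER_IP=... IFACE=... sh latency-capture.sh --run` under an account that can open the interface. Because tcpdump runs in the foreground, ping replies that arrive during the capture queue up in the pipe and are classified afterwards, so a long spike may produce a second capture immediately; background the tcpdump call if overlapping captures are acceptable.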


