[Oisf-users] Suricata 2.1beta3 vs 2.0.7

Yasha Zislin coolyasha at hotmail.com
Fri May 1 19:24:38 UTC 2015


I think I've done that before and it was less than 96% of my RAM.

All memcaps together are equal to 58 gigs (I have 140 gigs total RAM).
Also PFRING utilizes some RAM. When 2.0.7 starts it is using 50% of RAM. After a couple of days it gets to 96% and stays there.

> Date: Fri, 1 May 2015 15:15:31 +0200
> Subject: Re: [Oisf-users] Suricata 2.1beta3 vs 2.0.7
> From: petermanev at gmail.com
> To: coolyasha at hotmail.com
> CC: modversion at gmail.com; oisf-users at lists.openinfosecfoundation.org
> 
> On Fri, May 1, 2015 at 3:05 PM, Yasha Zislin <coolyasha at hotmail.com> wrote:
> > Correct.
> >
> > I've also tried a slightly different version of the config to add MODBUS
> > functionality and change toserver to dp for the ports in application layer
> > detection section of the config file. I've basically compared config that
> > came with the beta version to make sure things are correct and I am not using
> > deprecated stuff. Either way, the same result.
> >
> > It feels like something changed with memory. beta version is only using
> > about 40% of RAM but 2.0.7 is using 96%. It could be the reason for the
> > packet loss on beta.
> 
> So is your memcap sum total in your yaml equal to that 40% or to the
> 96% you are mentioning? (or that is irrelevant?)
> 
> > Just thinking out loud.
> >
> > Thanks.
> >
> >> Date: Fri, 1 May 2015 12:10:40 +0200
> >> Subject: Re: [Oisf-users] Suricata 2.1beta3 vs 2.0.7
> >> From: petermanev at gmail.com
> >> To: coolyasha at hotmail.com
> >> CC: modversion at gmail.com; oisf-users at lists.openinfosecfoundation.org
> >
> >>
> >> On Thu, Apr 30, 2015 at 5:13 PM, Yasha Zislin <coolyasha at hotmail.com>
> >> wrote:
> >> > I am inspecting two span ports. Each has about 15 million packets per
> >> > minute, mostly HTTP. Bandwidth is about 2 Gbps on each.
> >> >
> >> > I've noticed one new message on startup with beta version.
> >> > VLAN disabled, setting cluster type to CLUSTER_FLOW_5_TUPLE
> >> >
> >> > Not sure if this has any effect.
> >> >
> >> >
> >> > ________________________________
> >> > Date: Thu, 30 Apr 2015 23:10:09 +0800
> >> > Subject: Re: [Oisf-users] Suricata 2.1beta3 vs 2.0.7
> >> > From: modversion at gmail.com
> >> > To: coolyasha at hotmail.com
> >> > CC: oisf-users at lists.openinfosecfoundation.org
> >> >
> >> >
> >> > It seems that 2.0.7 works better than 2.1beta3.
> >> > What's the bandwidth you protect by suricata? 10Gbps or 20Gbps?
> >> >
> >> > 2015-04-30 23:00 GMT+08:00 Yasha Zislin <coolyasha at hotmail.com>:
> >> >
> >> > I have tweaked my configuration to have Suricata 2.0.7 run with minimal
> >> > packet loss less than 0.01%. This set up does use a ton of RAM 95% of
> >> > 140GB.
> >> > As soon as I switch to Suricata 2.1beta3 and run it with the same
> >> > config, I
> >> > get 50% packet loss but RAM utilization stays around 50%.
> >> >
> >> > What was changed to have such a big impact?
> >>
> >> Just to confirm - you are running the same Suricata config the only
> >> thing you have changed is suricata from 2.0.7 to 2.1beta3, correct?
> >> (nothing else)
> >>
> >> >
> >> > P.S. I am using PF_RING.
> >> >
> >> > Thanks.
> >> >
> >> > _______________________________________________
> >> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> > Site: http://suricata-ids.org | Support:
> >> > http://suricata-ids.org/support/
> >> > List:
> >> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> > Suricata User Conference November 4 & 5 in Barcelona:
> >> > http://oisfevents.net
> >> >
> >>
> >>
> >>
> >> --
> >> Regards,
> >> Peter Manev
> 
> 
> 
> -- 
> Regards,
> Peter Manev
 		 	   		  