[Oisf-users] number of alerts versus performance
Peter Manev
petermanev at gmail.com
Thu Jun 30 15:00:04 UTC 2016
On Thu, 2016-06-30 at 14:41 +0000, Yasha Zislin wrote:
> I have been trying to figure out a packet loss on one of my sensors
> and I am puzzled.
>
> It has 16 gigs of RAM, one quad core AMD CPU, and nic sees about 3
> million packets per minute. Nothing special in my mind. I am using
> PFRING 6.5.0 and Suricata 3.1.
>
> I get about 20% to 40% packet loss. I have another identical server
> which sees the same amount of traffic and maybe some of the same
> traffic as well.
>
> I've been messing around with NIC settings, IRQs, PFRING settings,
> Suricata settings trying to figure out why such a high packet loss.
>
>
> I have just realized one big difference in these two sensors.
> Problematic one gets 2k to 4k of alerts per minute which sounds huge.
>
Any particular sig that is alerting in excess?
> Second one gets like 80 alerts per minute. Both have the same
> rulesets.
>
>
> The difference of course is the home_net variable.
>
>
> Can the fact that Suricata processes more rules due to HOME_NET
> definition cause high performance strain on the server?
>
Yes, HOME_NET size has an effect on performance as well (among other
things). For example -
HOME_NET: "any"
EXTERNAL_NET: "any"
will certainly degrade your performance.
>
> If the packet does not match per HOME_NET, it will be discarded before
> being processed in rules. Correct?
>
> Versus if packet passes HOME_NET check, it would have to go through
> all of the rules, hence cause higher CPU utilization.
>
>
> Thank you for the clarification.
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
--
Regards,
Peter Manev
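Peter's first question, "any particular sig that is alerting in excess?", is the one to answer before touching NIC or PF_RING settings, because 2k-4k alerts per minute from a handful of rules is usually a tuning problem rather than a capture problem. The script below is an added example (not code from the Suricata project or from anyone in this thread): it tallies alert records from Suricata's EVE JSON output per signature and converts the counts into a per-minute rate, so the noisy rule stands out, and it flags the HOME_NET / EXTERNAL_NET combination Peter warns about. It assumes the standard EVE fields (event_type, timestamp, alert.signature_id, alert.signature); the log lines it runs on are constructed samples embedded in the file.

```python
"""Rank Suricata EVE alerts per signature and sanity-check address groups.

Added example, not Suricata project code. Assumes EVE JSON output with one
record per line and the standard fields event_type, timestamp,
alert.signature_id and alert.signature. The sample lines below are
constructed and do not come from a real sensor."""
import json
from collections import Counter
from datetime import datetime

# Suricata writes EVE timestamps as 2016-06-30T14:41:00.000000+0000
EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

# Constructed sample EVE lines: one noisy rule, one quiet rule, a non-alert
# flow record and one malformed line (a truncated write, for instance).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2016-06-30T14:41:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"signature_id":2000001,"rev":1,"signature":"CONSTRUCTED noisy policy rule","category":"Policy"}}',
    '{"timestamp":"2016-06-30T14:41:10.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"192.0.2.10"}',
    '{"timestamp":"2016-06-30T14:41:30.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"192.0.2.10","alert":{"signature_id":2000001,"rev":1,"signature":"CONSTRUCTED noisy policy rule","category":"Policy"}}',
    '{"timestamp":"2016-06-30T14:42:00.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"192.0.2.20","alert":{"signature_id":2000002,"rev":1,"signature":"CONSTRUCTED rare rule","category":"Misc"}}',
    '{"timestamp":"2016-06-30T14:42:30.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"signature_id":2000001,"rev":1,"signature":"CONSTRUCTED noisy policy rule","category":"Policy"}}',
    '{"timestamp":"2016-06-30T14:42:45.000000+0000","event_type":"alert"',
    '{"timestamp":"2016-06-30T14:43:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"signature_id":2000001,"rev":1,"signature":"CONSTRUCTED noisy policy rule","category":"Policy"}}',
]


def parse_eve_alerts(lines):
    """Return (timestamp, sid, signature) tuples for alert records only.

    Non-alert event types (flow, dns, http, ...) and lines that are not
    valid JSON are skipped rather than aborting the whole tally."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert":
            continue
        ts = datetime.strptime(rec["timestamp"], EVE_TS_FORMAT)
        alert = rec.get("alert", {})
        alerts.append((ts, alert.get("signature_id"), alert.get("signature", "")))
    return alerts


def summarize_alerts(lines):
    """Count alerts per signature and express them as alerts per minute.

    The rate divides by the time span between the first and last alert,
    floored at one minute so a single burst cannot divide by zero."""
    alerts = parse_eve_alerts(lines)
    if not alerts:
        return {"total": 0, "span_minutes": 0.0, "per_minute": 0.0, "by_signature": []}
    first = min(a[0] for a in alerts)
    last = max(a[0] for a in alerts)
    span = max((last - first).total_seconds() / 60.0, 1.0)
    counts = Counter((sid, name) for _, sid, name in alerts)
    # most_common() sorts by count descending, so the noisiest rule is first
    by_sig = [(sid, name, n, n / span) for (sid, name), n in counts.most_common()]
    return {
        "total": len(alerts),
        "span_minutes": span,
        "per_minute": len(alerts) / span,
        "by_signature": by_sig,
    }


def check_net_vars(address_groups):
    """Return findings for address-group settings that widen rule matching.

    address_groups is the vars.address-groups mapping from suricata.yaml
    (HOME_NET, EXTERNAL_NET, ...), passed in as a plain dict."""
    findings = []
    home = str(address_groups.get("HOME_NET", "")).strip()
    ext = str(address_groups.get("EXTERNAL_NET", "")).strip()
    if home.lower() == "any":
        findings.append("HOME_NET is 'any': every packet passes the HOME_NET check")
    if ext.lower() == "any":
        findings.append("EXTERNAL_NET is 'any': $EXTERNAL_NET rules match all traffic")
    elif ext and "!$HOME_NET" not in ext:
        findings.append("EXTERNAL_NET does not exclude HOME_NET (expected '!$HOME_NET')")
    return findings


if __name__ == "__main__":
    summary = summarize_alerts(SAMPLE_EVE_LINES)
    print(f"{summary['total']} alerts over {summary['span_minutes']:.1f} min "
          f"({summary['per_minute']:.2f}/min)")
    for sid, name, n, rate in summary["by_signature"]:
        print(f"  sid {sid:<8} {n:>4} alerts  {rate:6.2f}/min  {name}")
    for finding in check_net_vars({"HOME_NET": "any", "EXTERNAL_NET": "any"}):
        print("WARNING:", finding)
```

On a real sensor, run it over the sensor's eve.json instead of SAMPLE_EVE_LINES; a signature that dominates the per-minute column is the first candidate for a threshold or suppress entry, and the two checks in check_net_vars are exactly the "any"/"any" combination Peter names as a performance sink.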