[Oisf-users] Suricata startup time
Yasha Zislin
coolyasha at hotmail.com
Mon Mar 14 17:29:19 UTC 2016
I am using Suricata 3.0 with a big ruleset of 34578 signatures.
Depending on a sensor (with some config variations), service start up or reload can take up to 30 minutes.
I understand that I have a big ruleset. Also, here is the relative config:

detect-engine:
  - profile: custom
  - custom-values:
      toclient-src-groups: 200
      toclient-dst-groups: 200
      toclient-sp-groups: 200
      toclient-dp-groups: 300
      toserver-src-groups: 200
      toserver-dst-groups: 400
      toserver-sp-groups: 200
      toserver-dp-groups: 250
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000

The longest step occurs on building signature grouping structure, stage 2: building source address list... complete
As far as I understand, changing values in the above config helps improve CPU usage at the expense of RAM.
Does anybody know any way to improve performance with such a ruleset and without increasing packet loss?
Thank you.