[Oisf-users] Suricata startup time

Peter Manev petermanev at gmail.com
Tue Mar 15 15:47:33 UTC 2016


On Mon, Mar 14, 2016 at 10:29 AM, Yasha Zislin <coolyasha at hotmail.com> wrote:
> I am using Suricata 3.0 with a big ruleset of 34578 signatures.
> Depending on a sensor (with some config variations) service start up or
> reload can take up to 30 minutes.
> I understand that I have big ruleset. Also here is the relative config:
> detect-engine:
>   - profile: custom
>   - custom-values:
>       toclient-src-groups: 200
>       toclient-dst-groups: 200
>       toclient-sp-groups: 200
>       toclient-dp-groups: 300
>       toserver-src-groups: 200
>       toserver-dst-groups: 400
>       toserver-sp-groups: 200
>       toserver-dp-groups: 250
>   - sgh-mpm-context: auto
>   - inspection-recursion-limit: 3000
>
> The longest step occurs on
>  building signature grouping structure, stage 2: building source address
> list... complete
>
> As far as I understand changing values in the above config helps improve CPU
> usage at the expense of RAM.
>
> Does anybody know any way to improve performance with such ruleset and
> without increasing packet loss?
>

This is a known issue in certain conditions that has been addressed in
this branch (soon to make it to stable) -
https://github.com/inliniac/suricata/tree/dev-detect-grouping-v185

Definitely worth a try! :)


> Thank you.
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net



-- 
Regards,
Peter Manev
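To put a number on the startup-time problem discussed above (and to check whether a change such as the grouping tweaks or the dev-detect-grouping branch actually helps), it is useful to measure how long each signature-grouping stage takes from suricata.log. The following script is an added example, not code from the thread or from the Suricata project; it assumes the timestamped "<Info>" log line format Suricata used at the time, and the sample log lines are constructed for illustration, not taken from any real sensor.

```python
import re
from datetime import datetime

# Constructed sample of suricata.log lines (not from the original thread).
# Format assumed: "D/M/YYYY -- HH:MM:SS - <Level> - message".
SAMPLE_LOG = """\
14/3/2016 -- 10:00:00 - <Info> - Loading rule files...
14/3/2016 -- 10:01:20 - <Info> - 1 rule files processed. 34578 rules successfully loaded, 0 rules failed
14/3/2016 -- 10:01:25 - <Info> - building signature grouping structure, stage 1: preprocessing rules... complete
14/3/2016 -- 10:27:40 - <Info> - building signature grouping structure, stage 2: building source address list... complete
14/3/2016 -- 10:29:05 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
14/3/2016 -- 10:29:40 - <Info> - building signature grouping structure, stage 4: building port lists... complete
14/3/2016 -- 10:29:41 - <Info> - all 8 packet processing threads, 4 management threads initialized, engine started.
"""

LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2}) - <\w+> - (.*)$")
STAGE_RE = re.compile(r"building signature grouping structure, (stage \d+: .*?)\.\.\. complete")


def parse_log(text):
    """Yield (timestamp, message) pairs for every line that matches the log format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not timestamped log records
        ts = datetime.strptime(m.group(1), "%d/%m/%Y -- %H:%M:%S")
        events.append((ts, m.group(2)))
    return events


def stage_durations(text):
    """Return {milestone: seconds} measured from the previous milestone.

    Milestones are: rule loading (from "Loading rule files..." to the
    "rules successfully loaded" line), each "stage N: ..." completion, and
    "total startup" (first record to "engine started")."""
    events = parse_log(text)
    if not events:
        return {}
    durations = {}
    start_ts = events[0][0]
    prev_ts = None
    for ts, msg in events:
        if msg.startswith("Loading rule files"):
            prev_ts = ts
        elif "rules successfully loaded" in msg and prev_ts is not None:
            durations["rule loading"] = (ts - prev_ts).total_seconds()
            prev_ts = ts
        elif (m := STAGE_RE.search(msg)) and prev_ts is not None:
            durations[m.group(1)] = (ts - prev_ts).total_seconds()
            prev_ts = ts
        elif "engine started" in msg:
            durations["total startup"] = (ts - start_ts).total_seconds()
    return durations


def slowest_stage(durations):
    """Name of the longest grouping stage (ignores the aggregate 'total startup')."""
    stages = {k: v for k, v in durations.items() if k.startswith("stage ")}
    return max(stages, key=stages.get) if stages else None


if __name__ == "__main__":
    # Typical use: python3 this_script.py < /var/log/suricata/suricata.log
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for name, secs in stage_durations(text).items():
        print(f"{name:45s} {secs:8.0f} s")
    print("slowest:", slowest_stage(stage_durations(text)))
```

Run it once before and once after changing the custom-values groups (or switching to the new grouping branch) and compare the per-stage numbers; on the constructed sample, stage 2 accounts for roughly 26 of the 30 minutes, which matches the symptom reported above.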
