[Oisf-users] EXTERNAL: Fwd: Installing / Running Suricata with Myricom NICs

Peter Manev petermanev at gmail.com
Wed Apr 4 07:07:56 UTC 2018


On Fri, Mar 30, 2018 at 6:15 PM, Chris Herdt <cherdt at umn.edu> wrote:
> We have started seeing the same behavior periodically on several interfaces
> after applying the most recent kernel update (3.10.0-693.21.1.el7.x86_64) on
> our sensors (running CentOS 7).
>
> Prior to this update, we did not observe this behavior in Suricata (we've
> been running this configuration since July 2017).
>
> We're running Suricata 3.2.5 with the v3.0.13 of the Myricom SNF drivers.
>

It would be better if you try the latest stable - there is quite some
difference between 3.x and 4.x, including in terms of performance.
Then can you confirm whether you see the same behavior?
Enabling per-thread stats (in suricata.yaml) would probably give you
more info for the troubleshooting.

> We have a redundant set processing the same traffic and we do not see the
> same behavior on both sides at the same time, suggesting it is not related
> to a single flow.
>
> We have 10 cores pinned to each Suricata instance (1 management, 9 workers),
> and when this behavior occurs one of the worker cores pegs at 100%
> utilization while the other cores on the same instance drop down to <1%.
>
>
>
> On Mon, Feb 26, 2018 at 3:18 PM, Erich Lerch <erich.lerch at gmail.com> wrote:
>>
>> No... I mean, I didn't try.
>> But given the very low overall packet loss we experience (< 0.2%), it's
>> not one of my top priorities :-)
>>
>> Erich
>>
>> On 26.02.2018 22:12, Peter Manev wrote:
>> > On Mon, Feb 26, 2018 at 10:10 PM, Erich Lerch <erich.lerch at gmail.com>
>> > wrote:
>> >> Hi Zach
>> >>
>> >> Yes, happens here, too! Fortunately not too often, and only for a short
>> >> period of time, before it normalizes again.
>> >>
>> >> Never found out why exactly this happens, though.
>> >
>> >
>> > Is it possible to narrow it down by some flowinfo that is observed
>> > during the same period that it happens?
>> >
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>
>
>
>
> --
> Chris Herdt
> Systems Administrator
> cherdt at umn.edu
>



-- 
Regards,
Peter Manev
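
An added example, not part of the original thread: once per-thread stats are enabled, a short script over stats.log can show whether a single worker is handling nearly all packets in an interval, which matches the "one core at 100%, the others below 1%" symptom described above. It assumes the usual `Counter | TM Name | Value` layout of stats.log; the sample dump, thread names, and the 90% threshold are constructed for illustration.

```python
import re

# Constructed sample: two consecutive stats.log dumps with per-thread rows.
# Thread names and values are made up for illustration.
SAMPLE = """\
Date: 4/4/2018 -- 07:00:00 (uptime: 0d, 01h 00m 00s)
Counter                   | TM Name                   | Value
decoder.pkts              | W#01-snf0                 | 1000000
decoder.pkts              | W#02-snf0                 | 1010000
decoder.pkts              | W#03-snf0                 | 990000
Date: 4/4/2018 -- 07:00:08 (uptime: 0d, 01h 00m 08s)
Counter                   | TM Name                   | Value
decoder.pkts              | W#01-snf0                 | 1000400
decoder.pkts              | W#02-snf0                 | 1510000
decoder.pkts              | W#03-snf0                 | 990300
"""

# Data rows only: the header row fails to match because "Value" is not a number.
ROW = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_dumps(text, counter="decoder.pkts"):
    """Return one {thread: value} dict per 'Date:' block for the given counter."""
    dumps = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            dumps.append({})
            continue
        m = ROW.match(line)
        if m and dumps and m.group(1) == counter:
            dumps[-1][m.group(2)] = int(m.group(3))
    return dumps

def skewed_intervals(dumps, share=0.9):
    """List (interval, thread, fraction) where one thread took > share of packets."""
    findings = []
    for i, (prev, cur) in enumerate(zip(dumps, dumps[1:]), start=1):
        deltas = {}
        for thread, value in cur.items():
            delta = value - prev.get(thread, 0)
            # A counter going backwards means a restart; count from zero.
            deltas[thread] = delta if delta >= 0 else value
        total = sum(deltas.values())
        if total == 0:
            continue
        thread, pkts = max(deltas.items(), key=lambda kv: kv[1])
        if pkts / total > share:
            findings.append((i, thread, round(pkts / total, 3)))
    return findings

if __name__ == "__main__":
    for idx, thread, frac in skewed_intervals(parse_dumps(SAMPLE)):
        print(f"interval {idx}: {thread} handled {frac:.1%} of packets")
```
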

