Suricata Inline high CPU with no rules
-
Hi guys
As per the title of this post, when I enable Suricata in inline mode, even with all rules disabled, the CPU runs mega high.
I have a 500mbps glass fibre, but when I enable Suricata it gets limited to 200mbps both ways.
Disabling Suricata and I get my full speed again (more actually, I'm hitting around 600mbps both ways).
So, I was going to try and figure out which rules were pushing the CPU so high, starting by disabling them all, but even with all disabled or all enabled it gets capped around 200mbps.
Am I doing something wrong?
Thanks
Matt
-
Ok I've "Fixed" it, I suppose. Changed this…
Detection Engine Settings
Max Pending Packets: back from 4096 to 1024
Now CPU goes to 90% but is able to maintain full 500mbps with 90% CPU and all rules enabled
Just FYI
If anyone has any advice or tips, they would be greatly welcome.
-
:-( I take it back. 2 minutes later it's back to 200mbps. I think just restarting the interface fooled me/it for a moment while all the rules etc were being loaded.
So I'm back to a 200mbps limit now and don't know how to increase it
-
What kind of hardware are you running? What is the type and speed of the CPU and how much RAM?
Suricata needs CPU, and the higher the packet load the more CPU it needs to keep up. Granted, with no rules enabled it should not need nearly as much, though. Might be an issue with your NIC drivers and the Netmap module in FreeBSD. As has been said in this forum about a thousand times, inline IPS mode uses the experimental Netmap kernel interface. Some NICs don't work with Netmap at all, and others work in a buggy fashion. Your NICs might be one of the latter.
Put Suricata in Legacy Blocking Mode and see what the throughput is then. This will isolate the problem down and hopefully show Netmap compatibility as the culprit.
Bill
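One way to put numbers behind the comparison Bill suggests, as an added example that is not part of this thread: a small Python script that reads Suricata's eve.json "stats" records (fields capture.kernel_packets, capture.kernel_drops and decoder.bytes) and reports per-interval throughput and capture-layer drop percentage, so an inline Netmap run and a Legacy Blocking Mode run can be compared on the same basis. The eve lines below are constructed sample data; the 500 Mbit/s link and the 1% drop threshold are assumptions.

```python
import json
from typing import Dict, Iterable, List

# Constructed eve.json lines (not from the thread): three Suricata "stats" records
# at the default 8 s stats interval plus one unrelated event that must be skipped.
# The counters are invented to mimic a link stuck near 200 Mbit/s with capture drops.
SAMPLE_EVE = [
    '{"event_type":"alert","alert":{"signature":"ignored"}}',
    '{"event_type":"stats","stats":{"uptime":8,'
    '"capture":{"kernel_packets":0,"kernel_drops":0},"decoder":{"pkts":0,"bytes":0}}}',
    '{"event_type":"stats","stats":{"uptime":16,'
    '"capture":{"kernel_packets":180000,"kernel_drops":20000},"decoder":{"pkts":180000,"bytes":200000000}}}',
    '{"event_type":"stats","stats":{"uptime":24,'
    '"capture":{"kernel_packets":355000,"kernel_drops":45000},"decoder":{"pkts":355000,"bytes":390000000}}}',
]

def parse_stats(lines: Iterable[str]) -> List[Dict]:
    """Keep only the eve "stats" records, in file order; malformed lines are skipped."""
    out = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "stats":
            out.append(rec["stats"])
    return out

def per_interval(stats: List[Dict]) -> List[Dict]:
    """Turn the cumulative counters into per-interval Mbit/s and capture-drop percentage."""
    rows = []
    for prev, cur in zip(stats, stats[1:]):
        secs = cur["uptime"] - prev["uptime"]
        if secs <= 0:
            continue
        d_bytes = cur["decoder"]["bytes"] - prev["decoder"]["bytes"]
        d_pkts = cur["capture"]["kernel_packets"] - prev["capture"]["kernel_packets"]
        d_drops = cur["capture"]["kernel_drops"] - prev["capture"]["kernel_drops"]
        seen = d_pkts + d_drops  # packets offered to the capture layer in this interval
        rows.append({"mbps": round(d_bytes * 8 / secs / 1e6, 1),
                     "drop_pct": round(100.0 * d_drops / seen, 1) if seen else 0.0})
    return rows

def capture_limited(rows: List[Dict], link_mbps: float, drop_threshold: float = 1.0) -> bool:
    """True when every interval sits under half the link speed AND the capture layer is
    dropping: that points at the packet path (NIC/Netmap) rather than at rule processing."""
    return all(r["mbps"] < 0.5 * link_mbps and r["drop_pct"] > drop_threshold for r in rows)

if __name__ == "__main__":
    rows = per_interval(parse_stats(SAMPLE_EVE))
    for r in rows:
        print(f"{r['mbps']:7.1f} Mbit/s  capture drops {r['drop_pct']:4.1f}%")
    print("capture-layer bottleneck:", capture_limited(rows, link_mbps=500))  # True
```

Run it once per mode against the real eve.json (with stats enabled in the eve-log output); if drops stay high only in inline mode, the capture path is the suspect.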