Optimization #1242

closed

Huge performance decrease with /dev/zero traffic

Added by Andreas Herz over 9 years ago. Updated about 8 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -

Description

There is a huge performance decrease with /dev/zero traffic and some activated rules.

Suricata is used in inline mode:

suricata -c /etc/suricata/suricata.yaml -q 0

The setup is built with 4 machines: 2 clients and 2 servers that connect the 2 clients, and Suricata is running on one server.

The rules used are:

 - botcc.rules
 - ciarmy.rules
 - compromised.rules
 - drop.rules
 - dshield.rules
 - emerging-current_events.rules
 - emerging-malware.rules
 - emerging-mobile_malware.rules
 - emerging-scan.rules
 - emerging-trojan.rules
 - emerging-user_agents.rules
 - emerging-worm.rules

Some profiling output:
http://paste.geekosphere.org/TEb2ePqsSueyCSVu
http://paste.geekosphere.org/4HvILUUgf0IMMBq9

The test is made by creating 2 different testfiles:

dd if=/dev/zero of=testfile bs=1M count=4096
dd if=/dev/urandom of=testfile2 bs=1M count=4096

The transfer is made with netcat:

Client A:

nc -v -v -l -n -p 2222 >/dev/null

Client B:

pv -t -r -a -b testfile | nc -v -v -n $IP 2222 >/dev/null

The diff between testfile and testfile2 was 160Mbit/s to 40Mbit/s.
The same rules within Snort don't decrease the performance like that.


Files

 - packet_stats.log.nc (3.67 KB): TCP (slow) traffic with zeros. Andreas Herz, 07/22/2014 05:08 AM
 - packet_stats.log.http (4.48 KB): HTTP (fast) traffic with zeros. Andreas Herz, 07/22/2014 05:08 AM
 - zero.rules (69.6 KB). Andreas Herz, 07/30/2014 04:06 AM
 - foobar.rules (1.71 KB). Andreas Herz, 07/30/2014 06:58 AM