Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

improve efficiency of Suricata processing uploaded PCAP files #325

Closed
mmguero opened this issue Jan 8, 2024 · 1 comment
Closed

improve efficiency of Suricata processing uploaded PCAP files #325

mmguero opened this issue Jan 8, 2024 · 1 comment
Assignees
@jjrush
Labels
performance Related to speed/performance suricata Relating to Malcolm's use of Suricata upload Relating to PCAP and/or Zeek log ingestion
Milestone
v24.11.0

Comments

@mmguero
Copy link
Collaborator

mmguero commented Jan 8, 2024

Currently as uploaded PCAP files are processed, each PCAP file results in a new suricata process for that PCAP file.

This is the same behavior for Zeek and Arkime capture; however, suricata seems to have more overhead (I often notice that suricata is still running on a batch of uploaded PCAP files long after the others are done).

I came across this thread describing using suricata socket control to send PCAP files to a single long-running suricata process, then output each eve.json to a different directory per-PCAP. This would be an improvement.
@mmguero mmguero added upload Relating to PCAP and/or Zeek log ingestion performance Related to speed/performance suricata Relating to Malcolm's use of Suricata labels Jan 8, 2024
@mmguero mmguero added this to Malcolm Jan 8, 2024
@mmguero mmguero moved this to Todo (design) in Malcolm Jan 8, 2024
@mmguero mmguero modified the milestones: z.staging, v24.03.0 Jan 15, 2024
@mmguero mmguero modified the milestones: v24.03.0, v24.04.0 Feb 15, 2024
@mmguero mmguero modified the milestones: v24.03.1, v24.04.0, z.staging Mar 14, 2024
@mmguero mmguero modified the milestones: z.staging, v24.05.0 Mar 27, 2024
@mmguero mmguero modified the milestones: v24.05.0, z.staging Apr 29, 2024
@mmguero mmguero modified the milestone: z.staging Aug 20, 2024
@mmguero mmguero removed this from the z.staging milestone Oct 1, 2024
@mmguero mmguero added this to the z.staging milestone Oct 23, 2024
@mmguero mmguero modified the milestones: z.staging, v24.11.0 Oct 23, 2024
@mmguero
Copy link
Collaborator Author

mmguero commented Nov 5, 2024

Kamino closed and cloned this issue to cisagov/Malcolm

@mmguero mmguero mentioned this issue Nov 5, 2024
Open
@mmguero mmguero closed this as completed Nov 5, 2024
@github-project-automation github-project-automation bot moved this from Todo (design) to Done in Malcolm Nov 5, 2024
@mmguero mmguero moved this from Done to Migrated in Malcolm Nov 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jjrush jjrush

Labels
performance Related to speed/performance suricata Relating to Malcolm's use of Suricata upload Relating to PCAP and/or Zeek log ingestion
Projects
Malcolm
Status: Migrated
Milestone
v24.11.0
Development

No branches or pull requests
2 participants
@mmguero @jjrush