Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

improve efficiency of Suricata processing uploaded PCAP files #457

Open
mmguero opened this issue Nov 5, 2024 · 0 comments
Open

improve efficiency of Suricata processing uploaded PCAP files #457

mmguero opened this issue Nov 5, 2024 · 0 comments
Assignees
@jjrush
Labels
performance Related to speed/performance suricata Relating to Malcolm's use of Suricata upload Relating to PCAP and/or Zeek log ingestion
Milestone
v24.12.0

Comments

@mmguero
Copy link
Collaborator

mmguero commented Nov 5, 2024

@mmguero cloned issue idaholab/Malcolm#325 on 2024-01-08:

Currently as uploaded PCAP files are processed, each PCAP file results in a new suricata process for that PCAP file.

This is the same behavior for Zeek and Arkime capture; however, suricata seems to have more overhead (I often notice that suricata is still running on a batch of uploaded PCAP files long after the others are done).

I came across this thread describing using suricata socket control to send PCAP files to a single long-running suricata process, then output each eve.json to a different directory per-PCAP. This would be an improvement.
@mmguero mmguero added performance Related to speed/performance suricata Relating to Malcolm's use of Suricata upload Relating to PCAP and/or Zeek log ingestion labels Nov 5, 2024
@mmguero mmguero mentioned this issue Nov 5, 2024
Closed
@mmguero mmguero added this to Malcolm Nov 5, 2024
@mmguero mmguero moved this to In Progress in Malcolm Nov 5, 2024
@mmguero mmguero added this to the v24.11.0 milestone Nov 5, 2024
@mmguero mmguero modified the milestones: v24.11.0, v24.12.0 Nov 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jjrush jjrush

Labels
performance Related to speed/performance suricata Relating to Malcolm's use of Suricata upload Relating to PCAP and/or Zeek log ingestion
Projects
Malcolm
Status: In Progress
Milestone
v24.12.0
Development

No branches or pull requests
2 participants
@mmguero @jjrush