Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4

["Peter Müller" <peter.mueller@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 2976 bytes --]

Hello Michael, hello Matthias, hello *,

just for the records: I cannot reproduce this issue on two machines 
running Core Update 153 (testing) for a while now.

Both have an Intel N3150 CPU and are running on x86_64 (no 
virtualisation), one of those is almost permanently under a significant 
network load. To be honest, it's CPU load actually _decreased_ a bit 
after installing Core Update 153, but I cannot pinpoint the reason for 
this at the moment.

 From my point of view, there is no need to downgrade to Suricata 5.x 
again. In terms of security, I dislike that idea as well, however, this 
seems to affect certain scenarios quite bad...

Thanks, and best regards,
Peter Müller


> Hi,
> 
>> On 12 Dec 2020, at 02:18, Kienker, Fred <fkienker(a)at4b.com> wrote:
>>
>> Matthas:
>>
>> I worked through some of the examples of the settings described in the
>> Suricata forum discussion. If my observations is correct, the issue
>> centers around the flow manager. A change to it has made a big
>> difference it the resource usage by this process. Its likely going to
>> come down to live with the load created the v6 version or revert to v5
>> and wait for them to get to the bottom of this. No combination of
>> settings in the flow section of suricata.yaml ever seemed to reduce it
>> and instead increased it.
> 
> Good research.
> 
>> I don't use low power systems for IPFire and dont have access to one
>> but others with these systems may want to take a look at their
>> performance numbers and report back as to whether they can live with the
>> higher load.
> 
> It is not directly low-power systems.
> 
> I launched this on AWS today and the CPU load is immediately at 25%. It was mentioned on the linked thread that virtual systems are affected more.
> 
> I would now rather lean towards reverting suricata 6 unless there is a hot fix available soon.
> 
> Best,
> -Michael
> 
>>
>> Best regards,
>> Fred
>>
>> Please note: Although we may sometimes respond to email, text and phone
>> calls instantly at all hours of the day, our regular business hours are
>> 9:00 AM - 6:00 PM ET, Monday thru Friday.
>>
>> -----Original Message-----
>> From: Matthias Fischer <matthias.fischer(a)ipfire.org>
>> Sent: Friday, December 11, 2020 6:34 PM
>> To: Kienker, Fred; michael.tremer <michael.tremer(a)ipfire.org>;
>> stefan.schantl <stefan.schantl(a)ipfire.org>
>> Cc: development <development(a)lists.ipfire.org>
>> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to
>> 5.0.4
>>
>> Hi,
>>
>> looks as if there is something going on in the suricata forum regarding
>> cpu load:
>>
>> => https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
>>
>> I can't really interpret the numrous screenshots and ongoing
>> discussions, but could it be that this is related to what I'm
>> experiencing when upgrading from 5.0.x to 6.0.x?
>>
>> Best,
>> Matthias
>>
>>
>