From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
Date: Mon, 14 Dec 2020 15:58:33 +0000
Message-ID: <10a736f6-bb62-6b85-d424-b9f3d31831d5@ipfire.org>

Hello Michael, hello Matthias, hello *,

just for the records: I cannot reproduce this issue on two machines
running Core Update 153 (testing) for a while now.

Both have an Intel N3150 CPU and are running on x86_64 (no
virtualisation), one of those is almost permanently under a significant
network load. To be honest, its CPU load actually _decreased_ a bit
after installing Core Update 153, but I cannot pinpoint the reason for
this at the moment.

From my point of view, there is no need to downgrade to Suricata 5.x
again. In terms of security, I dislike that idea as well, however, this
seems to affect certain scenarios quite badly...

Thanks, and best regards,
Peter Müller

> Hi,
>
>> On 12 Dec 2020, at 02:18, Kienker, Fred wrote:
>>
>> Matthias:
>>
>> I worked through some of the examples of the settings described in the
>> Suricata forum discussion. If my observations are correct, the issue
>> centers around the flow manager. A change to it has made a big
>> difference in the resource usage by this process. It's likely going to
>> come down to live with the load created by the v6 version or revert to v5
>> and wait for them to get to the bottom of this. No combination of
>> settings in the flow section of suricata.yaml ever seemed to reduce it
>> and instead increased it.
>
> Good research.
>
>> I don't use low power systems for IPFire and don't have access to one
>> but others with these systems may want to take a look at their
>> performance numbers and report back as to whether they can live with the
>> higher load.
>
> It is not directly low-power systems.
>
> I launched this on AWS today and the CPU load is immediately at 25%. It was mentioned on the linked thread that virtual systems are affected more.
>
> I would now rather lean towards reverting suricata 6 unless there is a hot fix available soon.
>
> Best,
> -Michael
>
>>
>> Best regards,
>> Fred
>>
>> Please note: Although we may sometimes respond to email, text and phone
>> calls instantly at all hours of the day, our regular business hours are
>> 9:00 AM - 6:00 PM ET, Monday thru Friday.
>>
>> -----Original Message-----
>> From: Matthias Fischer
>> Sent: Friday, December 11, 2020 6:34 PM
>> To: Kienker, Fred; michael.tremer;
>> stefan.schantl
>> Cc: development
>> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to
>> 5.0.4
>>
>> Hi,
>>
>> looks as if there is something going on in the suricata forum regarding
>> cpu load:
>>
>> => https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
>>
>> I can't really interpret the numerous screenshots and ongoing
>> discussions, but could it be that this is related to what I'm
>> experiencing when upgrading from 5.0.x to 6.0.x?
>>
>> Best,
>> Matthias
>>