From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
Date: Thu, 10 Dec 2020 20:36:10 +0100
Message-ID: <36845B64-6AF1-4387-9C90-45B3033D22F0@ipfire.org>
In-Reply-To: <276ec94c-01ff-9bce-16ce-234a2336c4c7@ipfire.org>
List-Id: <development.lists.ipfire.org>

Hi,

> On 10 Dec 2020, at 18:31, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>
> On 10.12.2020 14:39, Michael Tremer wrote:
>> Hey Matthias,
>
> Hi Michael,
>
>> I checked but I cannot confirm this on my machine.
>
> Hm...
>
>> I also asked the others on the telephone conference and nobody saw anything suspicious either.
>>
>> What hardware are you using, and what rules are you using?
>
> Hardware is an old IPFire Duo Box ( ;-) ).
>
> Profile:
> =>
> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
>
> Today I - again - switched from 5.04 to 6.01 using Emerging Threats
> Rules. CPU load immediately rose from 0.5-2% to ~10-12.5% (htop). See
> attached screenshots.

Okay, this looks bad.

> Then I deactivated a few rules (first wave at 17:35) - activating only
> 'botcc', 'drop', 'dshield', 'emerging-exploit', 'emerging-malware' and
> 'emerging-trojan'. No change.

Can you try to disable all rules and see if that makes a change?

It would also be helpful to see if the CPU resources are being wasted on kernel stuff (sys) or in the user land (user). According to the graph it is 50/50. Can you confirm that?

> Right now I'm on 'suricata 6.0.4' with 'Talos VRT rules' (registered). No
> change. Hm.
>
> Any ideas?
>
> Best,
> Matthias

-Michael

>
>> Best,
>> -Michael
>>
>>> On 6 Dec 2020, at 11:08, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>>
>>> Hi,
>>>
>>> I'd like to have a little problem... ;-)
>>>
>>> The other day I saw 'suricata 6.0.0' had its coming out - yesterday it
>>> was '6.0.1'. At that time I thought it might be a good idea to test the
>>> current version.
>>>
>>> So I built and tested these two one after another under Core 152/64bit.
>>> I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated and
>>> installed too, yesterday to 0.5.36.
>>>
>>> Both built without problems, both installed without problems, both
>>> showed a strange behavior while running.
>>>
>>> Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c
>>> /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from
>>> ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'.
>>> And I mean it. Idle. Nothing was going on.
>>>
>>> Hardware:
>>> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
>>>
>>> Can anyone confirm - or did I miss something?
>>>
>>> Best,
>>> Matthias
>>
>
> <htop.png><ids_with_vrt.png><load_per_day.png><load_per_hour.png>
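Michael asks whether the idle load is spent in kernel (sys) or user time. That split can be measured per process from /proc rather than eyeballed from htop; the script below is an added example, not from the thread or from IPFire, and assumes a Linux /proc filesystem, getconf(1), and that you pass the running suricata PID on the command line.

```shell
#!/bin/sh
# Added example: split a process's CPU usage into user vs. system time over an
# interval. Reads /proc/<pid>/stat fields 14 (utime) and 15 (stime), both in
# clock ticks. Assumes Linux /proc and getconf(1); nothing here is IPFire code.

# stat_fields FILE: print "utime stime" from a /proc/<pid>/stat line.
# The comm field is wrapped in parentheses and may contain spaces, so drop
# everything up to the closing ')' first; utime/stime are then fields 12/13.
stat_fields() {
    sed 's/^.*) //' "$1" | awk '{ print $12, $13 }'
}

# cpu_split U1 S1 U2 S2 SECONDS HZ: print "user=<pct> sys=<pct>", each as a
# percentage of one CPU over the interval (>100 is possible with many threads).
cpu_split() {
    LC_ALL=C awk -v u1="$1" -v s1="$2" -v u2="$3" -v s2="$4" \
        -v secs="$5" -v hz="$6" \
        'BEGIN { t = secs * hz
                 printf "user=%.1f sys=%.1f\n", 100*(u2-u1)/t, 100*(s2-s1)/t }'
}

# sample_pid PID SECONDS: take two samples SECONDS apart and print the split.
sample_pid() {
    pid=$1; secs=$2; hz=$(getconf CLK_TCK)
    before=$(stat_fields "/proc/$pid/stat")
    sleep "$secs"
    after=$(stat_fields "/proc/$pid/stat")
    set -- $before $after      # word-splitting into u1 s1 u2 s2 is intended
    cpu_split "$1" "$2" "$3" "$4" "$secs" "$hz"
}

# Usage: ./cpusplit.sh "$(pidof suricata)" 10
if [ -n "${1:-}" ]; then
    sample_pid "$1" "${2:-10}"
fi
```

Running it against an idle suricata under 5.0.4 and again under 6.0.x gives a directly comparable user/sys split for the same interval.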
