From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
Date: Thu, 10 Dec 2020 20:36:10 +0100
Message-ID: <36845B64-6AF1-4387-9C90-45B3033D22F0@ipfire.org>
In-Reply-To: <276ec94c-01ff-9bce-16ce-234a2336c4c7@ipfire.org>

Hi,

> On 10 Dec 2020, at 18:31, Matthias Fischer wrote:
>
> On 10.12.2020 14:39, Michael Tremer wrote:
>> Hey Matthias,
>
> Hi Michael,
>
>> I checked but I cannot confirm this on my machine.
>
> Hm...
>
>> I also asked the others on the telephone conference and nobody saw anything suspicious either.
>>
>> What hardware are you using, and what rules are you using?
>
> Hardware is an old IPFire Duo Box ( ;-) ).
>
> Profile:
> =>
> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
>
> Today I - again - switched from 5.04 to 6.01 using Emerging Threats
> Rules. Cpu load immediately raised from 0.5-2% to ~10-12.5% (htop). See
> attached screenshots.

Okay, this looks bad.

> Then I deactivated a few rules (first wave at 17:35) - activating only
> 'botcc', 'drop', 'dshield', 'emerging-exploit', 'emerging-malware' and
> 'emerging-trojan' active. No change.

Can you try to disable all rules and see if that makes a change?

It would also be helpful to see if the CPU resources are being wasted on kernel stuff (sys) or in the user land (user). According to the graph it is 50/50. Can you confirm that?

> Right now I'm on 'suricata 6.0.4' with 'Talos VRT rules (registered). No
> change.

Hm.

>
> Any ideas?
>
> Best,
> Matthias

-Michael

>
>> Best,
>> -Michael
>>
>>> On 6 Dec 2020, at 11:08, Matthias Fischer wrote:
>>>
>>> Hi,
>>>
>>> I'd like to have a little problem... ;-)
>>>
>>> The other day I saw 'suricata 6.0.0' had its coming out - yesterday it
>>> was '6.0.1'. At that time I thought it might be a good idea to test the
>>> current version.
>>>
>>> So I built and tested these two one after another under Core 152/64bit.
>>> I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated and
>>> installed too, yesterday to 0.5.36.
>>>
>>> Both built without problems, both installed without problems, both
>>> showed a strange behavior while running.
>>>
>>> Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c
>>> /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from
>>> ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'.
>>> And I mean it. Idle. Nothing was going on.
>>>
>>> Hardware:
>>> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
>>>
>>> Can anyone confirm - or did I miss something?
>>>
>>> Best,
>>> Matthias