Hallo All, I have been testing Core Update 153 on my VirtualBox VM test bed system. With Core 152 with no IPS the CPU is running around 0.7%. With IPS turned on it runs around 1.5%. With Core 153 with no IPS the CPU is running around 0.7% again. With IPS turned on it runs around 10.5%. The system info is:- IPFire version IPFire 2.25 (x86_64) - core153 Development Build: master/eaa90321 Pakfire version 2.25.1-x86_64 Kernel version Linux ipfire 4.14.211-ipfire #1 SMP Tue Dec 8 23:54:50 GMT 2020 x86_64 Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz GenuineIntel GNU/Linux Regards, Adolf Belka On 14/12/2020 16:58, Peter Müller wrote: > Hello Michael, hello Matthias, hello *, > > just for the records: I cannot reproduce this issue on two machines running Core Update 153 (testing) for a while now. > > Both have an Intel N3150 CPU and are running on x86_64 (no virtualisation), one of those is almost permanently under a significant network load. To be honest, it's CPU load actually _decreased_ a bit after installing Core Update 153, but I cannot pinpoint the reason for this at the moment. > > From my point of view, there is no need to downgrade to Suricata 5.x again. In terms of security, I dislike that idea as well, however, this seems to affect certain scenarios quite bad... > > Thanks, and best regards, > Peter Müller > > >> Hi, >> >>> On 12 Dec 2020, at 02:18, Kienker, Fred wrote: >>> >>> Matthas: >>> >>> I worked through some of the examples of the settings described in the >>> Suricata forum discussion. If my observations is correct, the issue >>> centers around the flow manager. A change to it has made a big >>> difference it the resource usage by this process. Its likely going to >>> come down to live with the load created the v6 version or revert to v5 >>> and wait for them to get to the bottom of this. No combination of >>> settings in the flow section of suricata.yaml ever seemed to reduce it >>> and instead increased it. >> >> Good research. >> >>> I don't use low power systems for IPFire and dont have access to one >>> but others with these systems may want to take a look at their >>> performance numbers and report back as to whether they can live with the >>> higher load. >> >> It is not directly low-power systems. >> >> I launched this on AWS today and the CPU load is immediately at 25%. It was mentioned on the linked thread that virtual systems are affected more. >> >> I would now rather lean towards reverting suricata 6 unless there is a hot fix available soon. >> >> Best, >> -Michael >> >>> >>> Best regards, >>> Fred >>> >>> Please note: Although we may sometimes respond to email, text and phone >>> calls instantly at all hours of the day, our regular business hours are >>> 9:00 AM - 6:00 PM ET, Monday thru Friday. >>> >>> -----Original Message----- >>> From: Matthias Fischer >>> Sent: Friday, December 11, 2020 6:34 PM >>> To: Kienker, Fred; michael.tremer ; >>> stefan.schantl >>> Cc: development >>> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to >>> 5.0.4 >>> >>> Hi, >>> >>> looks as if there is something going on in the suricata forum regarding >>> cpu load: >>> >>> => https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706 >>> >>> I can't really interpret the numrous screenshots and ongoing >>> discussions, but could it be that this is related to what I'm >>> experiencing when upgrading from 5.0.x to 6.0.x? >>> >>> Best, >>> Matthias >>> >>> >>