From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
Date: Fri, 11 Dec 2020 17:00:57 +0100
Message-ID: <69b700f2-fb04-4ad0-e673-f9c70fb9976c@ipfire.org>
In-Reply-To: <H000007e004e35e1.1607700049.mail.at4b.com@MHS>
Hi,
confirmed.
As I use to say: "Welcome to the club"! ;-)
Running 'suricata 6.0.1' - but now I deactivated ALL rules.
But: no rules, no change, CPU load is still much too high. In idle mode!
NO traffic.
@Fred:
Graphs are almost identical to yours.
Who writes the bug report?
FYI:
I'm just preparing the other 64bit Devel with 'suricata 5.0.5', just to
see what will happen.
Best,
Matthias
On 11.12.2020 16:20, Kienker, Fred wrote:
> I am hoping this is the correct place to report C153 testing results.
> Otherwise I will open a topic on the forum if you prefer.
>
> After updating a testing firewall from C152 Stable to C153 Testing, a
> significant increase in CPU load was observed as reported by others -
> see the attached graphs. The htop also shows Suricata as the 3 top
> processes. No changes were made to the Suricata settings in the before
> and after.
>
> This system has enough processing power so it is not an issue, but it
> could be a problem on low powered systems.
>
> Machine specs:
> Dell PowerEdge R420
> Intel(R) Xeon(R) CPU E5-2430
> 24 GB RAM
>
> Best regards,
> Fred
>
> -----Original Message-----
> From: Matthias Fischer <matthias.fischer(a)ipfire.org>
> Sent: Thursday, December 10, 2020 12:32 PM
> To: Michael Tremer <michael.tremer(a)ipfire.org>; Stefan Schantl
> <stefan.schantl(a)ipfire.org>
> Cc: IPFire: Development-List <development(a)lists.ipfire.org>
> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to
> 5.0.4
>
> On 10.12.2020 14:39, Michael Tremer wrote:
>> Hey Matthias,
>
> Hi Michael,
>
>> I checked but I cannot confirm this on my machine.
>
> Hm...
>
>> I also asked the others on the telephone conference and nobody saw
>> anything suspicious either.
>>
>> What hardware are you using, and what rules are you using?
>
> Hardware is an old IPFire Duo Box ( ;-) ).
>
> Profile:
> =>
> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
>
> Today I - again - switched from 5.04 to 6.01 using Emerging Threats
> Rules. CPU load immediately rose from 0.5-2% to ~10-12.5% (htop). See
> attached screenshots.
>
> Then I deactivated a few rules (first wave at 17:35) - leaving only
> 'botcc', 'drop', 'dshield', 'emerging-exploit', 'emerging-malware' and
> 'emerging-trojan' active. No change.
>
> Right now I'm on 'suricata 6.0.4' with 'Talos VRT rules' (registered). No
> change. Hm.
>
> Any ideas?
>
> Best,
> Matthias
>
>> Best,
>> -Michael
>>
>>> On 6 Dec 2020, at 11:08, Matthias Fischer
>>> <matthias.fischer(a)ipfire.org> wrote:
>>>
>>> Hi,
>>>
>>> I'd like to have a little problem... ;-)
>>>
>>> The other day I saw 'suricata 6.0.0' had its coming out - yesterday
>>> it was '6.0.1'. At that time I thought it might be a good idea to
>>> test the current version.
>>>
>>> So I built and tested these two one after another under Core
>>> 152/64bit.
>>> I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated
>>> and installed too, yesterday to 0.5.36.
>>>
>>> Both built without problems, both installed without problems, both
>>> showed a strange behavior while running.
>>>
>>> Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c
>>> /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from
>>> ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'.
>>> And I mean it. Idle. Nothing was going on.
>>>
>>> Hardware:
>>> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
>>>
>>> Can anyone confirm - or did I miss something?
>>>
>>> Best,
>>> Matthias
>>