From mboxrd@z Thu Jan 1 00:00:00 1970
From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
Date: Fri, 11 Dec 2020 17:00:57 +0100
Message-ID: <69b700f2-fb04-4ad0-e673-f9c70fb9976c@ipfire.org>
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============9050783670614837766=="
List-Id:

--===============9050783670614837766==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Hi,

confirmed. As I use to say: "Welcome to the club"! ;-)

Running 'suricata 6.0.1' - but now I deactivated ALL rules.

But: no rules, no change, CPU load is still much too high. In idle mode!
NO traffic.

@Fred:
Graphs are almost identical to yours. Who writes the bug report?

FYI:
I'm just preparing the other 64bit Devel with 'suricata 5.0.5', just to
see what will happen.

Best,
Matthias

On 11.12.2020 16:20, Kienker, Fred wrote:
> I am hoping this is the correct place to report C153 testing results.
> Otherwise I will open a topic on the forum if you prefer.
>
> After updating a testing firewall from C152 Stable to C153 Testing, a
> significant increase in CPU load was observed as reported by others -
> see the attached graphs. The htop also shows Suricata as the 3 top
> processes. No changes were made to the Suricata settings in the before
> and after.
>
> This system has enough processing power so it is not an issue, but it
> could be a problem on low powered systems.
>
> Machine specs:
> Dell PowerEdge R420
> Intel(R) Xeon(R) CPU E5-2430
> 24 GB RAM
>
> Best regards,
> Fred
>
> -----Original Message-----
> From: Matthias Fischer
> Sent: Thursday, December 10, 2020 12:32 PM
> To: Michael Tremer; Stefan Schantl
> Cc: IPFire: Development-List
> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to
> 5.0.4
>
> On 10.12.2020 14:39, Michael Tremer wrote:
>> Hey Matthias,
>
> Hi Michael,
>
>> I checked but I cannot confirm this on my machine.
>
> Hm...
>
>> I also asked the others on the telephone conference and nobody saw
>> anything suspicious either.
>>
>> What hardware are you using, and what rules are you using?
>
> Hardware is an old IPFire Duo Box ( ;-) ).
>
> Profile:
> =>
> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
>
> Today I - again - switched from 5.04 to 6.01 using Emerging Threats
> Rules. CPU load immediately rose from 0.5-2% to ~10-12.5% (htop). See
> attached screenshots.
>
> Then I deactivated a few rules (first wave at 17:35) - activating only
> 'botcc', 'drop', 'dshield', 'emerging-exploit', 'emerging-malware' and
> 'emerging-trojan' active. No change.
>
> Right now I'm on 'suricata 6.0.4' with 'Talos VRT rules (registered)'. No
> change. Hm.
>
> Any ideas?
>
> Best,
> Matthias
>
>> Best,
>> -Michael
>>
>>> On 6 Dec 2020, at 11:08, Matthias Fischer wrote:
>>>
>>> Hi,
>>>
>>> I'd like to have a little problem... ;-)
>>>
>>> The other day I saw 'suricata 6.0.0' had its coming out - yesterday
>>> it was '6.0.1'. At that time I thought it might be a good idea to
>>> test the current version.
>>>
>>> So I built and tested these two one after another under Core 152/64bit.
>>> I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated
>>> and installed too, yesterday to 0.5.36.
>>>
>>> Both built without problems, both installed without problems, both
>>> showed a strange behavior while running.
>>>
>>> Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c
>>> /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from
>>> ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'.
>>> And I mean it. Idle. Nothing was going on.
>>>
>>> Hardware:
>>> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
>>>
>>> Can anyone confirm - or did I miss something?
>>>
>>> Best,
>>> Matthias
>>
>
>

--===============9050783670614837766==--