Hello *, some feedback came from the community (https://community.ipfire.org/t/core-153-testing/4005/), where CPU load seems to behave fine as well. Unless I overlooked something, this issue primarily seems to affect - virtualised systems and - machines running on a CPU with two cores or less. Thanks, and best regards, Peter Müller > Hello Michael, hello Matthias, hello *, > > just for the records: I cannot reproduce this issue on two machines > running Core Update 153 (testing) for a while now. > > Both have an Intel N3150 CPU and are running on x86_64 (no > virtualisation), one of those is almost permanently under a significant > network load. To be honest, it's CPU load actually _decreased_ a bit > after installing Core Update 153, but I cannot pinpoint the reason for > this at the moment. > > From my point of view, there is no need to downgrade to Suricata 5.x > again. In terms of security, I dislike that idea as well, however, this > seems to affect certain scenarios quite bad... > > Thanks, and best regards, > Peter Müller > > >> Hi, >> >>> On 12 Dec 2020, at 02:18, Kienker, Fred wrote: >>> >>> Matthas: >>> >>> I worked through some of the examples of the settings described in the >>> Suricata forum discussion. If my observations is correct, the issue >>> centers around the flow manager. A change to it has made a big >>> difference it the resource usage by this process. Its likely going to >>> come down to live with the load created the v6 version or revert to v5 >>> and wait for them to get to the bottom of this. No combination of >>> settings in the flow section of suricata.yaml ever seemed to reduce it >>> and instead increased it. >> >> Good research. >> >>> I don't use low power systems for IPFire and dont have access to one >>> but others with these systems may want to take a look at their >>> performance numbers and report back as to whether they can live with the >>> higher load. >> >> It is not directly low-power systems. >> >> I launched this on AWS today and the CPU load is immediately at 25%. >> It was mentioned on the linked thread that virtual systems are >> affected more. >> >> I would now rather lean towards reverting suricata 6 unless there is a >> hot fix available soon. >> >> Best, >> -Michael >> >>> >>> Best regards, >>> Fred >>> >>> Please note: Although we may sometimes respond to email, text and phone >>> calls instantly at all hours of the day, our regular business hours are >>> 9:00 AM - 6:00 PM ET, Monday thru Friday. >>> >>> -----Original Message----- >>> From: Matthias Fischer >>> Sent: Friday, December 11, 2020 6:34 PM >>> To: Kienker, Fred; michael.tremer ; >>> stefan.schantl >>> Cc: development >>> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to >>> 5.0.4 >>> >>> Hi, >>> >>> looks as if there is something going on in the suricata forum regarding >>> cpu load: >>> >>> => https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706 >>> >>> I can't really interpret the numrous screenshots and ongoing >>> discussions, but could it be that this is related to what I'm >>> experiencing when upgrading from 5.0.x to 6.0.x? >>> >>> Best, >>> Matthias >>> >>> >>