Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4

[Matthias Fischer <matthias.fischer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 4293 bytes --]

Hi,

I changed to 'suricata 5.0.5/64bit' on Core 152.

CPU load of '/usr/bin/suricata -c /etc/suricata/suricata.yaml -D -q 0:1'
immidiately went down to 0.1% - 2.0% in idle mode with *exactly* the
same rules as before.

Under 6.0.0 or 6.0.1 load raises up to 12.6% / idle.

Deactivating ALL rules made no difference. Load stays high.

Best,
Matthias

On 11.12.2020 17:00, Matthias Fischer wrote:
> Hi,
> 
> confirmed.
> 
> As I use to say: "Welcome to the club"! ;-)
> 
> Running 'suricata 6.0.1 - but now I deactivated ALL rules.
> 
> But: no rules, no change, CPU load is still much to high. In idle mode!
> NO traffic.
> 
> @Fred:
> Graphs are almost identical to yours.
> 
> Who writes the bug report?
> 
> FYI:
> I'm just preparing the other 64bit Devel with 'suricata 5.0.5', just to
> see what will happen.
> 
> Best,
> Matthias
> 
> On 11.12.2020 16:20, Kienker, Fred wrote:
>> I am hoping this is the correct place to report C153 testing results. 
>> Otherwise I will open a topic on the forum if you prefer.
>> 
>> After updating a testing firewall from C152 Stable to C153 Testing, a 
>> significant increase in CPU load was observed as reported by others - 
>> see the attached graphs. The htop also shows Suricata as the 3 top 
>> processes No changes were made to the Suricata settings in the before 
>> and after.
>> 
>> This system is has enough processing power so it is not an issue, but it 
>> could be a problem on low powered systems.
>> 
>> Machine specs:
>>   Dell PowerEdge R420
>>   Intel(R) Xeon(R) CPU E5-2430
>>   24 GB RAM	
>> 
>> Best regards, 
>> Fred
>> 
>> -----Original Message-----
>> From: Matthias Fischer <matthias.fischer(a)ipfire.org> 
>> Sent: Thursday, December 10, 2020 12:32 PM
>> To: Michael Tremer <michael.tremer(a)ipfire.org>; Stefan Schantl 
>> <stefan.schantl(a)ipfire.org>
>> Cc: IPFire: Development-List <development(a)lists.ipfire.org>
>> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 
>> 5.0.4
>> 
>> On 10.12.2020 14:39, Michael Tremer wrote:
>>> Hey Matthias,
>> 
>> Hi Michael,
>> 
>>> I checked but I cannot confirm this on my machine.
>> 
>> Hm...
>> 
>>> I also asked the others on the telephone conference and nobody saw 
>> anything suspicious either.
>>> 
>>> What hardware are you using, and what rules are you using?
>> 
>> Hardware is an old IPFire Duo Box ( ;-) ).
>> 
>> Profile:
>> =>
>> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
>> 
>> Today I - again - switched from 5.04 to 6.01 using Emerging Threats 
>> Rules. Cpu load immidiately raised from 0.5-2% to ~10-12.5% (htop). See 
>> attached screenshots.
>> 
>> Then I deactivated a few rules (first wave at 17:35) - activating only 
>> 'botcc, 'drop', 'dshield', 'ermerging-exploit', 'emerging-malware' and 
>> 'emering-trojan' active. No change.
>> 
>> Right now I'm on 'suricata 6.0.4' with 'Talos VRT rules (registered). No 
>> change. Hm.
>> 
>> Any ideas?
>> 
>> Best,
>> Matthias
>> 
>>> Best,
>>> -Michael
>>> 
>>>> On 6 Dec 2020, at 11:08, Matthias Fischer 
>> <matthias.fischer(a)ipfire.org> wrote:
>>>> 
>>>> Hi,
>>>> 
>>>> I'd like to have a little problem... ;-)
>>>> 
>>>> The other day I saw 'suricata 6.0.0' had its coming out - yesterday 
>>>> it was '6.0.1'. At that time I thought it might be a good idea to 
>>>> test the current version.
>>>> 
>>>> So I built and tested these two one after another under Core 
>> 152/64bit.
>>>> I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated 
>>>> and installed too, yesterday to 0.5.36.
>>>> 
>>>> Both built without problems, both installed without problems, both 
>>>> showed a strange behavior while running.
>>>> 
>>>> Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c 
>>>> /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from 
>>>> ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'.
>>>> And I mean it. Idle. Nothing was going on.
>>>> 
>>>> Hardware:
>>>> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c803
>>>> 0f43ce8
>>>> 
>>>> Can anyone confirm - or did I miss something?
>>>> 
>>>> Best,
>>>> Matthias
>>> 
>> 
>> 
>> 
>