Hi, I changed to 'suricata 5.0.5/64bit' on Core 152. CPU load of '/usr/bin/suricata -c /etc/suricata/suricata.yaml -D -q 0:1' immidiately went down to 0.1% - 2.0% in idle mode with *exactly* the same rules as before. Under 6.0.0 or 6.0.1 load raises up to 12.6% / idle. Deactivating ALL rules made no difference. Load stays high. Best, Matthias On 11.12.2020 17:00, Matthias Fischer wrote: > Hi, > > confirmed. > > As I use to say: "Welcome to the club"! ;-) > > Running 'suricata 6.0.1 - but now I deactivated ALL rules. > > But: no rules, no change, CPU load is still much to high. In idle mode! > NO traffic. > > @Fred: > Graphs are almost identical to yours. > > Who writes the bug report? > > FYI: > I'm just preparing the other 64bit Devel with 'suricata 5.0.5', just to > see what will happen. > > Best, > Matthias > > On 11.12.2020 16:20, Kienker, Fred wrote: >> I am hoping this is the correct place to report C153 testing results. >> Otherwise I will open a topic on the forum if you prefer. >> >> After updating a testing firewall from C152 Stable to C153 Testing, a >> significant increase in CPU load was observed as reported by others - >> see the attached graphs. The htop also shows Suricata as the 3 top >> processes No changes were made to the Suricata settings in the before >> and after. >> >> This system is has enough processing power so it is not an issue, but it >> could be a problem on low powered systems. >> >> Machine specs: >> Dell PowerEdge R420 >> Intel(R) Xeon(R) CPU E5-2430 >> 24 GB RAM >> >> Best regards, >> Fred >> >> -----Original Message----- >> From: Matthias Fischer >> Sent: Thursday, December 10, 2020 12:32 PM >> To: Michael Tremer ; Stefan Schantl >> >> Cc: IPFire: Development-List >> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to >> 5.0.4 >> >> On 10.12.2020 14:39, Michael Tremer wrote: >>> Hey Matthias, >> >> Hi Michael, >> >>> I checked but I cannot confirm this on my machine. >> >> Hm... >> >>> I also asked the others on the telephone conference and nobody saw >> anything suspicious either. >>> >>> What hardware are you using, and what rules are you using? >> >> Hardware is an old IPFire Duo Box ( ;-) ). >> >> Profile: >> => >> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8 >> >> Today I - again - switched from 5.04 to 6.01 using Emerging Threats >> Rules. Cpu load immidiately raised from 0.5-2% to ~10-12.5% (htop). See >> attached screenshots. >> >> Then I deactivated a few rules (first wave at 17:35) - activating only >> 'botcc, 'drop', 'dshield', 'ermerging-exploit', 'emerging-malware' and >> 'emering-trojan' active. No change. >> >> Right now I'm on 'suricata 6.0.4' with 'Talos VRT rules (registered). No >> change. Hm. >> >> Any ideas? >> >> Best, >> Matthias >> >>> Best, >>> -Michael >>> >>>> On 6 Dec 2020, at 11:08, Matthias Fischer >> wrote: >>>> >>>> Hi, >>>> >>>> I'd like to have a little problem... ;-) >>>> >>>> The other day I saw 'suricata 6.0.0' had its coming out - yesterday >>>> it was '6.0.1'. At that time I thought it might be a good idea to >>>> test the current version. >>>> >>>> So I built and tested these two one after another under Core >> 152/64bit. >>>> I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated >>>> and installed too, yesterday to 0.5.36. >>>> >>>> Both built without problems, both installed without problems, both >>>> showed a strange behavior while running. >>>> >>>> Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c >>>> /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from >>>> ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'. >>>> And I mean it. Idle. Nothing was going on. >>>> >>>> Hardware: >>>> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c803 >>>> 0f43ce8 >>>> >>>> Can anyone confirm - or did I miss something? >>>> >>>> Best, >>>> Matthias >>> >> >> >> >