From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
Date: Fri, 11 Dec 2020 20:07:43 +0100
In-Reply-To: <69b700f2-fb04-4ad0-e673-f9c70fb9976c@ipfire.org>

Hi,

I changed to 'suricata 5.0.5/64bit' on Core 152.

CPU load of '/usr/bin/suricata -c /etc/suricata/suricata.yaml -D -q 0:1'
immediately went down to 0.1% - 2.0% in idle mode with *exactly* the same
rules as before.

Under 6.0.0 or 6.0.1 load rises up to 12.6% / idle.

Deactivating ALL rules made no difference. Load stays high.

Best,
Matthias

On 11.12.2020 17:00, Matthias Fischer wrote:
> Hi,
>
> confirmed.
>
> As I use to say: "Welcome to the club"! ;-)
>
> Running 'suricata 6.0.1' - but now I deactivated ALL rules.
>
> But: no rules, no change, CPU load is still much too high. In idle mode!
> NO traffic.
>
> @Fred:
> Graphs are almost identical to yours.
>
> Who writes the bug report?
>
> FYI:
> I'm just preparing the other 64bit Devel with 'suricata 5.0.5', just to
> see what will happen.
>
> Best,
> Matthias
>
> On 11.12.2020 16:20, Kienker, Fred wrote:
>> I am hoping this is the correct place to report C153 testing results.
>> Otherwise I will open a topic on the forum if you prefer.
>>
>> After updating a testing firewall from C152 Stable to C153 Testing, a
>> significant increase in CPU load was observed as reported by others -
>> see the attached graphs. The htop also shows Suricata as the 3 top
>> processes. No changes were made to the Suricata settings in the before
>> and after.
>>
>> This system has enough processing power so it is not an issue, but it
>> could be a problem on low powered systems.
>>
>> Machine specs:
>> Dell PowerEdge R420
>> Intel(R) Xeon(R) CPU E5-2430
>> 24 GB RAM
>>
>> Best regards,
>> Fred
>>
>> -----Original Message-----
>> From: Matthias Fischer
>> Sent: Thursday, December 10, 2020 12:32 PM
>> To: Michael Tremer; Stefan Schantl
>> Cc: IPFire: Development-List
>> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
>>
>> On 10.12.2020 14:39, Michael Tremer wrote:
>>> Hey Matthias,
>>
>> Hi Michael,
>>
>>> I checked but I cannot confirm this on my machine.
>>
>> Hm...
>>
>>> I also asked the others on the telephone conference and nobody saw
>>> anything suspicious either.
>>>
>>> What hardware are you using, and what rules are you using?
>>
>> Hardware is an old IPFire Duo Box ( ;-) ).
>>
>> Profile:
>> =>
>> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
>>
>> Today I - again - switched from 5.04 to 6.01 using Emerging Threats
>> Rules. CPU load immediately rose from 0.5-2% to ~10-12.5% (htop). See
>> attached screenshots.
>>
>> Then I deactivated a few rules (first wave at 17:35) - activating only
>> 'botcc', 'drop', 'dshield', 'emerging-exploit', 'emerging-malware' and
>> 'emerging-trojan' active. No change.
>>
>> Right now I'm on 'suricata 6.0.4' with 'Talos VRT rules (registered)'. No
>> change. Hm.
>>
>> Any ideas?
>>
>> Best,
>> Matthias
>>
>>> Best,
>>> -Michael
>>>
>>>> On 6 Dec 2020, at 11:08, Matthias Fischer wrote:
>>>>
>>>> Hi,
>>>>
>>>> I'd like to have a little problem... ;-)
>>>>
>>>> The other day I saw 'suricata 6.0.0' had its coming out - yesterday
>>>> it was '6.0.1'. At that time I thought it might be a good idea to
>>>> test the current version.
>>>>
>>>> So I built and tested these two one after another under Core 152/64bit.
>>>> I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated
>>>> and installed too, yesterday to 0.5.36.
>>>>
>>>> Both built without problems, both installed without problems, both
>>>> showed a strange behavior while running.
>>>>
>>>> Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c
>>>> /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from
>>>> ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'.
>>>> And I mean it. Idle. Nothing was going on.
>>>>
>>>> Hardware:
>>>> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
>>>>
>>>> Can anyone confirm - or did I miss something?
>>>>
>>>> Best,
>>>> Matthias