Hi,
On 10 Dec 2020, at 18:31, Matthias Fischer matthias.fischer@ipfire.org wrote:
On 10.12.2020 14:39, Michael Tremer wrote:
Hey Matthias,
Hi Michael,
I checked but I cannot confirm this on my machine.
Hm...
I also asked the others on the telephone conference and nobody saw anything suspicious either.
What hardware are you using, and what rules are you using?
Hardware is an old IPFire Duo Box ( ;-) ).
Profile: => https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
Today I - again - switched from 5.04 to 6.01 using Emerging Threats Rules. CPU load immediately rose from 0.5-2% to ~10-12.5% (htop). See attached screenshots.
Okay, this looks bad.
Then I deactivated a few rules (first wave at 17:35) - leaving only 'botcc', 'drop', 'dshield', 'emerging-exploit', 'emerging-malware' and 'emerging-trojan' active. No change.
Can you try to disable all rules and see if that makes a change?
It would also be helpful to see if the CPU resources are being wasted on kernel stuff (sys) or in the user land (user). According to the graph it is 50/50. Can you confirm that?
Right now I'm on 'suricata 6.0.4' with 'Talos VRT rules (registered)'. No change. Hm.
Any ideas?
Best, Matthias
-Michael
Best, -Michael
On 6 Dec 2020, at 11:08, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi,
I'd like to have a little problem... ;-)
The other day I saw 'suricata 6.0.0' had its coming out - yesterday it was '6.0.1'. At that time I thought it might be a good idea to test the current version.
So I built and tested these two one after another under Core 152/64bit. I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated and installed too, yesterday to 0.5.36.
Both built without problems, both installed without problems, both showed a strange behavior while running.
Under *each* 6.0.X-version, the CPU load for '/usr/bin/suricata -c /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'. And I mean it. Idle. Nothing was going on.
Hardware: https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
Can anyone confirm - or did I miss something?
Best, Matthias
[Attachments: htop.png, ids_with_vrt.png, load_per_day.png, load_per_hour.png]