Hi,
I'd like to have a little problem... ;-)
The other day I saw 'suricata 6.0.0' had its coming out - yesterday it was '6.0.1'. At that time I thought it might be a good idea to test the current version.
So I built and tested these two one after another under Core 152/64bit. I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated and installed too, yesterday to 0.5.36.
Both built without problems, both installed without problems, both showed a strange behavior while running.
Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'. And I mean it. Idle. Nothing was going on.
Hardware: https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
Can anyone confirm - or did I miss something?
Best, Matthias
Hey Matthias,
I checked but I cannot confirm this on my machine.
I also asked the others on the telephone conference and nobody saw anything suspicious either.
What hardware are you using, and what rules are you using?
Best, -Michael
On 6 Dec 2020, at 11:08, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi,
I'd like to have a little problem... ;-)
The other day I saw 'suricata 6.0.0' had its coming out - yesterday it was '6.0.1'. At that time I thought it might be a good idea to test the current version.
So I built and tested these two one after another under Core 152/64bit. I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated and installed too, yesterday to 0.5.36.
Both built without problems, both installed without problems, both showed a strange behavior while running.
Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'. And I mean it. Idle. Nothing was going on.
Hardware: https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
Can anyone confirm - or did I miss something?
Best, Matthias
On 10.12.2020 14:39, Michael Tremer wrote:
Hey Matthias,
Hi Michael,
I checked but I cannot confirm this on my machine.
Hm...
I also asked the others on the telephone conference and nobody saw anything suspicious either.
What hardware are you using, and what rules are you using?
Hardware is an old IPFire Duo Box ( ;-) ).
Profile: => https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
Today I - again - switched from 5.04 to 6.01 using Emerging Threats Rules. Cpu load immidiately raised from 0.5-2% to ~10-12.5% (htop). See attached screenshots.
Then I deactivated a few rules (first wave at 17:35) - activating only 'botcc, 'drop', 'dshield', 'ermerging-exploit', 'emerging-malware' and 'emering-trojan' active. No change.
Right now I'm on 'suricata 6.0.4' with 'Talos VRT rules (registered). No change. Hm.
Any ideas?
Best, Matthias
Best, -Michael
On 6 Dec 2020, at 11:08, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi,
I'd like to have a little problem... ;-)
The other day I saw 'suricata 6.0.0' had its coming out - yesterday it was '6.0.1'. At that time I thought it might be a good idea to test the current version.
So I built and tested these two one after another under Core 152/64bit. I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated and installed too, yesterday to 0.5.36.
Both built without problems, both installed without problems, both showed a strange behavior while running.
Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'. And I mean it. Idle. Nothing was going on.
Hardware: https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
Can anyone confirm - or did I miss something?
Best, Matthias
Hi,
On 10 Dec 2020, at 18:31, Matthias Fischer matthias.fischer@ipfire.org wrote:
On 10.12.2020 14:39, Michael Tremer wrote:
Hey Matthias,
Hi Michael,
I checked but I cannot confirm this on my machine.
Hm...
I also asked the others on the telephone conference and nobody saw anything suspicious either.
What hardware are you using, and what rules are you using?
Hardware is an old IPFire Duo Box ( ;-) ).
Profile: => https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
Today I - again - switched from 5.04 to 6.01 using Emerging Threats Rules. Cpu load immidiately raised from 0.5-2% to ~10-12.5% (htop). See attached screenshots.
Okay, this looks bad.
Then I deactivated a few rules (first wave at 17:35) - activating only 'botcc, 'drop', 'dshield', 'ermerging-exploit', 'emerging-malware' and 'emering-trojan' active. No change.
Can you try to disable all rules and see if that makes a change?
It would also be helpful to see if the CPU resources are being wasted on kernel stuff (sys) or in the user land (user). According to the graph it is 50/50. Can you confirm that?
Right now I'm on 'suricata 6.0.4' with 'Talos VRT rules (registered). No change. Hm.
Any ideas?
Best, Matthias
-Michael
Best, -Michael
On 6 Dec 2020, at 11:08, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi,
I'd like to have a little problem... ;-)
The other day I saw 'suricata 6.0.0' had its coming out - yesterday it was '6.0.1'. At that time I thought it might be a good idea to test the current version.
So I built and tested these two one after another under Core 152/64bit. I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated and installed too, yesterday to 0.5.36.
Both built without problems, both installed without problems, both showed a strange behavior while running.
Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'. And I mean it. Idle. Nothing was going on.
Hardware: https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
Can anyone confirm - or did I miss something?
Best, Matthias
<htop.png><ids_with_vrt.png><load_per_day.png><load_per_hour.png>
Hi,
On 10.12.2020 20:36, Michael Tremer wrote:
... Can you try to disable all rules and see if that makes a change?
Done. No change, see below.
It would also be helpful to see if the CPU resources are being wasted on kernel stuff (sys) or in the user land (user). According to the graph it is 50/50. Can you confirm that?
Yes.
Without any rules 'user load' = 6.96%, 'system load' = 4.32%.
Load is ~ten times higher, temperatures rised too.
Best, Matthias
I am hoping this is the correct place to report C153 testing results. Otherwise I will open a topic on the forum if you prefer.
After updating a testing firewall from C152 Stable to C153 Testing, a significant increase in CPU load was observed as reported by others - see the attached graphs. The htop also shows Suricata as the 3 top processes No changes were made to the Suricata settings in the before and after.
This system is has enough processing power so it is not an issue, but it could be a problem on low powered systems.
Machine specs: Dell PowerEdge R420 Intel(R) Xeon(R) CPU E5-2430 24 GB RAM
Best regards, Fred
-----Original Message----- From: Matthias Fischer matthias.fischer@ipfire.org Sent: Thursday, December 10, 2020 12:32 PM To: Michael Tremer michael.tremer@ipfire.org; Stefan Schantl stefan.schantl@ipfire.org Cc: IPFire: Development-List development@lists.ipfire.org Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
On 10.12.2020 14:39, Michael Tremer wrote:
Hey Matthias,
Hi Michael,
I checked but I cannot confirm this on my machine.
Hm...
I also asked the others on the telephone conference and nobody saw
anything suspicious either.
What hardware are you using, and what rules are you using?
Hardware is an old IPFire Duo Box ( ;-) ).
Profile: => https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
Today I - again - switched from 5.04 to 6.01 using Emerging Threats Rules. Cpu load immidiately raised from 0.5-2% to ~10-12.5% (htop). See attached screenshots.
Then I deactivated a few rules (first wave at 17:35) - activating only 'botcc, 'drop', 'dshield', 'ermerging-exploit', 'emerging-malware' and 'emering-trojan' active. No change.
Right now I'm on 'suricata 6.0.4' with 'Talos VRT rules (registered). No change. Hm.
Any ideas?
Best, Matthias
Best, -Michael
On 6 Dec 2020, at 11:08, Matthias Fischer
matthias.fischer@ipfire.org wrote:
Hi,
I'd like to have a little problem... ;-)
The other day I saw 'suricata 6.0.0' had its coming out - yesterday it was '6.0.1'. At that time I thought it might be a good idea to test the current version.
So I built and tested these two one after another under Core
152/64bit.
I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated and installed too, yesterday to 0.5.36.
Both built without problems, both installed without problems, both showed a strange behavior while running.
Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'. And I mean it. Idle. Nothing was going on.
Hardware: https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c803 0f43ce8
Can anyone confirm - or did I miss something?
Best, Matthias
Hi,
confirmed.
As I use to say: "Welcome to the club"! ;-)
Running 'suricata 6.0.1 - but now I deactivated ALL rules.
But: no rules, no change, CPU load is still much to high. In idle mode! NO traffic.
@Fred: Graphs are almost identical to yours.
Who writes the bug report?
FYI: I'm just preparing the other 64bit Devel with 'suricata 5.0.5', just to see what will happen.
Best, Matthias
On 11.12.2020 16:20, Kienker, Fred wrote:
I am hoping this is the correct place to report C153 testing results. Otherwise I will open a topic on the forum if you prefer.
After updating a testing firewall from C152 Stable to C153 Testing, a significant increase in CPU load was observed as reported by others - see the attached graphs. The htop also shows Suricata as the 3 top processes No changes were made to the Suricata settings in the before and after.
This system is has enough processing power so it is not an issue, but it could be a problem on low powered systems.
Machine specs: Dell PowerEdge R420 Intel(R) Xeon(R) CPU E5-2430 24 GB RAM
Best regards, Fred
-----Original Message----- From: Matthias Fischer matthias.fischer@ipfire.org Sent: Thursday, December 10, 2020 12:32 PM To: Michael Tremer michael.tremer@ipfire.org; Stefan Schantl stefan.schantl@ipfire.org Cc: IPFire: Development-List development@lists.ipfire.org Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
On 10.12.2020 14:39, Michael Tremer wrote:
Hey Matthias,
Hi Michael,
I checked but I cannot confirm this on my machine.
Hm...
I also asked the others on the telephone conference and nobody saw
anything suspicious either.
What hardware are you using, and what rules are you using?
Hardware is an old IPFire Duo Box ( ;-) ).
Profile: => https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
Today I - again - switched from 5.04 to 6.01 using Emerging Threats Rules. Cpu load immidiately raised from 0.5-2% to ~10-12.5% (htop). See attached screenshots.
Then I deactivated a few rules (first wave at 17:35) - activating only 'botcc, 'drop', 'dshield', 'ermerging-exploit', 'emerging-malware' and 'emering-trojan' active. No change.
Right now I'm on 'suricata 6.0.4' with 'Talos VRT rules (registered). No change. Hm.
Any ideas?
Best, Matthias
Best, -Michael
On 6 Dec 2020, at 11:08, Matthias Fischer
matthias.fischer@ipfire.org wrote:
Hi,
I'd like to have a little problem... ;-)
The other day I saw 'suricata 6.0.0' had its coming out - yesterday it was '6.0.1'. At that time I thought it might be a good idea to test the current version.
So I built and tested these two one after another under Core
152/64bit.
I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated and installed too, yesterday to 0.5.36.
Both built without problems, both installed without problems, both showed a strange behavior while running.
Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'. And I mean it. Idle. Nothing was going on.
Hardware: https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c803 0f43ce8
Can anyone confirm - or did I miss something?
Best, Matthias
Hi,
I changed to 'suricata 5.0.5/64bit' on Core 152.
CPU load of '/usr/bin/suricata -c /etc/suricata/suricata.yaml -D -q 0:1' immidiately went down to 0.1% - 2.0% in idle mode with *exactly* the same rules as before.
Under 6.0.0 or 6.0.1 load raises up to 12.6% / idle.
Deactivating ALL rules made no difference. Load stays high.
Best, Matthias
On 11.12.2020 17:00, Matthias Fischer wrote:
Hi,
confirmed.
As I use to say: "Welcome to the club"! ;-)
Running 'suricata 6.0.1 - but now I deactivated ALL rules.
But: no rules, no change, CPU load is still much to high. In idle mode! NO traffic.
@Fred: Graphs are almost identical to yours.
Who writes the bug report?
FYI: I'm just preparing the other 64bit Devel with 'suricata 5.0.5', just to see what will happen.
Best, Matthias
On 11.12.2020 16:20, Kienker, Fred wrote:
I am hoping this is the correct place to report C153 testing results. Otherwise I will open a topic on the forum if you prefer.
After updating a testing firewall from C152 Stable to C153 Testing, a significant increase in CPU load was observed as reported by others - see the attached graphs. The htop also shows Suricata as the 3 top processes No changes were made to the Suricata settings in the before and after.
This system is has enough processing power so it is not an issue, but it could be a problem on low powered systems.
Machine specs: Dell PowerEdge R420 Intel(R) Xeon(R) CPU E5-2430 24 GB RAM
Best regards, Fred
-----Original Message----- From: Matthias Fischer matthias.fischer@ipfire.org Sent: Thursday, December 10, 2020 12:32 PM To: Michael Tremer michael.tremer@ipfire.org; Stefan Schantl stefan.schantl@ipfire.org Cc: IPFire: Development-List development@lists.ipfire.org Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
On 10.12.2020 14:39, Michael Tremer wrote:
Hey Matthias,
Hi Michael,
I checked but I cannot confirm this on my machine.
Hm...
I also asked the others on the telephone conference and nobody saw
anything suspicious either.
What hardware are you using, and what rules are you using?
Hardware is an old IPFire Duo Box ( ;-) ).
Profile: => https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
Today I - again - switched from 5.04 to 6.01 using Emerging Threats Rules. Cpu load immidiately raised from 0.5-2% to ~10-12.5% (htop). See attached screenshots.
Then I deactivated a few rules (first wave at 17:35) - activating only 'botcc, 'drop', 'dshield', 'ermerging-exploit', 'emerging-malware' and 'emering-trojan' active. No change.
Right now I'm on 'suricata 6.0.4' with 'Talos VRT rules (registered). No change. Hm.
Any ideas?
Best, Matthias
Best, -Michael
On 6 Dec 2020, at 11:08, Matthias Fischer
matthias.fischer@ipfire.org wrote:
Hi,
I'd like to have a little problem... ;-)
The other day I saw 'suricata 6.0.0' had its coming out - yesterday it was '6.0.1'. At that time I thought it might be a good idea to test the current version.
So I built and tested these two one after another under Core
152/64bit.
I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated and installed too, yesterday to 0.5.36.
Both built without problems, both installed without problems, both showed a strange behavior while running.
Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'. And I mean it. Idle. Nothing was going on.
Hardware: https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c803 0f43ce8
Can anyone confirm - or did I miss something?
Best, Matthias
Hi,
looks as if there is something going on in the suricata forum regarding cpu load:
=> https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
I can't really interpret the numrous screenshots and ongoing discussions, but could it be that this is related to what I'm experiencing when upgrading from 5.0.x to 6.0.x?
Best, Matthias
Matthas:
I worked through some of the examples of the settings described in the Suricata forum discussion. If my observations is correct, the issue centers around the flow manager. A change to it has made a big difference it the resource usage by this process. Its likely going to come down to live with the load created the v6 version or revert to v5 and wait for them to get to the bottom of this. No combination of settings in the flow section of suricata.yaml ever seemed to reduce it and instead increased it.
I don't use low power systems for IPFire and dont have access to one but others with these systems may want to take a look at their performance numbers and report back as to whether they can live with the higher load.
Best regards, Fred
Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 9:00 AM - 6:00 PM ET, Monday thru Friday.
-----Original Message----- From: Matthias Fischer matthias.fischer@ipfire.org Sent: Friday, December 11, 2020 6:34 PM To: Kienker, Fred; michael.tremer michael.tremer@ipfire.org; stefan.schantl stefan.schantl@ipfire.org Cc: development development@lists.ipfire.org Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
Hi,
looks as if there is something going on in the suricata forum regarding cpu load:
=> https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
I can't really interpret the numrous screenshots and ongoing discussions, but could it be that this is related to what I'm experiencing when upgrading from 5.0.x to 6.0.x?
Best, Matthias
Hi,
On 12 Dec 2020, at 02:18, Kienker, Fred fkienker@at4b.com wrote:
Matthas:
I worked through some of the examples of the settings described in the Suricata forum discussion. If my observations is correct, the issue centers around the flow manager. A change to it has made a big difference it the resource usage by this process. Its likely going to come down to live with the load created the v6 version or revert to v5 and wait for them to get to the bottom of this. No combination of settings in the flow section of suricata.yaml ever seemed to reduce it and instead increased it.
Good research.
I don't use low power systems for IPFire and dont have access to one but others with these systems may want to take a look at their performance numbers and report back as to whether they can live with the higher load.
It is not directly low-power systems.
I launched this on AWS today and the CPU load is immediately at 25%. It was mentioned on the linked thread that virtual systems are affected more.
I would now rather lean towards reverting suricata 6 unless there is a hot fix available soon.
Best, -Michael
Best regards, Fred
Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 9:00 AM - 6:00 PM ET, Monday thru Friday.
-----Original Message----- From: Matthias Fischer matthias.fischer@ipfire.org Sent: Friday, December 11, 2020 6:34 PM To: Kienker, Fred; michael.tremer michael.tremer@ipfire.org; stefan.schantl stefan.schantl@ipfire.org Cc: development development@lists.ipfire.org Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
Hi,
looks as if there is something going on in the suricata forum regarding cpu load:
=> https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
I can't really interpret the numrous screenshots and ongoing discussions, but could it be that this is related to what I'm experiencing when upgrading from 5.0.x to 6.0.x?
Best, Matthias
Hello Michael, hello Matthias, hello *,
just for the records: I cannot reproduce this issue on two machines running Core Update 153 (testing) for a while now.
Both have an Intel N3150 CPU and are running on x86_64 (no virtualisation), one of those is almost permanently under a significant network load. To be honest, it's CPU load actually _decreased_ a bit after installing Core Update 153, but I cannot pinpoint the reason for this at the moment.
From my point of view, there is no need to downgrade to Suricata 5.x again. In terms of security, I dislike that idea as well, however, this seems to affect certain scenarios quite bad...
Thanks, and best regards, Peter Müller
Hi,
On 12 Dec 2020, at 02:18, Kienker, Fred fkienker@at4b.com wrote:
Matthas:
I worked through some of the examples of the settings described in the Suricata forum discussion. If my observations is correct, the issue centers around the flow manager. A change to it has made a big difference it the resource usage by this process. Its likely going to come down to live with the load created the v6 version or revert to v5 and wait for them to get to the bottom of this. No combination of settings in the flow section of suricata.yaml ever seemed to reduce it and instead increased it.
Good research.
I don't use low power systems for IPFire and dont have access to one but others with these systems may want to take a look at their performance numbers and report back as to whether they can live with the higher load.
It is not directly low-power systems.
I launched this on AWS today and the CPU load is immediately at 25%. It was mentioned on the linked thread that virtual systems are affected more.
I would now rather lean towards reverting suricata 6 unless there is a hot fix available soon.
Best, -Michael
Best regards, Fred
Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 9:00 AM - 6:00 PM ET, Monday thru Friday.
-----Original Message----- From: Matthias Fischer matthias.fischer@ipfire.org Sent: Friday, December 11, 2020 6:34 PM To: Kienker, Fred; michael.tremer michael.tremer@ipfire.org; stefan.schantl stefan.schantl@ipfire.org Cc: development development@lists.ipfire.org Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
Hi,
looks as if there is something going on in the suricata forum regarding cpu load:
=> https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
I can't really interpret the numrous screenshots and ongoing discussions, but could it be that this is related to what I'm experiencing when upgrading from 5.0.x to 6.0.x?
Best, Matthias
Hallo All,
I have been testing Core Update 153 on my VirtualBox VM test bed system.
With Core 152 with no IPS the CPU is running around 0.7%. With IPS turned on it runs around 1.5%.
With Core 153 with no IPS the CPU is running around 0.7% again. With IPS turned on it runs around 10.5%.
The system info is:- IPFire version IPFire 2.25 (x86_64) - core153 Development Build: master/eaa90321 Pakfire version 2.25.1-x86_64 Kernel version Linux ipfire 4.14.211-ipfire #1 SMP Tue Dec 8 23:54:50 GMT 2020 x86_64 Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz GenuineIntel GNU/Linux
Regards, Adolf Belka
On 14/12/2020 16:58, Peter Müller wrote:
Hello Michael, hello Matthias, hello *,
just for the records: I cannot reproduce this issue on two machines running Core Update 153 (testing) for a while now.
Both have an Intel N3150 CPU and are running on x86_64 (no virtualisation), one of those is almost permanently under a significant network load. To be honest, it's CPU load actually _decreased_ a bit after installing Core Update 153, but I cannot pinpoint the reason for this at the moment.
From my point of view, there is no need to downgrade to Suricata 5.x again. In terms of security, I dislike that idea as well, however, this seems to affect certain scenarios quite bad...
Thanks, and best regards, Peter Müller
Hi,
On 12 Dec 2020, at 02:18, Kienker, Fred fkienker@at4b.com wrote:
Matthas:
I worked through some of the examples of the settings described in the Suricata forum discussion. If my observations is correct, the issue centers around the flow manager. A change to it has made a big difference it the resource usage by this process. Its likely going to come down to live with the load created the v6 version or revert to v5 and wait for them to get to the bottom of this. No combination of settings in the flow section of suricata.yaml ever seemed to reduce it and instead increased it.
Good research.
I don't use low power systems for IPFire and dont have access to one but others with these systems may want to take a look at their performance numbers and report back as to whether they can live with the higher load.
It is not directly low-power systems.
I launched this on AWS today and the CPU load is immediately at 25%. It was mentioned on the linked thread that virtual systems are affected more.
I would now rather lean towards reverting suricata 6 unless there is a hot fix available soon.
Best, -Michael
Best regards, Fred
Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 9:00 AM - 6:00 PM ET, Monday thru Friday.
-----Original Message----- From: Matthias Fischer matthias.fischer@ipfire.org Sent: Friday, December 11, 2020 6:34 PM To: Kienker, Fred; michael.tremer michael.tremer@ipfire.org; stefan.schantl stefan.schantl@ipfire.org Cc: development development@lists.ipfire.org Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
Hi,
looks as if there is something going on in the suricata forum regarding cpu load:
=> https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
I can't really interpret the numrous screenshots and ongoing discussions, but could it be that this is related to what I'm experiencing when upgrading from 5.0.x to 6.0.x?
Best, Matthias
Hello *,
some feedback came from the community (https://community.ipfire.org/t/core-153-testing/4005/), where CPU load seems to behave fine as well.
Unless I overlooked something, this issue primarily seems to affect - virtualised systems and - machines running on a CPU with two cores or less.
Thanks, and best regards, Peter Müller
Hello Michael, hello Matthias, hello *,
just for the records: I cannot reproduce this issue on two machines running Core Update 153 (testing) for a while now.
Both have an Intel N3150 CPU and are running on x86_64 (no virtualisation), one of those is almost permanently under a significant network load. To be honest, it's CPU load actually _decreased_ a bit after installing Core Update 153, but I cannot pinpoint the reason for this at the moment.
From my point of view, there is no need to downgrade to Suricata 5.x again. In terms of security, I dislike that idea as well, however, this seems to affect certain scenarios quite bad...
Thanks, and best regards, Peter Müller
Hi,
On 12 Dec 2020, at 02:18, Kienker, Fred fkienker@at4b.com wrote:
Matthas:
I worked through some of the examples of the settings described in the Suricata forum discussion. If my observations is correct, the issue centers around the flow manager. A change to it has made a big difference it the resource usage by this process. Its likely going to come down to live with the load created the v6 version or revert to v5 and wait for them to get to the bottom of this. No combination of settings in the flow section of suricata.yaml ever seemed to reduce it and instead increased it.
Good research.
I don't use low power systems for IPFire and dont have access to one but others with these systems may want to take a look at their performance numbers and report back as to whether they can live with the higher load.
It is not directly low-power systems.
I launched this on AWS today and the CPU load is immediately at 25%. It was mentioned on the linked thread that virtual systems are affected more.
I would now rather lean towards reverting suricata 6 unless there is a hot fix available soon.
Best, -Michael
Best regards, Fred
Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 9:00 AM - 6:00 PM ET, Monday thru Friday.
-----Original Message----- From: Matthias Fischer matthias.fischer@ipfire.org Sent: Friday, December 11, 2020 6:34 PM To: Kienker, Fred; michael.tremer michael.tremer@ipfire.org; stefan.schantl stefan.schantl@ipfire.org Cc: development development@lists.ipfire.org Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
Hi,
looks as if there is something going on in the suricata forum regarding cpu load:
=> https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
I can't really interpret the numrous screenshots and ongoing discussions, but could it be that this is related to what I'm experiencing when upgrading from 5.0.x to 6.0.x?
Best, Matthias
After several hours spent trying various Suricata configuration settings, these are my observations.
The big change in Suricata v6 is that it is more oriented toward multiprocessor systems than v5. The best performance I could get was by allocating a specific cpu to management-cpu-set, receive-cpu-set, and verdict-cpu-set with a range of worker-cpu-set. This:
threading: # set-cpu-affinity: no set-cpu-affinity: yes cpu-affinity: - management-cpu-set: # cpu: [ 0 ] # include only these cpus in affinity settings cpu: [ "3" ] # include only these cpus in affinity settings - receive-cpu-set: cpu: [ "4" ] # include only these cpus in affinity settings # mode: "balanced" - verdict-cpu-set: # cpu: [ 0 ] # include only these cpus in affinity settings cpu: [ "5" ] # include only these cpus in affinity settings prio: default: "high" - worker-cpu-set: # cpu: [ "all" ] cpu: [ "6-11" ] mode: "exclusive" # prio: # low: [ 0 ] # medium: [ "1-2" ] # high: [ 3 ] default: "medium"
Adding set-cpu-affinity:yes and putting the management-cpu-set on it *own* cpu made the single biggest difference in reducing CPU load. Just adding just these two changes might make v6 performance acceptable. This assumes the target system has at least two cores, though 4 would be much better.
For those of us with the luxury of numerous cores and lots of CPU cache memory, this set up results in dramatically better performance over stock IPFire. Suricata literature points out it is designed to perform the best in this setting.
Best regards, Fred
Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 9:00 AM - 6:00 PM ET, Monday thru Friday.
-----Original Message----- From: Michael Tremer michael.tremer@ipfire.org Sent: Monday, December 14, 2020 9:26 AM To: Kienker, Fred Cc: matthias.fischer matthias.fischer@ipfire.org; Stefan Schantl stefan.schantl@ipfire.org; development development@lists.ipfire.org Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
Hi,
On 12 Dec 2020, at 02:18, Kienker, Fred fkienker@at4b.com wrote:
Matthas:
I worked through some of the examples of the settings described in the
Suricata forum discussion. If my observations is correct, the issue centers around the flow manager. A change to it has made a big difference it the resource usage by this process. Its likely going to come down to live with the load created the v6 version or revert to v5
and wait for them to get to the bottom of this. No combination of settings in the flow section of suricata.yaml ever seemed to reduce it
and instead increased it.
Good research.
I don't use low power systems for IPFire and dont have access to one but others with these systems may want to take a look at their performance numbers and report back as to whether they can live with the higher load.
It is not directly low-power systems.
I launched this on AWS today and the CPU load is immediately at 25%. It was mentioned on the linked thread that virtual systems are affected more.
I would now rather lean towards reverting suricata 6 unless there is a hot fix available soon.
Best, -Michael
Best regards, Fred
Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 9:00 AM - 6:00 PM ET, Monday thru Friday.
-----Original Message----- From: Matthias Fischer matthias.fischer@ipfire.org Sent: Friday, December 11, 2020 6:34 PM To: Kienker, Fred; michael.tremer michael.tremer@ipfire.org; stefan.schantl stefan.schantl@ipfire.org Cc: development development@lists.ipfire.org Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
Hi,
looks as if there is something going on in the suricata forum regarding cpu load:
=> https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
I can't really interpret the numrous screenshots and ongoing discussions, but could it be that this is related to what I'm experiencing when upgrading from 5.0.x to 6.0.x?
Best, Matthias
I have submitted a bug report.
Best regards, Fred
Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 9:00 AM - 6:00 PM ET, Monday thru Friday.
-----Original Message----- From: Matthias Fischer matthias.fischer@ipfire.org Sent: Friday, December 11, 2020 11:01 AM To: Kienker, Fred; michael.tremer michael.tremer@ipfire.org; stefan.schantl stefan.schantl@ipfire.org Cc: development development@lists.ipfire.org Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
Hi,
confirmed.
As I use to say: "Welcome to the club"! ;-)
Running 'suricata 6.0.1 - but now I deactivated ALL rules.
But: no rules, no change, CPU load is still much to high. In idle mode! NO traffic.
@Fred: Graphs are almost identical to yours.
Who writes the bug report?
FYI: I'm just preparing the other 64bit Devel with 'suricata 5.0.5', just to see what will happen.
Best, Matthias
On 11.12.2020 16:20, Kienker, Fred wrote:
I am hoping this is the correct place to report C153 testing results. Otherwise I will open a topic on the forum if you prefer.
After updating a testing firewall from C152 Stable to C153 Testing, a significant increase in CPU load was observed as reported by others - see the attached graphs. The htop also shows Suricata as the 3 top processes No changes were made to the Suricata settings in the before and after.
This system is has enough processing power so it is not an issue, but it could be a problem on low powered systems.
Machine specs: Dell PowerEdge R420 Intel(R) Xeon(R) CPU E5-2430 24 GB RAM
Best regards, Fred
-----Original Message----- From: Matthias Fischer matthias.fischer@ipfire.org Sent: Thursday, December 10, 2020 12:32 PM To: Michael Tremer michael.tremer@ipfire.org; Stefan Schantl stefan.schantl@ipfire.org Cc: IPFire: Development-List development@lists.ipfire.org Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
On 10.12.2020 14:39, Michael Tremer wrote:
Hey Matthias,
Hi Michael,
I checked but I cannot confirm this on my machine.
Hm...
I also asked the others on the telephone conference and nobody saw
anything suspicious either.
What hardware are you using, and what rules are you using?
Hardware is an old IPFire Duo Box ( ;-) ).
Profile: => https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030 f43ce8
Today I - again - switched from 5.04 to 6.01 using Emerging Threats Rules. Cpu load immidiately raised from 0.5-2% to ~10-12.5% (htop). See attached screenshots.
Then I deactivated a few rules (first wave at 17:35) - activating only
'botcc, 'drop', 'dshield', 'ermerging-exploit', 'emerging-malware' and
'emering-trojan' active. No change.
Right now I'm on 'suricata 6.0.4' with 'Talos VRT rules (registered). No change. Hm.
Any ideas?
Best, Matthias
Best, -Michael
On 6 Dec 2020, at 11:08, Matthias Fischer
matthias.fischer@ipfire.org wrote:
Hi,
I'd like to have a little problem... ;-)
The other day I saw 'suricata 6.0.0' had its coming out - yesterday it was '6.0.1'. At that time I thought it might be a good idea to test the current version.
So I built and tested these two one after another under Core
152/64bit.
I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated and installed too, yesterday to 0.5.36.
Both built without problems, both installed without problems, both showed a strange behavior while running.
Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from
~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'. And I mean it. Idle. Nothing was going on.
Hardware: https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c80 3 0f43ce8
Can anyone confirm - or did I miss something?
Best, Matthias
Correction!
Sorry, typo.
Its 'suricata 6.0.1' of course!
Best, Matthias
-
Adolf Belka -
Kienker, Fred -
Matthias Fischer -
Michael Tremer -
Peter Müller