public inbox for development@lists.ipfire.org
* suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
@ 2020-12-06 10:08 Matthias Fischer
  2020-12-10 13:39 ` Michael Tremer
  0 siblings, 1 reply; 15+ messages in thread
From: Matthias Fischer @ 2020-12-06 10:08 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 877 bytes --]

Hi,

I'd like to have a little problem... ;-)

The other day I saw 'suricata 6.0.0' had its coming out - yesterday it
was '6.0.1'. At that time I thought it might be a good idea to test the
current version.

So I built and tested these two one after another under Core 152/64bit.
I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated and
installed too, yesterday to 0.5.36.

Both built without problems, both installed without problems, both
showed a strange behavior while running.

Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c
/etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from
~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'.
And I mean it. Idle. Nothing was going on.

Hardware:
https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8

Can anyone confirm - or did I miss something?

Best,
Matthias

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
  2020-12-06 10:08 suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4 Matthias Fischer
@ 2020-12-10 13:39 ` Michael Tremer
  2020-12-10 17:46   ` Matthias Fischer
  0 siblings, 1 reply; 15+ messages in thread
From: Michael Tremer @ 2020-12-10 13:39 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 1298 bytes --]

Hey Matthias,

I checked but I cannot confirm this on my machine.

I also asked the others on the telephone conference and nobody saw anything suspicious either.

What hardware are you using, and what rules are you using?

Best,
-Michael

> On 6 Dec 2020, at 11:08, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
> 
> Hi,
> 
> I'd like to have a little problem... ;-)
> 
> The other day I saw 'suricata 6.0.0' had its coming out - yesterday it
> was '6.0.1'. At that time I thought it might be a good idea to test the
> current version.
> 
> So I built and tested these two one after another under Core 152/64bit.
> I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated and
> installed too, yesterday to 0.5.36.
> 
> Both built without problems, both installed without problems, both
> showed a strange behavior while running.
> 
> Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c
> /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from
> ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'.
> And I mean it. Idle. Nothing was going on.
> 
> Hardware:
> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
> 
> Can anyone confirm - or did I miss something?
> 
> Best,
> Matthias


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
  2020-12-10 13:39 ` Michael Tremer
@ 2020-12-10 17:46   ` Matthias Fischer
  0 siblings, 0 replies; 15+ messages in thread
From: Matthias Fischer @ 2020-12-10 17:46 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 76 bytes --]

Correction!

Sorry, typo.

It's 'suricata 6.0.1' of course!

Best,
Matthias


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
  2020-12-14 15:58           ` Peter Müller
  2020-12-14 18:22             ` Adolf Belka
@ 2020-12-14 20:34             ` Peter Müller
  1 sibling, 0 replies; 15+ messages in thread
From: Peter Müller @ 2020-12-14 20:34 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 3340 bytes --]

Hello *,

some feedback came from the community 
(https://community.ipfire.org/t/core-153-testing/4005/), where CPU load 
seems to behave fine as well.

Unless I overlooked something, this issue primarily seems to affect
- virtualised systems and
- machines running on a CPU with two cores or less.

Thanks, and best regards,
Peter Müller


> Hello Michael, hello Matthias, hello *,
> 
> just for the record: I cannot reproduce this issue on two machines
> running Core Update 153 (testing) for a while now.
> 
> Both have an Intel N3150 CPU and are running on x86_64 (no
> virtualisation), one of those is almost permanently under a significant
> network load. To be honest, its CPU load actually _decreased_ a bit
> after installing Core Update 153, but I cannot pinpoint the reason for
> this at the moment.
> 
> From my point of view, there is no need to downgrade to Suricata 5.x
> again. In terms of security, I dislike that idea as well, however, this
> seems to affect certain scenarios quite badly...
> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Hi,
>>
>>> On 12 Dec 2020, at 02:18, Kienker, Fred <fkienker(a)at4b.com> wrote:
>>>
>>> Matthias:
>>>
>>> I worked through some of the examples of the settings described in the
>>> Suricata forum discussion. If my observations are correct, the issue
>>> centers around the flow manager. A change to it has made a big
>>> difference in the resource usage by this process. It's likely going to
>>> come down to living with the load created by the v6 version or
>>> reverting to v5 and waiting for them to get to the bottom of this. No
>>> combination of settings in the flow section of suricata.yaml ever
>>> seemed to reduce it and instead increased it.
>>
>> Good research.
>>
>>> I don't use low power systems for IPFire and don't have access to one
>>> but others with these systems may want to take a look at their
>>> performance numbers and report back as to whether they can live with the
>>> higher load.
>>
>> It is not directly low-power systems.
>>
>> I launched this on AWS today and the CPU load is immediately at 25%. 
>> It was mentioned on the linked thread that virtual systems are 
>> affected more.
>>
>> I would now rather lean towards reverting suricata 6 unless there is a 
>> hot fix available soon.
>>
>> Best,
>> -Michael
>>
>>>
>>> Best regards,
>>> Fred
>>>
>>> Please note: Although we may sometimes respond to email, text and phone
>>> calls instantly at all hours of the day, our regular business hours are
>>> 9:00 AM - 6:00 PM ET, Monday thru Friday.
>>>
>>> -----Original Message-----
>>> From: Matthias Fischer <matthias.fischer(a)ipfire.org>
>>> Sent: Friday, December 11, 2020 6:34 PM
>>> To: Kienker, Fred; michael.tremer <michael.tremer(a)ipfire.org>;
>>> stefan.schantl <stefan.schantl(a)ipfire.org>
>>> Cc: development <development(a)lists.ipfire.org>
>>> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to
>>> 5.0.4
>>>
>>> Hi,
>>>
>>> looks as if there is something going on in the suricata forum regarding
>>> cpu load:
>>>
>>> => https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
>>>
>>> I can't really interpret the numerous screenshots and ongoing
>>> discussions, but could it be that this is related to what I'm
>>> experiencing when upgrading from 5.0.x to 6.0.x?
>>>
>>> Best,
>>> Matthias
>>>
>>>
>>

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
  2020-12-14 15:58           ` Peter Müller
@ 2020-12-14 18:22             ` Adolf Belka
  2020-12-14 20:34             ` Peter Müller
  1 sibling, 0 replies; 15+ messages in thread
From: Adolf Belka @ 2020-12-14 18:22 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 3700 bytes --]

Hallo All,

I have been testing Core Update 153 on my VirtualBox VM test bed system.

With Core 152 with no IPS the CPU is running around 0.7%. With IPS turned on it runs around 1.5%.

With Core 153 with no IPS the CPU is running around 0.7% again. With IPS turned on it runs around 10.5%.

The system info is:-
IPFire version 	IPFire 2.25 (x86_64) - core153 Development Build: master/eaa90321
Pakfire version 	2.25.1-x86_64
Kernel version 	Linux ipfire 4.14.211-ipfire #1 SMP Tue Dec 8 23:54:50 GMT 2020 x86_64 Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz GenuineIntel GNU/Linux

Regards,
Adolf Belka


On 14/12/2020 16:58, Peter Müller wrote:
> Hello Michael, hello Matthias, hello *,
> 
> just for the record: I cannot reproduce this issue on two machines running Core Update 153 (testing) for a while now.
> 
> Both have an Intel N3150 CPU and are running on x86_64 (no virtualisation), one of those is almost permanently under a significant network load. To be honest, its CPU load actually _decreased_ a bit after installing Core Update 153, but I cannot pinpoint the reason for this at the moment.
> 
> From my point of view, there is no need to downgrade to Suricata 5.x again. In terms of security, I dislike that idea as well, however, this seems to affect certain scenarios quite badly...
> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Hi,
>>
>>> On 12 Dec 2020, at 02:18, Kienker, Fred <fkienker(a)at4b.com> wrote:
>>>
>>> Matthias:
>>>
>>> I worked through some of the examples of the settings described in the
>>> Suricata forum discussion. If my observations are correct, the issue
>>> centers around the flow manager. A change to it has made a big
>>> difference in the resource usage by this process. It's likely going to
>>> come down to living with the load created by the v6 version or
>>> reverting to v5 and waiting for them to get to the bottom of this. No
>>> combination of settings in the flow section of suricata.yaml ever
>>> seemed to reduce it and instead increased it.
>>
>> Good research.
>>
>>> I don't use low power systems for IPFire and don't have access to one
>>> but others with these systems may want to take a look at their
>>> performance numbers and report back as to whether they can live with the
>>> higher load.
>>
>> It is not directly low-power systems.
>>
>> I launched this on AWS today and the CPU load is immediately at 25%. It was mentioned on the linked thread that virtual systems are affected more.
>>
>> I would now rather lean towards reverting suricata 6 unless there is a hot fix available soon.
>>
>> Best,
>> -Michael
>>
>>>
>>> Best regards,
>>> Fred
>>>
>>> Please note: Although we may sometimes respond to email, text and phone
>>> calls instantly at all hours of the day, our regular business hours are
>>> 9:00 AM - 6:00 PM ET, Monday thru Friday.
>>>
>>> -----Original Message-----
>>> From: Matthias Fischer <matthias.fischer(a)ipfire.org>
>>> Sent: Friday, December 11, 2020 6:34 PM
>>> To: Kienker, Fred; michael.tremer <michael.tremer(a)ipfire.org>;
>>> stefan.schantl <stefan.schantl(a)ipfire.org>
>>> Cc: development <development(a)lists.ipfire.org>
>>> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to
>>> 5.0.4
>>>
>>> Hi,
>>>
>>> looks as if there is something going on in the suricata forum regarding
>>> cpu load:
>>>
>>> => https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
>>>
>>> I can't really interpret the numerous screenshots and ongoing
>>> discussions, but could it be that this is related to what I'm
>>> experiencing when upgrading from 5.0.x to 6.0.x?
>>>
>>> Best,
>>> Matthias
>>>
>>>
>>

^ permalink raw reply	[flat|nested] 15+ messages in thread

* RE: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
  2020-12-14 14:26         ` Michael Tremer
  2020-12-14 15:58           ` Peter Müller
@ 2020-12-14 16:07           ` Kienker, Fred
  1 sibling, 0 replies; 15+ messages in thread
From: Kienker, Fred @ 2020-12-14 16:07 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 4407 bytes --]

After several hours spent trying various Suricata configuration 
settings, these are my observations. 

The big change in Suricata v6 is that it is more oriented toward 
multiprocessor systems than v5. The best performance I could get was by 
allocating a specific cpu to management-cpu-set, receive-cpu-set, and 
verdict-cpu-set with a range of worker-cpu-set. This:

threading:
  # set-cpu-affinity: no
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        # cpu: [ 0 ]  # include only these cpus in affinity settings
        cpu: [ "3" ]  # include only these cpus in affinity settings
    - receive-cpu-set:
        cpu: [ "4" ]  # include only these cpus in affinity settings
        # mode: "balanced"
    - verdict-cpu-set:
        # cpu: [ 0 ]  # include only these cpus in affinity settings
        cpu: [ "5" ]  # include only these cpus in affinity settings
        prio:
          default: "high"
    - worker-cpu-set:
        # cpu: [ "all" ]
        cpu: [ "6-11" ]
        mode: "exclusive"
        # "prio:" has to stay active: the "default" key below is nested under it
        prio:
          # low: [ 0 ]
          # medium: [ "1-2" ]
          # high: [ 3 ]
          default: "medium"

Adding set-cpu-affinity: yes and putting the management-cpu-set on its
*own* cpu made the single biggest difference in reducing CPU load.
Adding just these two changes might make v6 performance acceptable. This
assumes the target system has at least two cores, though 4 would be much
better.

For those of us with the luxury of numerous cores and lots of CPU cache 
memory, this set up results in dramatically better performance over 
stock IPFire. Suricata literature points out it is designed to perform 
the best in this setting.

Best regards, 
Fred

Please note: Although we may sometimes respond to email, text and phone 
calls instantly at all hours of the day, our regular business hours are 
9:00 AM - 6:00 PM ET, Monday thru Friday.

-----Original Message-----
From: Michael Tremer <michael.tremer(a)ipfire.org> 
Sent: Monday, December 14, 2020 9:26 AM
To: Kienker, Fred
Cc: matthias.fischer <matthias.fischer(a)ipfire.org>; Stefan Schantl 
<stefan.schantl(a)ipfire.org>; development <development(a)lists.ipfire.org>
Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 
5.0.4

Hi,

> On 12 Dec 2020, at 02:18, Kienker, Fred <fkienker(a)at4b.com> wrote:
> 
> Matthias:
> 
> I worked through some of the examples of the settings described in the
> Suricata forum discussion. If my observations are correct, the issue
> centers around the flow manager. A change to it has made a big
> difference in the resource usage by this process. It's likely going to
> come down to living with the load created by the v6 version or
> reverting to v5 and waiting for them to get to the bottom of this. No
> combination of settings in the flow section of suricata.yaml ever
> seemed to reduce it and instead increased it.

Good research.

> I don't use low power systems for IPFire and don't have access to one
> but others with these systems may want to take a look at their 
> performance numbers and report back as to whether they can live with 
> the higher load.

It is not directly low-power systems.

I launched this on AWS today and the CPU load is immediately at 25%. It 
was mentioned on the linked thread that virtual systems are affected 
more.

I would now rather lean towards reverting suricata 6 unless there is a 
hot fix available soon.

Best,
-Michael

> 
> Best regards,
> Fred
> 
> Please note: Although we may sometimes respond to email, text and 
> phone calls instantly at all hours of the day, our regular business 
> hours are
> 9:00 AM - 6:00 PM ET, Monday thru Friday.
> 
> -----Original Message-----
> From: Matthias Fischer <matthias.fischer(a)ipfire.org>
> Sent: Friday, December 11, 2020 6:34 PM
> To: Kienker, Fred; michael.tremer <michael.tremer(a)ipfire.org>; 
> stefan.schantl <stefan.schantl(a)ipfire.org>
> Cc: development <development(a)lists.ipfire.org>
> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared 
> to
> 5.0.4
> 
> Hi,
> 
> looks as if there is something going on in the suricata forum 
> regarding cpu load:
> 
> => https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
> 
> I can't really interpret the numerous screenshots and ongoing
> discussions, but could it be that this is related to what I'm 
> experiencing when upgrading from 5.0.x to 6.0.x?
> 
> Best,
> Matthias
> 
> 




^ permalink raw reply	[flat|nested] 15+ messages in thread
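
Added example, not part of the thread and not IPFire or Suricata project code: a Python pre-deployment check of the cpu-affinity layout from the message above against a host's logical CPU count, flagging CPUs the host does not have and a management-cpu-set that is not on its own CPU. The function names, finding texts and host sizes are assumptions for illustration; the first sample layout uses the values posted above, the second is constructed.

```python
# Added example: sanity-check a Suricata threading/cpu-affinity layout.
# Input is the "threading" section of suricata.yaml as already-parsed YAML
# (plain dicts and lists), so the check itself needs no YAML library.

def expand_cpus(spec, ncpus):
    """Expand a cpu list such as [0], ["3"], ["6-11"] or ["all"] to a set of ints."""
    cpus = set()
    for item in spec:
        text = str(item).strip()
        if text == "all":
            cpus.update(range(ncpus))
        elif "-" in text:
            lo, hi = (int(part) for part in text.split("-", 1))
            if lo > hi:
                raise ValueError(f"descending cpu range {text!r}")
            cpus.update(range(lo, hi + 1))
        else:
            cpus.add(int(text))
    return cpus


def check_affinity(threading, ncpus):
    """Return a list of findings for this layout on a host with ncpus logical CPUs."""
    findings = []
    # YAML loaders differ: "yes" may arrive as the boolean True or as a string.
    if threading.get("set-cpu-affinity") not in (True, "yes"):
        findings.append("set-cpu-affinity is not enabled; the sets below are not applied")
    sets = {}
    for entry in threading.get("cpu-affinity", []):
        for name, body in entry.items():
            if "cpu" not in body:
                continue  # no explicit list given, nothing to check for this set
            try:
                cpus = expand_cpus(body["cpu"], ncpus)
            except ValueError as exc:
                findings.append(f"{name}: unparsable cpu list ({exc})")
                continue
            absent = sorted(c for c in cpus if c >= ncpus)
            if absent:
                findings.append(f"{name}: cpus {absent} not present on a {ncpus}-cpu host")
            sets[name] = cpus
    # The message above reports the biggest gain from giving management its own CPU.
    mgmt = sets.get("management-cpu-set", set())
    for name, cpus in sets.items():
        shared = sorted(mgmt & cpus)
        if name != "management-cpu-set" and shared:
            findings.append(f"management-cpu-set shares cpus {shared} with {name}")
    return findings


# Layout with the values posted in the message above.
POSTED = {
    "set-cpu-affinity": True,
    "cpu-affinity": [
        {"management-cpu-set": {"cpu": ["3"]}},
        {"receive-cpu-set": {"cpu": ["4"]}},
        {"verdict-cpu-set": {"cpu": ["5"], "prio": {"default": "high"}}},
        {"worker-cpu-set": {"cpu": ["6-11"], "mode": "exclusive",
                            "prio": {"default": "medium"}}},
    ],
}

# Constructed layout: affinity off, everything on CPU 0 except the workers.
SHARED = {
    "set-cpu-affinity": False,
    "cpu-affinity": [
        {"management-cpu-set": {"cpu": [0]}},
        {"receive-cpu-set": {"cpu": [0]}},
        {"verdict-cpu-set": {"cpu": [0]}},
        {"worker-cpu-set": {"cpu": ["all"], "mode": "exclusive"}},
    ],
}

if __name__ == "__main__":
    # Host sizes are assumptions: a 12-CPU box, a 2-CPU box, a 4-CPU box.
    for label, layout, ncpus in (("posted/12", POSTED, 12),
                                 ("posted/2", POSTED, 2),
                                 ("shared/4", SHARED, 4)):
        print(label)
        for finding in check_affinity(layout, ncpus) or ["no findings"]:
            print("  " + finding)
```
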

* Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
  2020-12-14 14:26         ` Michael Tremer
@ 2020-12-14 15:58           ` Peter Müller
  2020-12-14 18:22             ` Adolf Belka
  2020-12-14 20:34             ` Peter Müller
  2020-12-14 16:07           ` Kienker, Fred
  1 sibling, 2 replies; 15+ messages in thread
From: Peter Müller @ 2020-12-14 15:58 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 2976 bytes --]

Hello Michael, hello Matthias, hello *,

just for the record: I cannot reproduce this issue on two machines
running Core Update 153 (testing) for a while now.

Both have an Intel N3150 CPU and are running on x86_64 (no
virtualisation), one of those is almost permanently under a significant
network load. To be honest, its CPU load actually _decreased_ a bit
after installing Core Update 153, but I cannot pinpoint the reason for
this at the moment.

From my point of view, there is no need to downgrade to Suricata 5.x
again. In terms of security, I dislike that idea as well, however, this
seems to affect certain scenarios quite badly...

Thanks, and best regards,
Peter Müller


> Hi,
> 
>> On 12 Dec 2020, at 02:18, Kienker, Fred <fkienker(a)at4b.com> wrote:
>>
>> Matthias:
>>
>> I worked through some of the examples of the settings described in the
>> Suricata forum discussion. If my observations are correct, the issue
>> centers around the flow manager. A change to it has made a big
>> difference in the resource usage by this process. It's likely going to
>> come down to living with the load created by the v6 version or
>> reverting to v5 and waiting for them to get to the bottom of this. No
>> combination of settings in the flow section of suricata.yaml ever
>> seemed to reduce it and instead increased it.
> 
> Good research.
> 
>> I don't use low power systems for IPFire and don't have access to one
>> but others with these systems may want to take a look at their
>> performance numbers and report back as to whether they can live with the
>> higher load.
> 
> It is not directly low-power systems.
> 
> I launched this on AWS today and the CPU load is immediately at 25%. It was mentioned on the linked thread that virtual systems are affected more.
> 
> I would now rather lean towards reverting suricata 6 unless there is a hot fix available soon.
> 
> Best,
> -Michael
> 
>>
>> Best regards,
>> Fred
>>
>> Please note: Although we may sometimes respond to email, text and phone
>> calls instantly at all hours of the day, our regular business hours are
>> 9:00 AM - 6:00 PM ET, Monday thru Friday.
>>
>> -----Original Message-----
>> From: Matthias Fischer <matthias.fischer(a)ipfire.org>
>> Sent: Friday, December 11, 2020 6:34 PM
>> To: Kienker, Fred; michael.tremer <michael.tremer(a)ipfire.org>;
>> stefan.schantl <stefan.schantl(a)ipfire.org>
>> Cc: development <development(a)lists.ipfire.org>
>> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to
>> 5.0.4
>>
>> Hi,
>>
>> looks as if there is something going on in the suricata forum regarding
>> cpu load:
>>
>> => https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
>>
>> I can't really interpret the numerous screenshots and ongoing
>> discussions, but could it be that this is related to what I'm
>> experiencing when upgrading from 5.0.x to 6.0.x?
>>
>> Best,
>> Matthias
>>
>>
> 

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
  2020-12-12  1:18       ` Kienker, Fred
@ 2020-12-14 14:26         ` Michael Tremer
  2020-12-14 15:58           ` Peter Müller
  2020-12-14 16:07           ` Kienker, Fred
  0 siblings, 2 replies; 15+ messages in thread
From: Michael Tremer @ 2020-12-14 14:26 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 2216 bytes --]

Hi,

> On 12 Dec 2020, at 02:18, Kienker, Fred <fkienker(a)at4b.com> wrote:
> 
> Matthias:
> 
> I worked through some of the examples of the settings described in the
> Suricata forum discussion. If my observations are correct, the issue
> centers around the flow manager. A change to it has made a big
> difference in the resource usage by this process. It's likely going to
> come down to living with the load created by the v6 version or
> reverting to v5 and waiting for them to get to the bottom of this. No
> combination of settings in the flow section of suricata.yaml ever
> seemed to reduce it and instead increased it.

Good research.

> I don't use low power systems for IPFire and don't have access to one
> but others with these systems may want to take a look at their 
> performance numbers and report back as to whether they can live with the 
> higher load.

It is not directly low-power systems.

I launched this on AWS today and the CPU load is immediately at 25%. It was mentioned on the linked thread that virtual systems are affected more.

I would now rather lean towards reverting suricata 6 unless there is a hot fix available soon.

Best,
-Michael

> 
> Best regards, 
> Fred
> 
> Please note: Although we may sometimes respond to email, text and phone 
> calls instantly at all hours of the day, our regular business hours are 
> 9:00 AM - 6:00 PM ET, Monday thru Friday.
> 
> -----Original Message-----
> From: Matthias Fischer <matthias.fischer(a)ipfire.org> 
> Sent: Friday, December 11, 2020 6:34 PM
> To: Kienker, Fred; michael.tremer <michael.tremer(a)ipfire.org>; 
> stefan.schantl <stefan.schantl(a)ipfire.org>
> Cc: development <development(a)lists.ipfire.org>
> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 
> 5.0.4
> 
> Hi,
> 
> looks as if there is something going on in the suricata forum regarding 
> cpu load:
> 
> => https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
> 
> I can't really interpret the numerous screenshots and ongoing
> discussions, but could it be that this is related to what I'm 
> experiencing when upgrading from 5.0.x to 6.0.x?
> 
> Best,
> Matthias
> 
> 


^ permalink raw reply	[flat|nested] 15+ messages in thread

* RE: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
  2020-12-11 23:33     ` Matthias Fischer
@ 2020-12-12  1:18       ` Kienker, Fred
  2020-12-14 14:26         ` Michael Tremer
  0 siblings, 1 reply; 15+ messages in thread
From: Kienker, Fred @ 2020-12-12  1:18 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 1664 bytes --]

Matthias:

I worked through some of the examples of the settings described in the
Suricata forum discussion. If my observations are correct, the issue
centers around the flow manager. A change to it has made a big
difference in the resource usage by this process. It's likely going to
come down to living with the load created by the v6 version or
reverting to v5 and waiting for them to get to the bottom of this. No
combination of settings in the flow section of suricata.yaml ever
seemed to reduce it and instead increased it.

I don't use low power systems for IPFire and don't have access to one
but others with these systems may want to take a look at their 
performance numbers and report back as to whether they can live with the 
higher load.

Best regards, 
Fred

Please note: Although we may sometimes respond to email, text and phone 
calls instantly at all hours of the day, our regular business hours are 
9:00 AM - 6:00 PM ET, Monday thru Friday.

-----Original Message-----
From: Matthias Fischer <matthias.fischer(a)ipfire.org> 
Sent: Friday, December 11, 2020 6:34 PM
To: Kienker, Fred; michael.tremer <michael.tremer(a)ipfire.org>; 
stefan.schantl <stefan.schantl(a)ipfire.org>
Cc: development <development(a)lists.ipfire.org>
Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 
5.0.4

Hi,

looks as if there is something going on in the suricata forum regarding 
cpu load:

=> https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706

I can't really interpret the numerous screenshots and ongoing
discussions, but could it be that this is related to what I'm 
experiencing when upgrading from 5.0.x to 6.0.x?

Best,
Matthias



^ permalink raw reply	[flat|nested] 15+ messages in thread

* RE: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
  2020-12-11 16:00 ` Matthias Fischer
  2020-12-11 19:07   ` Matthias Fischer
@ 2020-12-12  0:52   ` Kienker, Fred
  1 sibling, 0 replies; 15+ messages in thread
From: Kienker, Fred @ 2020-12-12  0:52 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 4215 bytes --]

I have submitted a bug report. 

Best regards, 
Fred

Please note: Although we may sometimes respond to email, text and phone 
calls instantly at all hours of the day, our regular business hours are 
9:00 AM - 6:00 PM ET, Monday thru Friday.

-----Original Message-----
From: Matthias Fischer <matthias.fischer(a)ipfire.org> 
Sent: Friday, December 11, 2020 11:01 AM
To: Kienker, Fred; michael.tremer <michael.tremer(a)ipfire.org>; 
stefan.schantl <stefan.schantl(a)ipfire.org>
Cc: development <development(a)lists.ipfire.org>
Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 
5.0.4

Hi,

confirmed.

As I use to say: "Welcome to the club"! ;-)

Running 'suricata 6.0.1' - but now I deactivated ALL rules.

But: no rules, no change, CPU load is still much too high. In idle mode!
NO traffic.

@Fred:
Graphs are almost identical to yours.

Who writes the bug report?

FYI:
I'm just preparing the other 64bit Devel with 'suricata 5.0.5', just to 
see what will happen.

Best,
Matthias

On 11.12.2020 16:20, Kienker, Fred wrote:
> I am hoping this is the correct place to report C153 testing results. 
> Otherwise I will open a topic on the forum if you prefer.
> 
> After updating a testing firewall from C152 Stable to C153 Testing, a 
> significant increase in CPU load was observed as reported by others - 
> see the attached graphs. The htop also shows Suricata as the 3 top 
> processes. No changes were made to the Suricata settings in the before
> and after.
> 
> This system has enough processing power so it is not an issue, but
> it could be a problem on low powered systems.
> 
> Machine specs:
>   Dell PowerEdge R420
>   Intel(R) Xeon(R) CPU E5-2430
>   24 GB RAM	
> 
> Best regards,
> Fred
> 
> -----Original Message-----
> From: Matthias Fischer <matthias.fischer(a)ipfire.org>
> Sent: Thursday, December 10, 2020 12:32 PM
> To: Michael Tremer <michael.tremer(a)ipfire.org>; Stefan Schantl 
> <stefan.schantl(a)ipfire.org>
> Cc: IPFire: Development-List <development(a)lists.ipfire.org>
> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared 
> to
> 5.0.4
> 
> On 10.12.2020 14:39, Michael Tremer wrote:
>> Hey Matthias,
> 
> Hi Michael,
> 
>> I checked but I cannot confirm this on my machine.
> 
> Hm...
> 
>> I also asked the others on the telephone conference and nobody saw
> anything suspicious either.
>> 
>> What hardware are you using, and what rules are you using?
> 
> Hardware is an old IPFire Duo Box ( ;-) ).
> 
> Profile:
> =>
> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
> 
> Today I - again - switched from 5.04 to 6.01 using Emerging Threats
> Rules. Cpu load immediately rose from 0.5-2% to ~10-12.5% (htop).
> See attached screenshots.
> 
> Then I deactivated a few rules (first wave at 17:35) - activating only
> 'botcc', 'drop', 'dshield', 'emerging-exploit', 'emerging-malware' and
> 'emerging-trojan' active. No change.
> 
> Right now I'm on 'suricata 6.0.4' with 'Talos VRT rules (registered)'.
> No change. Hm.
> 
> Any ideas?
> 
> Best,
> Matthias
> 
>> Best,
>> -Michael
>> 
>>> On 6 Dec 2020, at 11:08, Matthias Fischer
> <matthias.fischer(a)ipfire.org> wrote:
>>> 
>>> Hi,
>>> 
>>> I'd like to have a little problem... ;-)
>>> 
>>> The other day I saw 'suricata 6.0.0' had its coming out - yesterday 
>>> it was '6.0.1'. At that time I thought it might be a good idea to 
>>> test the current version.
>>> 
>>> So I built and tested these two one after another under Core
> 152/64bit.
>>> I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated 
>>> and installed too, yesterday to 0.5.36.
>>> 
>>> Both built without problems, both installed without problems, both 
>>> showed a strange behavior while running.
>>> 
>>> Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c 
>>> /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from
>>> ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'.
>>> And I mean it. Idle. Nothing was going on.
>>> 
>>> Hardware:
>>> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
>>> 
>>> Can anyone confirm - or did I miss something?
>>> 
>>> Best,
>>> Matthias
>> 
> 
> 
> 




^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
  2020-12-11 19:07   ` Matthias Fischer
@ 2020-12-11 23:33     ` Matthias Fischer
  2020-12-12  1:18       ` Kienker, Fred
  0 siblings, 1 reply; 15+ messages in thread
From: Matthias Fischer @ 2020-12-11 23:33 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 339 bytes --]

Hi,

looks as if there is something going on in the suricata forum regarding
cpu load:

=> https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706

I can't really interpret the numerous screenshots and ongoing
discussions, but could it be that this is related to what I'm
experiencing when upgrading from 5.0.x to 6.0.x?

Best,
Matthias

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
  2020-12-11 16:00 ` Matthias Fischer
@ 2020-12-11 19:07   ` Matthias Fischer
  2020-12-11 23:33     ` Matthias Fischer
  2020-12-12  0:52   ` Kienker, Fred
  1 sibling, 1 reply; 15+ messages in thread
From: Matthias Fischer @ 2020-12-11 19:07 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 4293 bytes --]

Hi,

I changed to 'suricata 5.0.5/64bit' on Core 152.

CPU load of '/usr/bin/suricata -c /etc/suricata/suricata.yaml -D -q 0:1'
immediately went down to 0.1% - 2.0% in idle mode with *exactly* the
same rules as before.

Under 6.0.0 or 6.0.1 load rises up to 12.6% / idle.

Deactivating ALL rules made no difference. Load stays high.

Best,
Matthias

On 11.12.2020 17:00, Matthias Fischer wrote:
> Hi,
> 
> confirmed.
> 
> As I use to say: "Welcome to the club"! ;-)
> 
> Running 'suricata 6.0.1' - but now I deactivated ALL rules.
> 
> But: no rules, no change, CPU load is still much too high. In idle mode!
> NO traffic.
> 
> @Fred:
> Graphs are almost identical to yours.
> 
> Who writes the bug report?
> 
> FYI:
> I'm just preparing the other 64bit Devel with 'suricata 5.0.5', just to
> see what will happen.
> 
> Best,
> Matthias
> 
> On 11.12.2020 16:20, Kienker, Fred wrote:
>> I am hoping this is the correct place to report C153 testing results. 
>> Otherwise I will open a topic on the forum if you prefer.
>> 
>> After updating a testing firewall from C152 Stable to C153 Testing, a 
>> significant increase in CPU load was observed as reported by others - 
>> see the attached graphs. The htop also shows Suricata as the 3 top 
>> processes. No changes were made to the Suricata settings in the before
>> and after.
>> 
>> This system has enough processing power so it is not an issue, but it
>> could be a problem on low powered systems.
>> 
>> Machine specs:
>>   Dell PowerEdge R420
>>   Intel(R) Xeon(R) CPU E5-2430
>>   24 GB RAM	
>> 
>> Best regards, 
>> Fred
>> 
>> -----Original Message-----
>> From: Matthias Fischer <matthias.fischer(a)ipfire.org> 
>> Sent: Thursday, December 10, 2020 12:32 PM
>> To: Michael Tremer <michael.tremer(a)ipfire.org>; Stefan Schantl 
>> <stefan.schantl(a)ipfire.org>
>> Cc: IPFire: Development-List <development(a)lists.ipfire.org>
>> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 
>> 5.0.4
>> 
>> On 10.12.2020 14:39, Michael Tremer wrote:
>>> Hey Matthias,
>> 
>> Hi Michael,
>> 
>>> I checked but I cannot confirm this on my machine.
>> 
>> Hm...
>> 
>>> I also asked the others on the telephone conference and nobody saw 
>>> anything suspicious either.
>>> 
>>> What hardware are you using, and what rules are you using?
>> 
>> Hardware is an old IPFire Duo Box ( ;-) ).
>> 
>> Profile:
>> =>
>> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
>> 
>> Today I - again - switched from 5.04 to 6.01 using Emerging Threats 
>> Rules. Cpu load immediately rose from 0.5-2% to ~10-12.5% (htop). See 
>> attached screenshots.
>> 
>> Then I deactivated a few rules (first wave at 17:35) - activating only 
>> 'botcc', 'drop', 'dshield', 'emerging-exploit', 'emerging-malware' and 
>> 'emerging-trojan' active. No change.
>> 
>> Right now I'm on 'suricata 6.0.4' with 'Talos VRT rules' (registered). No 
>> change. Hm.
>> 
>> Any ideas?
>> 
>> Best,
>> Matthias
>> 
>>> Best,
>>> -Michael
>>> 
>>>> On 6 Dec 2020, at 11:08, Matthias Fischer 
>>>> <matthias.fischer(a)ipfire.org> wrote:
>>>> 
>>>> Hi,
>>>> 
>>>> I'd like to have a little problem... ;-)
>>>> 
>>>> The other day I saw 'suricata 6.0.0' had its coming out - yesterday 
>>>> it was '6.0.1'. At that time I thought it might be a good idea to 
>>>> test the current version.
>>>> 
>>>> So I built and tested these two one after another under Core 
>>>> 152/64bit.
>>>> I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated 
>>>> and installed too, yesterday to 0.5.36.
>>>> 
>>>> Both built without problems, both installed without problems, both 
>>>> showed a strange behavior while running.
>>>> 
>>>> Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c 
>>>> /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from 
>>>> ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'.
>>>> And I mean it. Idle. Nothing was going on.
>>>> 
>>>> Hardware:
>>>> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
>>>> 
>>>> Can anyone confirm - or did I miss something?
>>>> 
>>>> Best,
>>>> Matthias
>>> 
>> 
>> 
>> 
> 


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
  2020-12-10 19:36 ` Michael Tremer
@ 2020-12-11 16:03   ` Matthias Fischer
  0 siblings, 0 replies; 15+ messages in thread
From: Matthias Fischer @ 2020-12-11 16:03 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 486 bytes --]

Hi,

On 10.12.2020 20:36, Michael Tremer wrote:
> ...
> Can you try to disable all rules and see if that makes a change?

Done. No change, see below.

> It would also be helpful to see if the CPU resources are being wasted on kernel stuff (sys) or in the user land (user). According to the graph it is 50/50. Can you confirm that?

Yes.

Without any rules 'user load' = 6.96%, 'system load' = 4.32%.

Load is ~ten times higher, temperatures rose too.

Best,
Matthias

^ permalink raw reply	[flat|nested] 15+ messages in thread
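
Added example, not part of the thread: one way to get the user/sys split asked for above straight from `/proc/<pid>/stat` instead of reading it off a graph. The two stat lines are constructed so that their deltas reproduce the 6.96% / 4.32% figures reported in the message above; the PID, the process name, the 100 s interval and the 100 ticks/s clock rate are assumptions.

```python
import os
import time

def parse_stat(line):
    """Return (utime, stime) in clock ticks from one /proc/<pid>/stat line."""
    # Field 2 (comm) may itself contain spaces or ')', so split at the LAST ')'.
    rest = line.rsplit(")", 1)[1].split()
    # rest[0] is field 3 (state); utime is field 14, stime is field 15.
    return int(rest[11]), int(rest[12])

def cpu_split(before, after, interval_s, clk_tck):
    """Return (user_pct, sys_pct) of one CPU consumed between two samples."""
    u0, s0 = parse_stat(before)
    u1, s1 = parse_stat(after)
    scale = 100.0 / (clk_tck * interval_s)
    return round((u1 - u0) * scale, 2), round((s1 - s0) * scale, 2)

def sys_share(user_pct, sys_pct):
    """Percentage of the process's CPU time that was spent in the kernel."""
    total = user_pct + sys_pct
    return round(100.0 * sys_pct / total, 1) if total else 0.0

def sample_live(pid, interval_s=10):
    """Take two real samples of a running process (all threads summed)."""
    path = f"/proc/{pid}/stat"
    with open(path) as f:
        before = f.read()
    time.sleep(interval_s)
    with open(path) as f:
        after = f.read()
    return cpu_split(before, after, interval_s, os.sysconf("SC_CLK_TCK"))

# Constructed samples (not captured from a real system), taken 100 s apart.
STAT_T0 = ("1234 (Suricata-Main) S 1 1234 1234 0 -1 4194560 5000 0 10 0 "
           "12000 8000 0 0 20 0 8 0 500")
STAT_T100 = ("1234 (Suricata-Main) S 1 1234 1234 0 -1 4194560 5000 0 10 0 "
             "12696 8432 0 0 20 0 8 0 500")

if __name__ == "__main__":
    user, kernel = cpu_split(STAT_T0, STAT_T100, interval_s=100, clk_tck=100)
    print(f"user {user}%  sys {kernel}%  kernel share {sys_share(user, kernel)}%")
```

On a live system, `sample_live(<pid of suricata>)` returns the same pair for the running daemon; a large sys share with no traffic would suggest looking at syscalls such as polling or timers rather than at rule evaluation.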

* Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
       [not found] <H000007e004e35e1.1607700049.mail.at4b.com@MHS>
@ 2020-12-11 16:00 ` Matthias Fischer
  2020-12-11 19:07   ` Matthias Fischer
  2020-12-12  0:52   ` Kienker, Fred
  0 siblings, 2 replies; 15+ messages in thread
From: Matthias Fischer @ 2020-12-11 16:00 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 3596 bytes --]

Hi,

confirmed.

As I use to say: "Welcome to the club"! ;-)

Running 'suricata 6.0.1' - but now I deactivated ALL rules.

But: no rules, no change, CPU load is still much too high. In idle mode!
NO traffic.

@Fred:
Graphs are almost identical to yours.

Who writes the bug report?

FYI:
I'm just preparing the other 64bit Devel with 'suricata 5.0.5', just to
see what will happen.

Best,
Matthias

On 11.12.2020 16:20, Kienker, Fred wrote:
> I am hoping this is the correct place to report C153 testing results. 
> Otherwise I will open a topic on the forum if you prefer.
> 
> After updating a testing firewall from C152 Stable to C153 Testing, a 
> significant increase in CPU load was observed as reported by others - 
> see the attached graphs. The htop also shows Suricata as the 3 top 
> processes. No changes were made to the Suricata settings in the before 
> and after.
> 
> This system has enough processing power so it is not an issue, but it 
> could be a problem on low powered systems.
> 
> Machine specs:
>   Dell PowerEdge R420
>   Intel(R) Xeon(R) CPU E5-2430
>   24 GB RAM	
> 
> Best regards, 
> Fred
> 
> -----Original Message-----
> From: Matthias Fischer <matthias.fischer(a)ipfire.org> 
> Sent: Thursday, December 10, 2020 12:32 PM
> To: Michael Tremer <michael.tremer(a)ipfire.org>; Stefan Schantl 
> <stefan.schantl(a)ipfire.org>
> Cc: IPFire: Development-List <development(a)lists.ipfire.org>
> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 
> 5.0.4
> 
> On 10.12.2020 14:39, Michael Tremer wrote:
>> Hey Matthias,
> 
> Hi Michael,
> 
>> I checked but I cannot confirm this on my machine.
> 
> Hm...
> 
>> I also asked the others on the telephone conference and nobody saw 
>> anything suspicious either.
>> 
>> What hardware are you using, and what rules are you using?
> 
> Hardware is an old IPFire Duo Box ( ;-) ).
> 
> Profile:
> =>
> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
> 
> Today I - again - switched from 5.04 to 6.01 using Emerging Threats 
> Rules. Cpu load immediately rose from 0.5-2% to ~10-12.5% (htop). See 
> attached screenshots.
> 
> Then I deactivated a few rules (first wave at 17:35) - activating only 
> 'botcc', 'drop', 'dshield', 'emerging-exploit', 'emerging-malware' and 
> 'emerging-trojan' active. No change.
> 
> Right now I'm on 'suricata 6.0.4' with 'Talos VRT rules' (registered). No 
> change. Hm.
> 
> Any ideas?
> 
> Best,
> Matthias
> 
>> Best,
>> -Michael
>> 
>>> On 6 Dec 2020, at 11:08, Matthias Fischer 
>>> <matthias.fischer(a)ipfire.org> wrote:
>>> 
>>> Hi,
>>> 
>>> I'd like to have a little problem... ;-)
>>> 
>>> The other day I saw 'suricata 6.0.0' had its coming out - yesterday 
>>> it was '6.0.1'. At that time I thought it might be a good idea to 
>>> test the current version.
>>> 
>>> So I built and tested these two one after another under Core 
>>> 152/64bit.
>>> I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated 
>>> and installed too, yesterday to 0.5.36.
>>> 
>>> Both built without problems, both installed without problems, both 
>>> showed a strange behavior while running.
>>> 
>>> Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c 
>>> /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from 
>>> ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'.
>>> And I mean it. Idle. Nothing was going on.
>>> 
>>> Hardware:
>>> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
>>> 
>>> Can anyone confirm - or did I miss something?
>>> 
>>> Best,
>>> Matthias
>> 
> 
> 
> 


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4
       [not found] <276ec94c-01ff-9bce-16ce-234a2336c4c7@ipfire.org>
@ 2020-12-10 19:36 ` Michael Tremer
  2020-12-11 16:03   ` Matthias Fischer
  0 siblings, 1 reply; 15+ messages in thread
From: Michael Tremer @ 2020-12-10 19:36 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 2578 bytes --]

Hi,

> On 10 Dec 2020, at 18:31, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
> 
> On 10.12.2020 14:39, Michael Tremer wrote:
>> Hey Matthias,
> 
> Hi Michael,
> 
>> I checked but I cannot confirm this on my machine.
> 
> Hm...
> 
>> I also asked the others on the telephone conference and nobody saw anything suspicious either.
>> 
>> What hardware are you using, and what rules are you using?
> 
> Hardware is an old IPFire Duo Box ( ;-) ).
> 
> Profile:
> =>
> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
> 
> Today I - again - switched from 5.04 to 6.01 using Emerging Threats
> Rules. Cpu load immediately rose from 0.5-2% to ~10-12.5% (htop). See
> attached screenshots.

Okay, this looks bad.

> Then I deactivated a few rules (first wave at 17:35) - activating only
> 'botcc', 'drop', 'dshield', 'emerging-exploit', 'emerging-malware' and
> 'emerging-trojan' active. No change.

Can you try to disable all rules and see if that makes a change?

It would also be helpful to see if the CPU resources are being wasted on kernel stuff (sys) or in the user land (user). According to the graph it is 50/50. Can you confirm that?

> Right now I'm on 'suricata 6.0.4' with 'Talos VRT rules' (registered). No
> change. Hm.
> 
> Any ideas?
> 
> Best,
> Matthias

-Michael

> 
>> Best,
>> -Michael
>> 
>>> On 6 Dec 2020, at 11:08, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>> 
>>> Hi,
>>> 
>>> I'd like to have a little problem... ;-)
>>> 
>>> The other day I saw 'suricata 6.0.0' had its coming out - yesterday it
>>> was '6.0.1'. At that time I thought it might be a good idea to test the
>>> current version.
>>> 
>>> So I built and tested these two one after another under Core 152/64bit.
>>> I tested 6.0.0 some days ago, 6.0.1 yesterday. 'libhtp' was updated and
>>> installed too, yesterday to 0.5.36.
>>> 
>>> Both built without problems, both installed without problems, both
>>> showed a strange behavior while running.
>>> 
>>> Under *each* 6.0.X-version, the cpu load for '/usr/bin/suricata -c
>>> /etc/suricata/suricata.yaml -D -y 0:1' increased in *idle* mode from
>>> ~0.5%-2.0% to ~12% compared to 'suricata 5.0.4'.
>>> And I mean it. Idle. Nothing was going on.
>>> 
>>> Hardware:
>>> https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8
>>> 
>>> Can anyone confirm - or did I miss something?
>>> 
>>> Best,
>>> Matthias
>> 
> 
> <htop.png><ids_with_vrt.png><load_per_day.png><load_per_hour.png>


^ permalink raw reply	[flat|nested] 15+ messages in thread

end of thread, other threads:[~2020-12-14 20:34 UTC | newest]

Thread overview: 15+ messages
2020-12-06 10:08 suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4 Matthias Fischer
2020-12-10 13:39 ` Michael Tremer
2020-12-10 17:46   ` Matthias Fischer
     [not found] <276ec94c-01ff-9bce-16ce-234a2336c4c7@ipfire.org>
2020-12-10 19:36 ` Michael Tremer
2020-12-11 16:03   ` Matthias Fischer
     [not found] <H000007e004e35e1.1607700049.mail.at4b.com@MHS>
2020-12-11 16:00 ` Matthias Fischer
2020-12-11 19:07   ` Matthias Fischer
2020-12-11 23:33     ` Matthias Fischer
2020-12-12  1:18       ` Kienker, Fred
2020-12-14 14:26         ` Michael Tremer
2020-12-14 15:58           ` Peter Müller
2020-12-14 18:22             ` Adolf Belka
2020-12-14 20:34             ` Peter Müller
2020-12-14 16:07           ` Kienker, Fred
2020-12-12  0:52   ` Kienker, Fred
