<div dir="ltr"><div>Dear rmkml,<br><br></div><div>I did it. On firt run, it stucked on startup at full CPU usage, as Suricata always does when it starts. But it never came back, looped 100% CPU usage forever.<br><br></div>
<div>I killed it 4 minutes later. Restarted and now it is running fine, almost 2h without any issue. Seems more stable, besides that strange first startup.<br><br></div><div>I will keep monitoring its behavior, thanks for suggesting the obvious. I relied on FreeBSD ports and was sure I was running latest, seems I am so wrong ;-)<br>
</div><div><br></div>Meanwhile, what causes this warning?<br><div><br>21/8/2013 -- 19:04:16 - <Warning> - [ERRCODE: SC_WARN_OUTDATED_LIBHTP(202)] - libhtp < 0.2.7 detected. Keyword http_raw_header will not be able to inspect response headers.<br>
<br></div><div>According to the message it seems that my libhtp is old, minor than 0.2.7. However it's 3.0:<br><br># ldd /usr/local/bin/suricata<br>/usr/local/bin/suricata:<br> libmagic.so.4 => /usr/lib/libmagic.so.4 (0x80093c000)<br>
libhtp-0.3.so.1 => /usr/local/lib/libhtp-0.3.so.1 (0x800a55000)<br> libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x800b6e000)<br> libz.so.5 => /lib/libz.so.5 (0x800d68000)<br> libpcap.so.7 => /lib/libpcap.so.7 (0x800e7d000)<br>
libnet.so.8 => /usr/local/lib/libnet11/libnet.so.8 (0x800fae000)<br> libthr.so.3 => /lib/libthr.so.3 (0x8010c6000)<br> libyaml-0.so.2 => /usr/local/lib/libyaml-0.so.2 (0x8011df000)<br> libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x8012fe000)<br>
libc.so.7 => /lib/libc.so.7 (0x801458000)<br># pkg_info -x libhtp<br>Information for libhtp-0.3.0_2:<br><br>Comment:<br>Security-aware parser for the HTTP protocol<br><br></div><div>Should I care about this warning?<br>
</div><div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Aug 21, 2013 at 6:18 PM, rmkml <span dir="ltr"><<a href="mailto:rmkml@yahoo.fr" target="_blank">rmkml@yahoo.fr</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Eduardo,<br>
Could you try with latest v1.4.5 if you have same pb please ?<br>
Regards<span class=""><font color="#888888"><br>
@Rmkml</font></span><div class=""><div class="h5"><br>
<br>
<br>
On Wed, 21 Aug 2013, Eduardo Meyer wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Dear all,<br>
<br>
I have a similar behavior here with Suricata 1.3.4 to that one reported previously on suricata 2.0. But here, I am running FreeBSD.<br>
<br>
The behavior is: Suricata runs just fine for a couple minutes. Some times a couple hours. Suddenly it freezes, but does not crash. It goes to 100% CPU usage without a reson, with no relevant logs.<br>
<br>
System info:<br>
<br>
# uname -sr<br>
FreeBSD 8.3-STABLE<br>
# suricata -V<br>
This is Suricata version 1.3.4 RELEASE<br>
<br>
Here is the output from "top -PH" when Suricata freezes:<br>
<br>
last pid: 58672; load averages: 2.20, 2.14, 1.70 <u></u> up 56+21:32:10 16:42:22<br>
43 processes: 3 running, 40 sleeping<br>
CPU 0: 85.8% user, 0.0% nice, 0.7% system, 0.0% interrupt, 13.5% idle<br>
CPU 1: 13.9% user, 0.0% nice, 10.5% system, 0.0% interrupt, 75.6% idle<br>
CPU 2: 18.0% user, 0.0% nice, 8.6% system, 0.0% interrupt, 73.3% idle<br>
CPU 3: 80.5% user, 0.0% nice, 1.9% system, 0.0% interrupt, 17.6% idle<br>
Mem: 654M Active, 492M Inact, 917M Wired, 908K Cache, 827M Buf, 5820M Free<br>
Swap: 4096M Total, 5644K Used, 4090M Free<br>
<br>
PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND<br>
58385 root 119 0 814M 667M CPU3 3 18:48 100.00% suricata{FlowManagerThre}<br>
58385 root 119 0 814M 667M CPU0 0 17:40 100.00% suricata{RxPcapem31}<br>
95227 root 44 0 27264K 5864K select 3 126:48 0.39% snmpd<br>
2852 nagios 44 0 6888K 1024K select 1 4:02 0.00% nrpe2<br>
41132 root 44 0 23984K 1924K nanslp 1 3:23 0.00% snortsam{snortsam}<br>
58385 root 44 0 814M 667M ucond 2 0:50 0.00% suricata{Detect1}<br>
58385 root 44 0 814M 667M ucond 2 0:43 0.00% suricata{Detect2}<br>
58385 root 44 0 814M 667M ucond 2 0:33 0.00% suricata{Detect3}<br>
58385 root 44 0 814M 667M ucond 1 0:27 0.00% suricata{Detect4}<br>
58385 root 44 0 814M 667M ucond 2 0:23 0.00% suricata{Detect5}<br>
2087 root 44 0 6924K 956K select 1 0:15 0.00% syslogd<br>
58385 root 44 0 814M 667M ucond 2 0:13 0.00% suricata{Detect6}<br>
2490 root 44 0 7980K 1008K nanslp 1 0:11 0.00% cron<br>
58385 root 44 0 814M 667M nanslp 2 0:11 0.00% suricata{suricata}<br>
57994 root 44 0 24096K 9604K nanslp 2 0:02 0.00% barnyard2<br>
2481 root 44 0 26180K 1216K select 2 0:01 0.00% sshd<br>
58553 root 44 0 9376K 2164K CPU1 2 0:00 0.00% top<br>
2311 root 48 0 5832K 972K select 3 0:00 0.00% rsync<br>
58367 root 44 0 5828K 900K kqread 3 0:00 0.00% tail<br>
58346 freebsdbrasil 44 0 38116K 4312K select 1 0:00 0.00% sshd<br>
58385 root 44 0 814M 667M ucond 1 0:00 0.00% suricata{SCPerfWakeupThr}<br>
<br>
Both FlowManagerThred and RxPcapem31 goes to 100% CPU and the DetectX threads that were running just fine, becomes dead with 0% CPU usage.<br>
<br>
It wont fix untill Suricata is killed -9 and later restarted.<br>
<br>
It started happening a couple days ago, without and relevant change on the system or suricata itself. Only Barnyard's block-sid.map is frequently updated.<br>
<br>
How can some of you help me? Any suggestions on the possible causes for this behavior?<br>
<br>
Thank you in advance!!<br>
<br>
--<br>
===========<br>
Eduardo Meyer<br>
pessoal: <a href="mailto:dudu.meyer@gmail.com" target="_blank">dudu.meyer@gmail.com</a><br>
profissional: <a href="mailto:ddm.farmaciap@saude.gov.br" target="_blank">ddm.farmaciap@saude.gov.br</a><br>
<br>
</blockquote>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>===========<br>Eduardo Meyer<br>pessoal: <a href="mailto:dudu.meyer@gmail.com">dudu.meyer@gmail.com</a><br>profissional: <a href="mailto:ddm.farmaciap@saude.gov.br">ddm.farmaciap@saude.gov.br</a><br>
</div></div></div></div></div>