<div dir="ltr"><div>[root@sniffer bin]# ./suricata -c suricata.yaml -i eth1 -vv</div><div>19/11/2015 -- 10:50:10 - <Notice> - This is Suricata version 2.0.9 RELEASE</div><div>19/11/2015 -- 10:50:10 - <Info> - CPUs/cores online: 8</div><div>19/11/2015 -- 10:50:10 - <Info> - 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.</div><div>19/11/2015 -- 10:50:10 - <Info> - 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.</div><div>19/11/2015 -- 10:50:10 - <Info> - DNS request flood protection level: 500</div><div>19/11/2015 -- 10:50:10 - <Info> - DNS per flow memcap (state-memcap): 524288</div><div>19/11/2015 -- 10:50:10 - <Info> - DNS global memcap: 16777216</div><div>19/11/2015 -- 10:50:10 - <Info> - Found an MTU of 1500 for 'eth1'</div><div>19/11/2015 -- 10:50:10 - <Info> - allocated 2097152 bytes of memory for the defrag hash... 65536 buckets of size 32</div><div>19/11/2015 -- 10:50:10 - <Info> - preallocated 65535 defrag trackers of size 116</div><div>19/11/2015 -- 10:50:10 - <Info> - defrag memory usage: 9699212 bytes, maximum: 33554432</div><div>19/11/2015 -- 10:50:10 - <Info> - AutoFP mode using default "Active Packets" flow load balancer</div><div>19/11/2015 -- 10:50:10 - <Info> - preallocated 1024 packets. Total memory 2789376</div><div>19/11/2015 -- 10:50:10 - <Info> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64</div><div>19/11/2015 -- 10:50:10 - <Info> - preallocated 1000 hosts of size 72</div><div>19/11/2015 -- 10:50:10 - <Info> - host memory usage: 342144 bytes, maximum: 16777216</div><div>19/11/2015 -- 10:50:10 - <Info> - allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64</div><div>19/11/2015 -- 10:50:10 - <Info> - preallocated 10000 flows of size 188</div><div>19/11/2015 -- 10:50:10 - <Info> - flow memory usage: 6114304 bytes, maximum: 67108864</div><div>19/11/2015 -- 10:50:10 - <Info> - stream "prealloc-sessions": 2048 (per thread)</div><div>19/11/2015 -- 10:50:10 - <Info> - stream "memcap": 33554432</div><div>19/11/2015 -- 10:50:10 - <Info> - stream "midstream" session pickups: disabled</div><div>19/11/2015 -- 10:50:10 - <Info> - stream "async-oneside": disabled</div><div>19/11/2015 -- 10:50:10 - <Info> - stream "checksum-validation": enabled</div><div>19/11/2015 -- 10:50:10 - <Info> - stream."inline": disabled</div><div>19/11/2015 -- 10:50:10 - <Info> - stream "max-synack-queued": 5</div><div>19/11/2015 -- 10:50:10 - <Info> - stream.reassembly "memcap": 134217728</div><div>19/11/2015 -- 10:50:10 - <Info> - stream.reassembly "depth": 1048576</div><div>19/11/2015 -- 10:50:10 - <Info> - stream.reassembly "toserver-chunk-size": 2518</div><div>19/11/2015 -- 10:50:10 - <Info> - stream.reassembly "toclient-chunk-size": 2584</div><div>19/11/2015 -- 10:50:10 - <Info> - stream.reassembly.raw: enabled</div><div>19/11/2015 -- 10:50:10 - <Info> - segment pool: pktsize 4, prealloc 256</div><div>19/11/2015 -- 10:50:10 - <Info> - segment pool: pktsize 16, prealloc 512</div><div>19/11/2015 -- 10:50:10 - <Info> - segment pool: pktsize 112, prealloc 512</div><div>19/11/2015 -- 10:50:10 - <Info> - segment pool: pktsize 248, prealloc 512</div><div>19/11/2015 -- 10:50:10 - <Info> - segment pool: pktsize 512, prealloc 512</div><div>19/11/2015 -- 10:50:10 - <Info> - segment pool: pktsize 768, prealloc 1024</div><div>19/11/2015 -- 10:50:10 - <Info> - segment pool: pktsize 1448, prealloc 1024</div><div>19/11/2015 -- 10:50:10 - <Info> - segment pool: pktsize 65535, prealloc 128</div><div>19/11/2015 -- 10:50:10 - <Info> - stream.reassembly "chunk-prealloc": 250</div><div>19/11/2015 -- 10:50:10 - <Info> - IP reputation disabled</div><div>19/11/2015 -- 10:50:10 - <Info> - using magic-file /usr/share/file/magic</div><div>19/11/2015 -- 10:50:10 - <Info> - Delayed detect disabled</div><div>19/11/2015 -- 10:50:10 - <Info> - 1 rule files processed. 1 rules successfully loaded, 0 rules failed</div><div>19/11/2015 -- 10:50:10 - <Info> - 1 signatures processed. 1 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only</div><div>19/11/2015 -- 10:50:10 - <Info> - building signature grouping structure, stage 1: preprocessing rules... complete</div><div>19/11/2015 -- 10:50:10 - <Info> - building signature grouping structure, stage 2: building source address list... complete</div><div>19/11/2015 -- 10:50:10 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete</div><div>19/11/2015 -- 10:50:10 - <Info> - Threshold config parsed: 0 rule(s) found</div><div>19/11/2015 -- 10:50:10 - <Info> - Core dump size set to unlimited.</div><div>19/11/2015 -- 10:50:10 - <Info> - fast output device (regular) initialized: fast.log</div><div>19/11/2015 -- 10:50:10 - <Warning> - [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - Eve-log support not compiled in. Reconfigure/recompile with libjansson and its development files installed to add eve-log support.</div><div>19/11/2015 -- 10:50:10 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB</div><div>19/11/2015 -- 10:50:10 - <Info> - http-log output device (regular) initialized: http.log</div><div>19/11/2015 -- 10:50:10 - <Info> - Using 1 live device(s).</div><div>19/11/2015 -- 10:50:10 - <Info> - using interface eth1</div><div>19/11/2015 -- 10:50:10 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.</div><div>19/11/2015 -- 10:50:10 - <Info> - Found an MTU of 1500 for 'eth1'</div><div>19/11/2015 -- 10:50:10 - <Info> - Set snaplen to 1516 for 'eth1'</div><div>19/11/2015 -- 10:50:10 - <Info> - Generic Receive Offload is set on eth1</div><div>19/11/2015 -- 10:50:10 - <Info> - Large Receive Offload is unset on eth1</div><div>19/11/2015 -- 10:50:10 - <Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using Pcap capture with GRO or LRO activated can lead to capture problems.</div><div>19/11/2015 -- 10:50:10 - <Info> - RunModeIdsPcapAutoFp initialised</div><div>19/11/2015 -- 10:50:10 - <Notice> - all 13 packet processing threads, 3 management threads initialized, engine started.</div><div>19/11/2015 -- 10:50:10 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 19, 2015 at 10:10 AM, Andreas Herz <span dir="ltr"><<a href="mailto:andi@geekosphere.org" target="_blank">andi@geekosphere.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Can you provide the verbose output from suricata?<br>
Just add -vv to your runcommand.<br>
<br>
Please keep the Mailinglist in CC :)<br>
<div class="HOEnZb"><div class="h5"><br>
On 19/11/15 at 10:03, Satish Patel wrote:<br>
> Thanks for reply, here is the answer of your question:<br>
><br>
> 1. Without traffic CPU usage is 1 to 2% so its very low..<br>
> 2. I have checked on TAP interface traffic and its around 150mbps traffic..<br>
> all UDP/RTP. ( do you think this traffic is hight?)<br>
> 4. OS type: CentOS 6 (32bit) Linux<br>
> 3. Following build-info output<br>
><br>
> [root@sniffer bin]# /usr/local/suricata/bin/suricata --build-info<br>
> This is Suricata version 2.0.9 RELEASE<br>
> Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET<br>
> HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK<br>
> SIMD support: SSE_4_1 SSE_3<br>
> Atomic intrisics: 1 2 4 8 byte(s)<br>
> 32-bits, Little-endian architecture<br>
> GCC version 4.4.7 20120313 (Red Hat 4.4.7-16), C version 199901<br>
> L1 cache line size (CLS)=64<br>
> compiled with LibHTP v0.5.18, linked against LibHTP v0.5.18<br>
> Suricata Configuration:<br>
> AF_PACKET support: yes<br>
> PF_RING support: no<br>
> NFQueue support: no<br>
> NFLOG support: no<br>
> IPFW support: no<br>
> DAG enabled: no<br>
> Napatech enabled: no<br>
> Unix socket enabled: no<br>
> Detection enabled: yes<br>
><br>
> libnss support: no<br>
> libnspr support: no<br>
> libjansson support: no<br>
> Prelude support: no<br>
> PCRE jit: no<br>
> LUA support: no<br>
> libluajit: no<br>
> libgeoip: no<br>
> Non-bundled htp: no<br>
> Old barnyard2 support: no<br>
> CUDA enabled: no<br>
><br>
> Suricatasc install: yes<br>
><br>
> Unit tests enabled: no<br>
> Debug output enabled: no<br>
> Debug validation enabled: no<br>
> Profiling enabled: no<br>
> Profiling locks enabled: no<br>
> Coccinelle / spatch: no<br>
><br>
> Generic build parameters:<br>
> Installation prefix (--prefix): /usr/local/suricata<br>
> Configuration directory (--sysconfdir): /usr/local/suricata/etc/suricata/<br>
> Log directory (--localstatedir) :<br>
> /usr/local/suricata/var/log/suricata/<br>
><br>
> Host: i686-pc-linux-gnu<br>
> GCC binary: gcc<br>
> GCC Protect enabled: no<br>
> GCC march native enabled: yes<br>
> GCC Profile enabled: no<br>
><br>
> On Thu, Nov 19, 2015 at 5:23 AM, Andreas Herz <<a href="mailto:andi@geekosphere.org">andi@geekosphere.org</a>> wrote:<br>
><br>
> > On 18/11/15 at 23:24, Satish Patel wrote:<br>
> > > I am new user and just playing with IDS. I have install suricata-2.0.9<br>
> > > without any PF_RING or any other special flags etc.<br>
> ><br>
> > You did compile it by yourself?<br>
> > Can you post "suricata --build-info"?<br>
> ><br>
> > > I am running it on DL360 G8 with 4GB memory. following command i am<br>
> > using<br>
> > > to run on command line.<br>
> > ><br>
> > > ./suricata -c suricata.yaml -i eth1<br>
> ><br>
> > Please add -vv and post the output, so we can see if any relevant infos<br>
> > are logged.<br>
> ><br>
> > > on top command it is showing 200% CPU usage without any single rules (if<br>
> > i<br>
> > > load all rules it touch 350% CPU). my traffic rate would be 150mbps<br>
> > > around. ( I am using standard suricata.yaml config file without any<br>
> > > modification )<br>
> ><br>
> > You could use strace to see what happens.<br>
> > Does this happen without traffic, too?<br>
> ><br>
> > --<br>
> > Andreas Herz<br>
> ><br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
Andreas Herz<br>
</font></span></blockquote></div><br></div>