[Oisf-devel] Suricata 1.3.4 freezing with 100% CPU Consumption

Eduardo Meyer dudu.meyer at gmail.com
Wed Aug 21 20:06:59 UTC 2013 

Dear all,

I have a similar behavior here with Suricata 1.3.4 to that one reported
previously on suricata 2.0. But here, I am running FreeBSD.

The behavior is: Suricata runs just fine for a couple minutes. Some times a
couple hours. Suddenly it freezes, but does not crash. It goes to 100% CPU
usage without a reson, with no relevant logs.

System info:

# uname -sr
FreeBSD 8.3-STABLE
# suricata -V
This is Suricata version 1.3.4 RELEASE

Here is the output from "top -PH" when Suricata freezes:

last pid: 58672;  load averages:  2.20,  2.14,
1.70                                           up 56+21:32:10  16:42:22
43 processes:  3 running, 40 sleeping
CPU 0: 85.8% user,  0.0% nice,  0.7% system,  0.0% interrupt, 13.5% idle
CPU 1: 13.9% user,  0.0% nice, 10.5% system,  0.0% interrupt, 75.6% idle
CPU 2: 18.0% user,  0.0% nice,  8.6% system,  0.0% interrupt, 73.3% idle
CPU 3: 80.5% user,  0.0% nice,  1.9% system,  0.0% interrupt, 17.6% idle
Mem: 654M Active, 492M Inact, 917M Wired, 908K Cache, 827M Buf, 5820M Free
Swap: 4096M Total, 5644K Used, 4090M Free

  PID USERNAME      PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
58385 root          119    0   814M   667M CPU3    3  18:48 100.00%
suricata{FlowManagerThre}
58385 root          119    0   814M   667M CPU0    0  17:40 100.00%
suricata{RxPcapem31}
95227 root           44    0 27264K  5864K select  3 126:48  0.39% snmpd
 2852 nagios         44    0  6888K  1024K select  1   4:02  0.00% nrpe2
41132 root           44    0 23984K  1924K nanslp  1   3:23  0.00%
snortsam{snortsam}
58385 root           44    0   814M   667M ucond   2   0:50  0.00%
suricata{Detect1}
58385 root           44    0   814M   667M ucond   2   0:43  0.00%
suricata{Detect2}
58385 root           44    0   814M   667M ucond   2   0:33  0.00%
suricata{Detect3}
58385 root           44    0   814M   667M ucond   1   0:27  0.00%
suricata{Detect4}
58385 root           44    0   814M   667M ucond   2   0:23  0.00%
suricata{Detect5}
 2087 root           44    0  6924K   956K select  1   0:15  0.00% syslogd
58385 root           44    0   814M   667M ucond   2   0:13  0.00%
suricata{Detect6}
 2490 root           44    0  7980K  1008K nanslp  1   0:11  0.00% cron
58385 root           44    0   814M   667M nanslp  2   0:11  0.00%
suricata{suricata}
57994 root           44    0 24096K  9604K nanslp  2   0:02  0.00% barnyard2
 2481 root           44    0 26180K  1216K select  2   0:01  0.00% sshd
58553 root           44    0  9376K  2164K CPU1    2   0:00  0.00% top
 2311 root           48    0  5832K   972K select  3   0:00  0.00% rsync
58367 root           44    0  5828K   900K kqread  3   0:00  0.00% tail
58346 freebsdbrasil  44    0 38116K  4312K select  1   0:00  0.00% sshd
58385 root           44    0   814M   667M ucond   1   0:00  0.00%
suricata{SCPerfWakeupThr}

Both FlowManagerThred and RxPcapem31 goes to 100% CPU and the DetectX
threads that were running just fine, becomes dead with 0% CPU usage.

It wont fix untill Suricata is killed -9 and later restarted.

It started happening a couple days ago, without and relevant change on the
system or suricata itself. Only Barnyard's block-sid.map is frequently
updated.

How can some of you help me? Any suggestions on the possible causes for
this behavior?

Thank you in advance!!

-- 
===========
Eduardo Meyer
pessoal: dudu.meyer at gmail.com
profissional: ddm.farmaciap at saude.gov.br
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20130821/4fdb21fc/attachment.html>

More information about the Oisf-devel mailing list