[Oisf-devel] Suricata 1.3.4 freezing with 100% CPU Consumption

Eduardo Meyer dudu.meyer at gmail.com
Wed Aug 21 22:55:13 UTC 2013


Dear rmkml,

I did it. On first run, it got stuck on startup at full CPU usage, as Suricata
always does when it starts. But it never came back; it looped at 100% CPU usage
forever.

I killed it 4 minutes later. Restarted it, and now it is running fine, almost
2h without any issue. Seems more stable, besides that strange first startup.

I will keep monitoring its behavior, thanks for suggesting the obvious. I
relied on FreeBSD ports and was sure I was running the latest; it seems I was so
wrong ;-)

Meanwhile, what causes this warning?

21/8/2013 -- 19:04:16 - <Warning> - [ERRCODE: SC_WARN_OUTDATED_LIBHTP(202)]
- libhtp < 0.2.7 detected. Keyword http_raw_header will not be able to
inspect response headers.

According to the message it seems that my libhtp is old, lower than 0.2.7.
However, it's 0.3:

# ldd /usr/local/bin/suricata
/usr/local/bin/suricata:
    libmagic.so.4 => /usr/lib/libmagic.so.4 (0x80093c000)
    libhtp-0.3.so.1 => /usr/local/lib/libhtp-0.3.so.1 (0x800a55000)
    libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x800b6e000)
    libz.so.5 => /lib/libz.so.5 (0x800d68000)
    libpcap.so.7 => /lib/libpcap.so.7 (0x800e7d000)
    libnet.so.8 => /usr/local/lib/libnet11/libnet.so.8 (0x800fae000)
    libthr.so.3 => /lib/libthr.so.3 (0x8010c6000)
    libyaml-0.so.2 => /usr/local/lib/libyaml-0.so.2 (0x8011df000)
    libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x8012fe000)
    libc.so.7 => /lib/libc.so.7 (0x801458000)
# pkg_info -x libhtp
Information for libhtp-0.3.0_2:

Comment:
Security-aware parser for the HTTP protocol

Should I care about this warning?


On Wed, Aug 21, 2013 at 6:18 PM, rmkml <rmkml at yahoo.fr> wrote:

> Hi Eduardo,
> Could you try with the latest v1.4.5 if you have the same problem, please?
> Regards
> @Rmkml
>
>
>
> On Wed, 21 Aug 2013, Eduardo Meyer wrote:
>
>> Dear all,
>>
>> I have similar behavior here with Suricata 1.3.4 to the one reported
>> previously on Suricata 2.0. But here I am running FreeBSD.
>>
>> The behavior is: Suricata runs just fine for a couple of minutes. Sometimes
>> a couple of hours. Suddenly it freezes, but does not crash. It goes to 100%
>> CPU usage without a reason, with no relevant logs.
>>
>> System info:
>>
>> # uname -sr
>> FreeBSD 8.3-STABLE
>> # suricata -V
>> This is Suricata version 1.3.4 RELEASE
>>
>> Here is the output from "top -PH" when Suricata freezes:
>>
>> last pid: 58672;  load averages:  2.20,  2.14,
>> 1.70                          **                 up 56+21:32:10  16:42:22
>> 43 processes:  3 running, 40 sleeping
>> CPU 0: 85.8% user,  0.0% nice,  0.7% system,  0.0% interrupt, 13.5% idle
>> CPU 1: 13.9% user,  0.0% nice, 10.5% system,  0.0% interrupt, 75.6% idle
>> CPU 2: 18.0% user,  0.0% nice,  8.6% system,  0.0% interrupt, 73.3% idle
>> CPU 3: 80.5% user,  0.0% nice,  1.9% system,  0.0% interrupt, 17.6% idle
>> Mem: 654M Active, 492M Inact, 917M Wired, 908K Cache, 827M Buf, 5820M Free
>> Swap: 4096M Total, 5644K Used, 4090M Free
>>
>>   PID USERNAME      PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
>> 58385 root          119    0   814M   667M CPU3    3  18:48 100.00%
>> suricata{FlowManagerThre}
>> 58385 root          119    0   814M   667M CPU0    0  17:40 100.00%
>> suricata{RxPcapem31}
>> 95227 root           44    0 27264K  5864K select  3 126:48  0.39% snmpd
>>  2852 nagios         44    0  6888K  1024K select  1   4:02  0.00% nrpe2
>> 41132 root           44    0 23984K  1924K nanslp  1   3:23  0.00%
>> snortsam{snortsam}
>> 58385 root           44    0   814M   667M ucond   2   0:50  0.00%
>> suricata{Detect1}
>> 58385 root           44    0   814M   667M ucond   2   0:43  0.00%
>> suricata{Detect2}
>> 58385 root           44    0   814M   667M ucond   2   0:33  0.00%
>> suricata{Detect3}
>> 58385 root           44    0   814M   667M ucond   1   0:27  0.00%
>> suricata{Detect4}
>> 58385 root           44    0   814M   667M ucond   2   0:23  0.00%
>> suricata{Detect5}
>>  2087 root           44    0  6924K   956K select  1   0:15  0.00% syslogd
>> 58385 root           44    0   814M   667M ucond   2   0:13  0.00%
>> suricata{Detect6}
>>  2490 root           44    0  7980K  1008K nanslp  1   0:11  0.00% cron
>> 58385 root           44    0   814M   667M nanslp  2   0:11  0.00%
>> suricata{suricata}
>> 57994 root           44    0 24096K  9604K nanslp  2   0:02  0.00%
>> barnyard2
>>  2481 root           44    0 26180K  1216K select  2   0:01  0.00% sshd
>> 58553 root           44    0  9376K  2164K CPU1    2   0:00  0.00% top
>>  2311 root           48    0  5832K   972K select  3   0:00  0.00% rsync
>> 58367 root           44    0  5828K   900K kqread  3   0:00  0.00% tail
>> 58346 freebsdbrasil  44    0 38116K  4312K select  1   0:00  0.00% sshd
>> 58385 root           44    0   814M   667M ucond   1   0:00  0.00%
>> suricata{SCPerfWakeupThr}
>>
>> Both FlowManagerThread and RxPcapem31 go to 100% CPU, and the DetectX
>> threads that were running just fine become dead with 0% CPU usage.
>>
>> It won't fix until Suricata is killed with -9 and later restarted.
>>
>> It started happening a couple of days ago, without any relevant change on
>> the system or Suricata itself. Only Barnyard's block-sid.map is frequently
>> updated.
>>
>> How can some of you help me? Any suggestions on the possible causes for
>> this behavior?
>>
>> Thank you in advance!!
>>
>> --
>> ===========
>> Eduardo Meyer
>> pessoal: dudu.meyer at gmail.com
>> profissional: ddm.farmaciap at saude.gov.br
>>
>>


-- 
===========
Eduardo Meyer
pessoal: dudu.meyer at gmail.com
profissional: ddm.farmaciap at saude.gov.br
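The symptom described in this thread (FlowManagerThread and the packet-capture thread pinned at 100% while every Detect thread sits at 0%) is visible in a single `top -PH` snapshot, and the process list shows nrpe2 is already running on the box. The following script is an added example written for this page, not code from the thread or from the Suricata project. It parses the FreeBSD `top -PH` column layout quoted above (the sample input is constructed from that output, rejoined onto single lines), flags the spinning/idle combination, and maps it to Nagios-style exit codes so it could be wired into an NRPE check. Because the reply notes that Suricata legitimately spins at full CPU during startup, `hung_for` only raises the alarm when the condition persists across several consecutive samples. Thread-name prefixes (`Detect`), the 90% threshold and the sample count are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the wrapped "top -PH" output quoted in the thread,
# rejoined onto single lines. Not a real capture.
SAMPLE_TOP = """\
last pid: 58672;  load averages:  2.20,  2.14,  1.70  up 56+21:32:10  16:42:22
43 processes:  3 running, 40 sleeping
CPU 0: 85.8% user,  0.0% nice,  0.7% system,  0.0% interrupt, 13.5% idle

  PID USERNAME      PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
58385 root          119    0   814M   667M CPU3    3  18:48 100.00% suricata{FlowManagerThre}
58385 root          119    0   814M   667M CPU0    0  17:40 100.00% suricata{RxPcapem31}
95227 root           44    0 27264K  5864K select  3 126:48  0.39% snmpd
58385 root           44    0   814M   667M ucond   2   0:50  0.00% suricata{Detect1}
58385 root           44    0   814M   667M ucond   2   0:43  0.00% suricata{Detect2}
58385 root           44    0   814M   667M nanslp  2   0:11  0.00% suricata{suricata}
58553 root           44    0  9376K  2164K CPU1    2   0:00  0.00% top
"""


@dataclass
class ThreadRow:
    pid: int
    user: str
    state: str
    wcpu: float            # WCPU column, as a percentage
    process: str           # command name without the {thread} suffix
    thread: Optional[str]  # thread name inside the braces, if any


# "suricata{Detect1}" -> ("suricata", "Detect1"); "snmpd" -> ("snmpd", None)
COMMAND_RE = re.compile(r"^([^{\s]+)(?:\{([^}]*)\})?$")


def parse_top_threads(text: str) -> List[ThreadRow]:
    """Parse the per-thread table of FreeBSD 'top -PH' output."""
    rows: List[ThreadRow] = []
    in_table = False
    for line in text.splitlines():
        cols = line.split()
        if not in_table:
            # Everything before the column header is summary text; skip it.
            in_table = cols[:2] == ["PID", "USERNAME"]
            continue
        if len(cols) < 11:
            continue
        pid, user, _pri, _nice, _size, _res, state, _cpu, _time, wcpu = cols[:10]
        m = COMMAND_RE.match(cols[10])
        if m is None:
            continue
        rows.append(ThreadRow(int(pid), user, state, float(wcpu.rstrip("%")),
                              m.group(1), m.group(2)))
    return rows


def diagnose_hang(rows: List[ThreadRow], process: str = "suricata",
                  spin_threshold: float = 90.0) -> Dict[str, object]:
    """Flag the pattern from the thread: some threads spinning, all Detect threads idle."""
    mine = [r for r in rows if r.process == process]
    spinning = [r.thread or r.process for r in mine if r.wcpu >= spin_threshold]
    detect = [r for r in mine if r.thread and r.thread.startswith("Detect")]
    idle_detect = [r.thread for r in detect if r.wcpu == 0.0]
    hung = bool(spinning) and bool(detect) and len(idle_detect) == len(detect)
    return {"spinning": spinning, "idle_detect": idle_detect, "hung": hung}


def hung_for(history: List[Dict[str, object]], min_consecutive: int) -> bool:
    """Require the hang pattern across several samples, so startup spin is not an alert."""
    if len(history) < min_consecutive:
        return False
    return all(d["hung"] for d in history[-min_consecutive:])


def nrpe_status(history: List[Dict[str, object]], min_consecutive: int = 3) -> Tuple[int, str]:
    """Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL."""
    latest = history[-1]
    if hung_for(history, min_consecutive):
        return 2, "CRITICAL: %s spinning, detect threads idle: %s" % (
            ",".join(latest["spinning"]), ",".join(latest["idle_detect"]))
    if latest["spinning"]:
        return 1, "WARNING: high CPU in %s" % ",".join(latest["spinning"])
    return 0, "OK: no spinning threads"


if __name__ == "__main__":
    diag = diagnose_hang(parse_top_threads(SAMPLE_TOP))
    # Three identical samples stand in for three consecutive polls.
    code, msg = nrpe_status([diag, diag, diag])
    print(code, msg)
```

In a real check the three samples would come from successive `top -PH -d1` polls a few seconds apart rather than one snapshot repeated; the single-sample WARNING level lets you see the startup spin without paging anyone for it.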