[Oisf-users] Suricata 1.3.4 problem

Martin Holste mcholste at gmail.com
Thu Dec 6 14:29:47 UTC 2012


Ok, then I'd be interested to know if upping the memcap from 1098M shows
the same behavior: max CPU due to hitting the memcap.

Maybe best to first try the new code Victor mentioned, though.


On Thu, Dec 6, 2012 at 7:09 AM, Paul Halliday <paul.halliday at gmail.com> wrote:

> Hi Martin,
>
> With those values changed the same thing happened.
>
> The only thing that was a little different was CPU utilization was far
> more varied. The time window from start to spike (200% utilization)
> was almost identical though.
>
> On Wed, Dec 5, 2012 at 9:05 PM, Martin Holste <mcholste at gmail.com> wrote:
> > Probably the flow timeouts as discussed earlier this week on the list. Try
> > out my aggressive flow timeout example and see if that fixes it.
> >
> >
> > On Wed, Dec 5, 2012 at 5:53 PM, Paul Halliday <paul.halliday at gmail.com>
> > wrote:
> >>
> >> Hi,
> >>
> >> Not quite sure what's happening but Suricata stops generating alerts
> >> after about 30 minutes of operation. Bandwidth during this test never
> >> peaked above 50. Running on FreeBSD 9.1
> >>
> >>
> >> MEM and CPU for the process (~30 second interval):
> >>
> >> 1354748069,804M,26.37%
> >> 1354748099,807M,25.15%
> >> 1354748129,812M,31.10%
> >> 1354748159,818M,26.76%
> >> ...
> >> 1354749629,1061M,27.25%
> >> 1354749659,1065M,24.27%
> >> 1354749689,1069M,26.12%
> >> 1354749719,1089M,26.12%
> >> 1354749749,1090M,36.38%
> >> 1354749779,1092M,108.30%
> >> 1354749809,1095M,108.11%
> >> 1354749839,1098M,108.06%
> >> 1354749869,1098M,196.78%
> >> 1354749899,1098M,200.00%
> >> 1354749929,1098M,200.00%
> >> 1354749959,1098M,200.00%
> >> 1354749989,1098M,200.00%
> >>
> >> Around the spike from 36 to 108 utilization Suricata throws this:
> >>
> >> 5/12/2012 -- 19:21:50 - <Info> - Flow emergency mode over, back to
> >> normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1354749710,
> >> ts.tv_usec:449629) flow_spare_q status(): 38% flows at the queue
> >>
> >> A knob I need to turn somewhere?
> >>
> >> Thanks!
> >>
> >> --
> >> Paul Halliday
> >> http://www.pintumbler.org/
> >> _______________________________________________
> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> OISF: http://www.openinfosecfoundation.org/
> >
> >
>
>
>
> --
> Paul Halliday
> http://www.pintumbler.org/
>
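The thread's diagnosis rests on reading two things together: the process memory/CPU samples (memory climbs, flattens at 1098M, then CPU pins at 200%) and the "Flow emergency mode over" log line with its `ts.tv_sec` and `flow_spare_q` percentage. The following is an added Python example, not code from the thread or from the Suricata project, that parses both from the figures quoted above, flags the point where memory stops growing while CPU saturates (a heuristic for "we have hit the flow memcap"; the memcap value itself is not stated in the thread, so the plateau is used as a proxy), and locates the sample nearest the log line's timestamp. The sample data and thresholds are constructed from the message; the function names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the epoch,RSS,CPU lines quoted in Paul's message (~30 s apart).
SAMPLES = """\
1354749629,1061M,27.25%
1354749659,1065M,24.27%
1354749689,1069M,26.12%
1354749719,1089M,26.12%
1354749749,1090M,36.38%
1354749779,1092M,108.30%
1354749809,1095M,108.11%
1354749839,1098M,108.06%
1354749869,1098M,196.78%
1354749899,1098M,200.00%
1354749929,1098M,200.00%
1354749959,1098M,200.00%
1354749989,1098M,200.00%
"""

# The Suricata log line quoted in the thread (constructed copy for the example).
LOG_LINE = (
    "5/12/2012 -- 19:21:50 - <Info> - Flow emergency mode over, back to "
    "normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1354749710, "
    "ts.tv_usec:449629) flow_spare_q status(): 38% flows at the queue"
)


@dataclass
class Sample:
    ts: int        # epoch seconds
    mem_mb: int    # resident memory in MB (the "M" suffix stripped)
    cpu_pct: float # CPU utilisation, 200% == two cores fully busy


def parse_samples(text: str) -> List[Sample]:
    """Parse 'epoch,<n>M,<pct>%' lines into Sample records; blank lines are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, mem, cpu = line.split(",")
        out.append(Sample(int(ts), int(mem.rstrip("M")), float(cpu.rstrip("%"))))
    return out


# Only the fields this specific message carries are matched: the flow timestamp
# and the spare-queue fill level.
FLOW_EMERGENCY_RE = re.compile(
    r"Flow emergency mode over.*?ts\.tv_sec:\s*(?P<ts>\d+).*?"
    r"flow_spare_q status\(\):\s*(?P<spare>\d+)% flows at the queue"
)


def parse_flow_emergency(line: str) -> Optional[dict]:
    """Extract ts.tv_sec and the spare-queue percentage from a 'Flow emergency mode over' line."""
    m = FLOW_EMERGENCY_RE.search(line)
    if not m:
        return None
    return {"ts": int(m.group("ts")), "spare_pct": int(m.group("spare"))}


def detect_memcap_saturation(samples: List[Sample], cpu_threshold: float = 100.0,
                             min_run: int = 3) -> Optional[Sample]:
    """Return the first sample of a run where memory stops changing for at least
    min_run consecutive samples while CPU stays at or above cpu_threshold.
    Heuristic (assumption): a flat RSS under full CPU load is what hitting the
    flow memcap looks like from outside the process."""
    run_start = 0
    for i in range(1, len(samples)):
        if samples[i].mem_mb != samples[run_start].mem_mb:
            run_start = i
            continue
        run_len = i - run_start + 1
        window = samples[run_start:i + 1]
        if run_len >= min_run and all(s.cpu_pct >= cpu_threshold for s in window):
            return samples[run_start]
    return None


def nearest_sample(samples: List[Sample], ts: int) -> Sample:
    """Sample whose timestamp is closest to ts, to line a log event up with the stats."""
    return min(samples, key=lambda s: abs(s.ts - ts))


if __name__ == "__main__":
    samples = parse_samples(SAMPLES)
    hit = detect_memcap_saturation(samples)
    event = parse_flow_emergency(LOG_LINE)
    print("plateau starts at", hit)                      # ts 1354749839, 1098M
    print("emergency-mode exit", event,
          "nearest sample", nearest_sample(samples, event["ts"]))  # 1354749719, 26.12% CPU
```

Run against the quoted data, the plateau begins at 1354749839 (memory frozen at 1098M, CPU already above 100%), and the "emergency mode over" event at 1354749710 lands next to the 1354749719 sample, i.e. just before the CPU climb starts. That ordering is what makes the memcap/flow-timeout explanation in the thread plausible: the flow engine had already been in emergency mode once and recovered, then ran out of headroom for good.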