[Oisf-users] Suricata 1.3.4 problem
Anoop Saldanha
anoopsaldanha at gmail.com
Thu Dec 6 16:04:21 UTC 2012
On Thu, Dec 6, 2012 at 9:30 PM, Victor Julien <lists at inliniac.net> wrote:
> On 12/06/2012 03:29 PM, Martin Holste wrote:
>> Ok, then I'd be interested to know if upping the memcap from 1098M shows
>> the same behavior: max CPU due to hitting the memcap.
>>
>> Maybe best to first try the new code Victor mentioned, though.
>
> I just pushed out 1.3.5, please try that if you want to stay on the 1.3
> branch. However, if 1.4rc1 works well you might as well stay on that.
>
> Cheers,
> Victor
>
>>
>>
>> On Thu, Dec 6, 2012 at 7:09 AM, Paul Halliday <paul.halliday at gmail.com
>> <mailto:paul.halliday at gmail.com>> wrote:
>>
>> Hi Martin,
>>
>> With those values changed the same thing happened.
>>
>> The only thing that was a little different was CPU utilization was far
>> more varied. The time window from start to spike (200% utilization)
>> was almost identical though.
>>
>> On Wed, Dec 5, 2012 at 9:05 PM, Martin Holste <mcholste at gmail.com
>> <mailto:mcholste at gmail.com>> wrote:
>> > Probably the flow timeouts as discussed earlier this week on the
>> list. Try
>> > out my aggressive flow timeout example and see if that fixes it.
>> >
>> >
>> > On Wed, Dec 5, 2012 at 5:53 PM, Paul Halliday
>> <paul.halliday at gmail.com <mailto:paul.halliday at gmail.com>>
>> > wrote:
>> >>
>> >> Hi,
>> >>
>> >> Not quite sure whats happening but Suricata stops generating alerts
>> >> after about 30 minutes of operation. Bandwidth during this test never
>> >> peaked above 50. Running on FreeBSD 9.1
>> >>
>> >>
>> >> MEM and CPU for the process (~30 second interval):
>> >>
>> >> 1354748069,804M,26.37%
>> >> 1354748099,807M,25.15%
>> >> 1354748129,812M,31.10%
>> >> 1354748159,818M,26.76%
>> >> ...
>> >> 1354749629,1061M,27.25%
>> >> 1354749659,1065M,24.27%
>> >> 1354749689,1069M,26.12%
>> >> 1354749719,1089M,26.12%
>> >> 1354749749,1090M,36.38%
>> >> 1354749779,1092M,108.30%
>> >> 1354749809,1095M,108.11%
>> >> 1354749839,1098M,108.06%
>> >> 1354749869,1098M,196.78%
>> >> 1354749899,1098M,200.00%
>> >> 1354749929,1098M,200.00%
>> >> 1354749959,1098M,200.00%
>> >> 1354749989,1098M,200.00%
>> >>
>> >> In around the spike from 36 to 108 utilization Suricata throws this:
>> >>
>> >> 5/12/2012 -- 19:21:50 - <Info> - Flow emergency mode over, back to
>> >> normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1354749710,
>> >> ts.tv_usec:449629) flow_spare_q status(): 38% flows at the queue
>> >>
>> >> A knob I need to turn somewhere?
>> >>
>> >> Thanks!
>> >>
>> >> --
>> >> Paul Halliday
>> >> http://www.pintumbler.org/
>> >> _______________________________________________
>> >> Suricata IDS Users mailing list:
>> oisf-users at openinfosecfoundation.org
>> <mailto:oisf-users at openinfosecfoundation.org>
>> >> Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> >> List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >> OISF: http://www.openinfosecfoundation.org/
>> >
>> >
>>
>>
>>
>> --
>> Paul Halliday
>> http://www.pintumbler.org/
>>
>>
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>>
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
Looks like the flow dereference cleanup leak which is now fixed in 1.3.5.
--
Anoop Saldanha
More information about the Oisf-users
mailing list