[Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?

Anoop Saldanha anoopsaldanha at gmail.com
Mon Jul 8 23:51:33 EDT 2013


Cooper,

1. Can you reproduce this with every run?
2. Have you enabled the dns parser in the yaml?
3. Are event rules present in your loaded ruleset?
4. If (1) is true, can you locate the offending commit?

Possible to get a pcap(privately if you want) for this?

On Tue, Jul 9, 2013 at 5:49 AM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
> Ok then it is probably not the same problem.
>
> -----Original Message-----
> From: Cooper F. Nelson [mailto:cnelson at ucsd.edu]
> Sent: Monday, July 08, 2013 6:45 PM
> To: Leonard Jacobs
> Cc: oisf-users at openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I'm on the latest 3.8 series kernel.  The 3.9 series kernel did not work with the Intel ixgbe driver.
>
> - -Coop
>
>>3.8.12-gentoo #1 SMP Sat May 11 16:43:33 UTC 2013 x86_64 Intel(R)
>>Xeon(R) CPU X5560 @ 2.80GHz GenuineIntel GNU/Linux
>
> On 7/8/2013 4:37 PM, Leonard Jacobs wrote:
>> I believe that there is a known problem before kernel 3.5 in Linux.
>>
>> -----Original Message-----
>> From: oisf-users-bounces at openinfosecfoundation.org
>> [mailto:oisf-users-bounces at openinfosecfoundation.org] On Behalf Of
>> Cooper F. Nelson
>> Sent: Monday, July 08, 2013 5:08 PM
>> To: oisf-users at openinfosecfoundation.org
>> Subject: [Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?
>>
>> See subject.  The current dev. release of suricata has an issue where threads will get stuck at 100% cpu utilization after running for some period of time and stop processing packets.  The process then needs to terminated via 'kill -9' and restarted to free up the cores.  This does not happen in the production release.
>>
>> Is this a known issue?  The dev. release otherwise performs much better in our environment.
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>>
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQEcBAEBAgAGBQJR208CAAoJEKIFRYQsa8FWdREH/AhNu+YLqlzei5eJJ9JE3hIu
> 0XQWfn2E/8KUhdUzxEDwiQe2tttQr/DYRF+pRQx1hjGnwVafp01QhMYuBzE/tw/8
> BZKXCRxI4owJiW50gnxnwlOD53/OB1txoRbd+p4NZlGmniY96hQdnItspHdSKxMV
> kGfZEQ4nFRIJIwvbn2YwNvwEw9rLnFBUo5TXhwvfenS+oxGUErF2O4Hs9/skcNeq
> UKm1jmgKpT9SF0cMlFLrvTyheVqKYhI2Ruv3LcwwXAXyfBWceKIIeUOLQHH2omdc
> b4pIDnFcXOldnxvGghJXxcGoCv6EaeKT/K7q37mqngy54dSx5L9eouxzhA/JWyY=
> =7BOH
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/



-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------


More information about the Oisf-users mailing list