[Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?

Tue Jul 9 04:03:16 UTC 2013

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 7/8/2013 8:51 PM, Anoop Saldanha wrote:
> Cooper,
> 
> 1. Can you reproduce this with every run?

Yes.

> 2. Have you enabled the dns parser in the yaml?

No.

> 3. Are event rules present in your loaded ruleset?

No.

> 4. If (1) is true, can you locate the offending commit?

Unfortunately, no.  I think it was during the week prior to June 21st,
as I went on vacation that day and reverted back to the stable release
to address the issue.

> Possible to get a pcap(privately if you want) for this?

That would be difficult.  It's a production 10Gb system and it happens
regardless of traffic after a period of time.  I followed this guide
almost exactly:

https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/

I think if you try the current 2.0 series dev branch in that
configuration against live traffic you can reproduce the issue.

It may be related to this issue, the symptoms are identical:

http://comments.gmane.org/gmane.comp.security.ids.oisf.user/2438

> On Tue, Jul 9, 2013 at 5:49 AM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
>> Ok then it is probably not the same problem.
>>
>> -----Original Message-----
>> From: Cooper F. Nelson [mailto:cnelson at ucsd.edu]
>> Sent: Monday, July 08, 2013 6:45 PM
>> To: Leonard Jacobs
>> Cc: oisf-users at openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?
>>
> I'm on the latest 3.8 series kernel.  The 3.9 series kernel did not work with the Intel ixgbe driver.
> 
> -Coop
> 
>>>> 3.8.12-gentoo #1 SMP Sat May 11 16:43:33 UTC 2013 x86_64 Intel(R)
>>>> Xeon(R) CPU X5560 @ 2.80GHz GenuineIntel GNU/Linux
> 
> On 7/8/2013 4:37 PM, Leonard Jacobs wrote:
>>>> I believe that there is a known problem before kernel 3.5 in Linux.
>>>>
>>>> -----Original Message-----
>>>> From: oisf-users-bounces at openinfosecfoundation.org
>>>> [mailto:oisf-users-bounces at openinfosecfoundation.org] On Behalf Of
>>>> Cooper F. Nelson
>>>> Sent: Monday, July 08, 2013 5:08 PM
>>>> To: oisf-users at openinfosecfoundation.org
>>>> Subject: [Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?
>>>>
>>>> See subject.  The current dev. release of suricata has an issue where threads will get stuck at 100% cpu utilization after running for some period of time and stop processing packets.  The process then needs to terminated via 'kill -9' and restarted to free up the cores.  This does not happen in the production release.
>>>>
>>>> Is this a known issue?  The dev. release otherwise performs much better in our environment.
>>>>
>>>> _______________________________________________
>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>> Site: http://suricata-ids.org | Support:
>>>> http://suricata-ids.org/support/
>>>> List:
>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>> OISF: http://www.openinfosecfoundation.org/
>>>>
> 
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
> 
> 
> 

- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJR24uEAAoJEKIFRYQsa8FWEdsH/2HgAi2sLfU01qVv4z1R/LRK
EtuvEjZmyM9NRVu6rYOu+7CNF8R5putjnomJ0tTY5MWpMDtwTNAwg2wMa4UhOy/J
+Qz+EPsljV9OC90tG+rQvC3xKO61d5pXh33lB3QmClUZY26XVEP8nIPuG/NKhCqb
mEdtT+3BEow712hbqmTlyJOwc3vBcFW2p3fwjgTBFCKFVuZKdwJaUwALHpqTQ26E
RXZlqnvXzLRxQNgnAHAZa/164sXFgLkOevXdQ7+c+4NAZ4bkfNK0bsebm41vdXna
ssCU8bfJJvW1QsplpetCZRYTAiv1/pIczeWWihI+lR4zOhyeXDwxXtg3vM/q/jc=
=/cMz
-----END PGP SIGNATURE-----