[Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?
Duarte Silva
duarte.silva at serializing.me
Tue Jul 9 08:39:07 UTC 2013
On Monday 08 July 2013 21:03:16 Cooper F. Nelson wrote:
> On 7/8/2013 8:51 PM, Anoop Saldanha wrote:
> > Cooper,
> >
> > 1. Can you reproduce this with every run?
>
> Yes.
>
> > 2. Have you enabled the dns parser in the yaml?
>
> No.
>
> > 3. Are event rules present in your loaded ruleset?
>
> No.
>
> > 4. If (1) is true, can you locate the offending commit?
>
> Unfortunately, no. I think it was during the week prior to June 21st,
> as I went on vacation that day and reverted back to the stable release
> to address the issue.
>
> > Possible to get a pcap(privately if you want) for this?
>
> That would be difficult. It's a production 10Gb system and it happens
> regardless of traffic after a period of time. I followed this guide
> almost exactly:
>
> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
>
> I think if you try the current 2.0 series dev branch in that
> configuration against live traffic you can reproduce the issue.
>
> It may be related to this issue, the symptoms are identical:
>
> http://comments.gmane.org/gmane.comp.security.ids.oisf.user/2438
Hi Cooper,
you can compare back traces with the ones attached to the issue 822 [1] in
Suricata bug tracker.
Best regards,
Duarte Silva
[1] https://redmine.openinfosecfoundation.org/issues/822
>
> > On Tue, Jul 9, 2013 at 5:49 AM, Leonard Jacobs <ljacobs at netsecuris.com>
wrote:
> >> Ok then it is probably not the same problem.
> >>
> >> -----Original Message-----
> >> From: Cooper F. Nelson [mailto:cnelson at ucsd.edu]
> >> Sent: Monday, July 08, 2013 6:45 PM
> >> To: Leonard Jacobs
> >> Cc: oisf-users at openinfosecfoundation.org
> >> Subject: Re: [Oisf-users] Suricata 2.0 dev, 100% cpu utilization in
> >> AF_PACKET + workers mode?>
> > I'm on the latest 3.8 series kernel. The 3.9 series kernel did not work
> > with the Intel ixgbe driver.
> >
> > -Coop
> >
> >>>> 3.8.12-gentoo #1 SMP Sat May 11 16:43:33 UTC 2013 x86_64 Intel(R)
> >>>> Xeon(R) CPU X5560 @ 2.80GHz GenuineIntel GNU/Linux
> >
> > On 7/8/2013 4:37 PM, Leonard Jacobs wrote:
> >>>> I believe that there is a known problem before kernel 3.5 in Linux.
> >>>>
> >>>> -----Original Message-----
> >>>> From: oisf-users-bounces at openinfosecfoundation.org
> >>>> [mailto:oisf-users-bounces at openinfosecfoundation.org] On Behalf Of
> >>>> Cooper F. Nelson
> >>>> Sent: Monday, July 08, 2013 5:08 PM
> >>>> To: oisf-users at openinfosecfoundation.org
> >>>> Subject: [Oisf-users] Suricata 2.0 dev, 100% cpu utilization in
> >>>> AF_PACKET + workers mode?
> >>>>
> >>>> See subject. The current dev. release of suricata has an issue where
> >>>> threads will get stuck at 100% cpu utilization after running for some
> >>>> period of time and stop processing packets. The process then needs to
> >>>> terminated via 'kill -9' and restarted to free up the cores. This
> >>>> does not happen in the production release.
> >>>>
> >>>> Is this a known issue? The dev. release otherwise performs much better
> >>>> in our environment.
> >>>>
> >>>> _______________________________________________
> >>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >>>> Site: http://suricata-ids.org | Support:
> >>>> http://suricata-ids.org/support/
> >>>> List:
> >>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >>>> OISF: http://www.openinfosecfoundation.org/
> >>
> >> _______________________________________________
> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> OISF: http://www.openinfosecfoundation.org/
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
More information about the Oisf-users
mailing list