[Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?

Cooper F. Nelson cnelson at ucsd.edu
Tue Jul 9 19:49:18 UTC 2013


On 7/9/2013 12:17 AM, Peter Manev wrote:
> 
> Did this just happen after a reboot ? And/or kernel upgrade? Just
> making sure that the network card drivers are the latest and
> installed.

This is a Gentoo box that has been up for a couple months.  I tried
updating the driver yesterday after rebooting, the kernel today and have
reverted all local settings/optimizations to the OISF defaults as
recommended for a 10Gb system.

Under this configuration it definitely runs better (the load average
stays under 10), but a few threads still end up wedging after about
20 million packets each.  Over time the rest of the threads also
eventually exhibit the same behavior.

> Do you eventually run out of memory?

I haven't yet, but I can see the memory usage slowly increasing.  I have
48 gigs on this system so it would take awhile for it to run out.

I have noticed that I've started getting these errors in the
suricata.log file.  Is this the new 'dns parsers' feature?  Is there a
way to disable it to see if that's where the memory leak is?

> [21615] 9/7/2013 -- 19:38:31 - (app-layer-dns-common.c:420) <Info> (DNSResponseGetNameByOffset) -- input buffer too small for domain of len 192

> Something similar happened to our testing machine but there we fixed
> it with loading the latest kernel drivers for the network card and
> doing a
> " /etc/init.d/irqbalance restart "
> and load balancing the UDP flow again -
> "
> ethtool -n eth3 rx-flow-hash udp4
> ethtool -g eth3
> cat /proc/interrupts
> "
> on Ubuntu LTS - 3.2 kernel

Question along those lines, what do the suricata devs feel about the
various NIC offloading features re: interaction with suricata?

See:
http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html

I had these features disabled as per this article; but I've re-enabled
them for testing.

-Coop

> 
> Thanks
> 
> --
> Regards,
> Peter Manev
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
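The offloading question above (and the linked Security Onion post) comes down to which NIC features are currently on and how to turn them off for a capture interface. The script below is an added example, not code from this thread or from the Suricata project: it parses `ethtool -k` output, lists the capture-relevant offloads that are enabled and not marked `[fixed]`, and prints the matching `ethtool -K ... off` commands without executing them. The interface name `eth3` and the embedded `ethtool -k` output are constructed sample data; on a live sensor substitute `"$(ethtool -k eth3)"`.

```shell
#!/bin/sh
# Added example (not from the thread or Suricata): audit NIC offload features
# that change what a sniffer sees (GRO/LRO coalesce frames, TSO/GSO defer
# segmentation), and emit the ethtool commands that would disable them.
# ASSUMPTION: the interface name and SAMPLE_ETHTOOL_K below are constructed.

# Offload features commonly disabled on capture interfaces.
OFFLOAD_FEATURES="rx-checksumming tx-checksumming scatter-gather \
tcp-segmentation-offload udp-fragmentation-offload \
generic-segmentation-offload generic-receive-offload \
large-receive-offload rx-vlan-offload tx-vlan-offload"

# Constructed sample of `ethtool -k eth3` output, in ethtool's print format.
SAMPLE_ETHTOOL_K='Features for eth3:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: on'

# enabled_offloads OUTPUT -> one line per capture-relevant feature that is
# "on" and changeable (lines tagged "[fixed]" cannot be toggled, so skip them).
enabled_offloads() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in *'[fixed]'*) continue ;; esac
        name=${line%%:*}
        state=${line#*: }
        state=${state%% *}      # drop any trailing "[requested ...]" note
        for f in $OFFLOAD_FEATURES; do
            if [ "$name" = "$f" ] && [ "$state" = "on" ]; then
                printf '%s\n' "$name"
            fi
        done
    done
}

# ethtool_feature_flag NAME -> the short keyword `ethtool -K` accepts.
ethtool_feature_flag() {
    case "$1" in
        rx-checksumming)              echo rx ;;
        tx-checksumming)              echo tx ;;
        scatter-gather)               echo sg ;;
        tcp-segmentation-offload)     echo tso ;;
        udp-fragmentation-offload)    echo ufo ;;
        generic-segmentation-offload) echo gso ;;
        generic-receive-offload)      echo gro ;;
        large-receive-offload)        echo lro ;;
        rx-vlan-offload)              echo rxvlan ;;
        tx-vlan-offload)              echo txvlan ;;
        *) return 1 ;;
    esac
}

# disable_commands IFACE OUTPUT -> prints, but does not run, the `ethtool -K`
# lines that turn off every enabled capture-relevant offload on IFACE.
disable_commands() {
    iface=$1
    enabled_offloads "$2" | while IFS= read -r feat; do
        flag=$(ethtool_feature_flag "$feat") || continue
        printf 'ethtool -K %s %s off\n' "$iface" "$flag"
    done
}

# Live use (as root): disable_commands eth3 "$(ethtool -k eth3)" | sh
disable_commands eth3 "$SAMPLE_ETHTOOL_K"
```

Pipe the printed commands into `sh` only after reviewing them; re-run `ethtool -k` afterwards to confirm the features actually changed, since drivers silently refuse some toggles.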


