[Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?

Anoop Saldanha anoopsaldanha at gmail.com
Thu Jul 11 03:25:34 UTC 2013


Cooper,

It would be nicer if you could still run the master.  It helps us test the
master in general, and either way the master has much better
performance than 1.4.x.

You can manually disable the dns parser for now by commenting out
these 2 lines -

diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c
index 41a899d..361bae6 100644
--- a/src/app-layer-parser.c
+++ b/src/app-layer-parser.c
@@ -1342,8 +1342,8 @@ void RegisterAppLayerParsers(void)
     RegisterFTPParsers();
     RegisterSSHParsers();
     RegisterSMTPParsers();
-    RegisterDNSUDPParsers();
-    RegisterDNSTCPParsers();
+    //RegisterDNSUDPParsers();
+    //RegisterDNSTCPParsers();
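Review bot: the two `//`-commented calls in RegisterAppLayerParsers() leave dead code with nothing saying why DNS is disabled; if this is kept even as a local workaround, a one-line comment above them (or wrapping the pair in `#if 0 ... #endif`) would make it clear it is temporary, and since Victor says a suricata.yaml/compile-time switch is coming in 2.0final, this should stay a local patch rather than a commit. Also note for the ET DNS sigs mentioned above: once RegisterDNSUDPParsers() and RegisterDNSTCPParsers() are skipped, any of those rules that depend on the DNS app-layer parser will no longer match, and only payload/content-based rules on port 53 keep working.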

On Thu, Jul 11, 2013 at 3:09 AM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>
> I'll have to ask my management about that.  I probably can share
> off-list the single packet captures we have of traffic flagged as
> non-DNS; but I use thresholding so it will only be the first packet of
> the transaction.  Full packet captures are probably not possible as we
> see gigabytes of data over port 53 every hour.
>
> I'm going to roll back to v1.4.3 for now so I can still monitor DNS
> traffic, thanks much for your help.
>
> - -Coop
>
> On 7/10/2013 2:06 PM, Victor Julien wrote:
>>
>> Are you able to share a capture of that non-dns port 53 traffic?
>>
>>> Additionally, is there a way to disable the various app-layer
>>> protocol handlers, either via suricata.yaml or at compile time?  I
>>> would still like to run the ET DNS sigs on our DNS traffic.
>>
>> Not yet, but it will be soon, for sure in 2.0final.
>>
>> Cheers,
>> Victor
>>
>>> -Coop
>>
>>> On 7/9/2013 11:46 PM, Peter Manev wrote:
>>>>>
>>>>> Question along those lines, what do the suricata devs feel
>>>>> about the various NIC offloading features re: interaction with
>>>>> suricata?
>>
>>>> These, I think should be OFF in general. Suricata must be able to
>>>> see the traffic as it is.
>>
>>>> Again, if I may, irqbalance and udp balancing are very
>>>> important.
>>
>>
>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> OISF: http://www.openinfosecfoundation.org/
>>
>>
>>
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042



-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
