[Oisf-users] Suricata pegs a detect thread and drops packets

Cooper F. Nelson cnelson at ucsd.edu
Fri Jun 20 19:29:59 UTC 2014



Do you have transparent huge pages enabled in the kernel?

> $ sudo zcat /proc/config.gz | fgrep CONFIG_TRANSPARENT_HUGEPAGE
> CONFIG_TRANSPARENT_HUGEPAGE=y
> CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y

Before I enabled this I noticed suricata spending lots of time managing
memory.

-Coop

On 6/20/2014 12:12 PM, David Vasil wrote:
> I was able to do this after Detect5 hit 100% and stayed there.  I
> reverted back to my originally compiled suricata 2.0.1 deb package
> (without --enable-debug) as that flag created a ton of overhead - as you
> mentioned, probably due to not being compiled with optimization - and it
> also ended up core dumping several times.  I copied the unstripped
> libhtp lib and suricata binary (again, without --enable-debug) to the
> appropriate destinations and was able to see the debugging symbols as
> expected.  Attached is a 'perf top' drilling into the annotated code
> within htp_list_array_get showing where the time is being spent (I
> assume).  9d99, not in the screenshot, shows the following:
> 
>     0.08 :            9d99:       repz retq 
>          :            free(l->elements);                 
>          :            free(l);    
>          :        } 
> 
> GDB from this thread is here: http://pastebin.com/3tfjTsL0
> 
> Thanks!
> -dave
> 
> On Fri, Jun 20, 2014 at 9:41 AM, Anoop Saldanha <anoopsaldanha at gmail.com
> <mailto:anoopsaldanha at gmail.com>> wrote:
> 
>     I don't think --enable-debug compiles it with optimization.  Instead
>     compile it without optimization, i.e. either -g -O0 or -g -O3.  Copy
>     the new binaries over, like you previously did.  You will also have to
>     compile libhtp the same way.  You can either specify this in the
>     environment variable with configure or manually edit the configure
>     script and the makefiles, replacing all "-g -O2" with just "-g".
> 
>     1. You can start suricata, and wait for one of the detect threads to
>     hit the 100% cpu utilization mark (make a note of the detect
>     thread name).
>     2. Once you see that, attach gdb to the running process, and print the
>     threads using "info threads".  If you see the offending thread stuck
>     in the libhtp get() function call, switch over to that thread using "t
>     <thread_number>" and do a "print l".  The symbol "l" is inside the
>     libhtp get() function call.  Unless you have the detect thread inside
>     the libhtp get() function scope that we are trying to trace, you won't
>     have the symbol available for printing.
>     3. If when you do an "info threads", you don't see any of the threads
>     currently inside htp get() function (gone out of scope at that instance
>     of time t), continue the process in gdb, and keep a tab on the threads
>     with top/htop, till you see the detect thread(s) again hit the 100%
>     cpu mark, post which you can interrupt the process inside gdb again
>     and hopefully find the detect thread still inside the libhtp get()
>     function context.
> 
>     With the issue at hand, once the thread gets pegged, you should be
>     able to zero-in on the thread pretty quickly.  In case you can't, I'll
>     provide a debug patch to corner the issue.
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
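The procedure Anoop describes (watch top/htop for the pegged detect thread, then attach gdb and find it with "info threads") can be scripted. The following is an added example, not code from the thread or from the Suricata project; it assumes a Linux /proc filesystem, that the thread name (e.g. Detect5) is the comm field of /proc/<pid>/task/<tid>/stat, and that gdb is installed.

```shell
#!/bin/sh
# Added example (not from the thread): find the Suricata thread burning CPU
# and point gdb at it, automating the top/htop + "info threads" steps above.

# Read /proc-style stat lines on stdin, print "tid comm jiffies" for the
# busiest thread. The comm field is parenthesised and may itself contain
# spaces or '(' ')', so split at the LAST ')' instead of on whitespace.
# utime and stime are stat fields 14 and 15; after dropping "tid (comm)"
# they are fields 12 and 13 of the remainder.
# Note: these are cumulative counters. For a thread that is already pegged
# that is fine; otherwise take two samples and compare the difference.
hottest_thread() {
    awk 'BEGIN { best = -1 }
    {
        p = 0
        for (i = length($0); i > 0; i--) if (substr($0, i, 1) == ")") { p = i; break }
        if (p == 0) next
        head = substr($0, 1, p)
        n = split(substr($0, p + 2), f, " ")
        if (n < 13) next
        cpu = f[12] + f[13]
        tid = head; sub(/ .*/, "", tid)
        comm = head; sub(/^[^(]*\(/, "", comm); sub(/\)$/, "", comm)
        if (cpu > best) { best = cpu; best_tid = tid; best_comm = comm }
    }
    END { if (best >= 0) print best_tid, best_comm, best }'
}

# Dump the per-thread stat lines of a live process.
thread_stats() {
    for t in /proc/"$1"/task/*; do cat "$t/stat"; done
}

# Attach gdb non-interactively: list threads, map the kernel LWP id to gdb's
# thread number with "thread find", and show each thread's top frames so you
# can see whether the pegged detect thread sits inside htp_list_array_get.
# From there, "t <thread_number>" and "print l" are done interactively.
inspect_thread() {
    gdb -p "$1" -batch -ex 'info threads' -ex "thread find $2" \
        -ex 'thread apply all bt 5'
}

# Usage (hypothetical session):
#   pid=$(pidof suricata)
#   hot=$(thread_stats "$pid" | hottest_thread)   # e.g. "1005 Detect5 9950"
#   inspect_thread "$pid" "${hot%% *}"
```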


