[Oisf-users] suricata freezes if no or little traffic is present on monitored interface

Yasha Zislin coolyasha at hotmail.com
Mon Dec 14 15:30:23 UTC 2015


I have been observing the following issue on multiple Suricata sensors. When the SPAN/TAP port has 0 packets and a small amount of broadcast packets, Suricata has issues. It hangs. If you try to do a rule-reload, it gets hung up on the last step where it says complete. Here are a few lines from suricata.log:

14/12/2015 -- 09:39:00 - <Info> - building signature grouping structure, stage 1: preprocessing rules... complete
14/12/2015 -- 09:39:01 - <Info> - building signature grouping structure, stage 2: building source address list... complete
14/12/2015 -- 09:49:51 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
14/12/2015 -- 09:50:54 - <Info> - Threshold config parsed: 71 rule(s) found
14/12/2015 -- 09:50:54 - <Notice> - rule reload starting
14/12/2015 -- 09:50:54 - <Info> - Live rule swap has swapped 15 old det_ctx's with new ones, along with the new de_ctx
It is supposed to say "rule reload complete" in the end. After this rule reload, CPU load on Suricata is almost non-existent. I assume that means that it doesn't inspect, or maybe it is because there is no load since not much traffic is present.
So after this reload fails, I cannot stop Suricata until I kill the process. I am running CentOS 6 64 bit with Suricata 2.1 beta4. I have not tried Suricata 3.0RC.
I am curious to see if there is a way to fix that on my current version.
Thank you.
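A small monitoring check for the symptom described in this message, added here as an example and not part of the original post or of Suricata itself: it parses suricata.log lines in the format shown above, flags a reload that logged "rule reload starting" but never "rule reload complete" within a grace period, and reports how long each signature-grouping stage took (stage 3 took almost eleven minutes in the posted log). It assumes the completion line reads exactly "rule reload complete", as the poster says it should; the sample input is the six lines from the post plus one constructed completion line for the healthy case.

```python
import re
from datetime import datetime, timedelta

# suricata.log line layout as seen in the post:
# "14/12/2015 -- 09:50:54 - <Notice> - rule reload starting"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} -- \d{2}:\d{2}:\d{2}) - <(?P<level>\w+)> - (?P<msg>.*)$"
)
TS_FMT = "%d/%m/%Y -- %H:%M:%S"

# Markers around a live rule swap. The start line is copied from the post;
# the exact wording of the completion line is an assumption based on the
# poster's remark that the log should end with "rule reload complete".
RELOAD_START = "rule reload starting"
RELOAD_DONE = "rule reload complete"

# Sample input: the six lines quoted in the post (a stalled reload).
SAMPLE_LOG = [
    "14/12/2015 -- 09:39:00 - <Info> - building signature grouping structure, stage 1: preprocessing rules... complete",
    "14/12/2015 -- 09:39:01 - <Info> - building signature grouping structure, stage 2: building source address list... complete",
    "14/12/2015 -- 09:49:51 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete",
    "14/12/2015 -- 09:50:54 - <Info> - Threshold config parsed: 71 rule(s) found",
    "14/12/2015 -- 09:50:54 - <Notice> - rule reload starting",
    "14/12/2015 -- 09:50:54 - <Info> - Live rule swap has swapped 15 old det_ctx's with new ones, along with the new de_ctx",
]
# Constructed: the same log with the completion line a healthy reload would print.
HEALTHY_LOG = SAMPLE_LOG + ["14/12/2015 -- 09:50:55 - <Notice> - rule reload complete"]


def parse_line(line):
    """Return (timestamp, level, message) or None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("level"), m.group("msg")


def find_stalled_reloads(lines, now, grace=timedelta(seconds=60)):
    """Start times of reloads that never logged RELOAD_DONE and are older
    than `grace` relative to `now` (the time the check runs)."""
    open_reloads = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _level, msg = parsed
        if msg.startswith(RELOAD_START):
            open_reloads.append(ts)
        elif msg.startswith(RELOAD_DONE) and open_reloads:
            open_reloads.pop(0)  # oldest open reload is the one that finished
    return [ts for ts in open_reloads if now - ts > grace]


def check_log(lines, now_str, grace_seconds=60):
    """Convenience wrapper returning stalled reload start times as log-format strings."""
    now = datetime.strptime(now_str, TS_FMT)
    stalled = find_stalled_reloads(lines, now, timedelta(seconds=grace_seconds))
    return [t.strftime(TS_FMT) for t in stalled]


def stage_durations(lines):
    """Seconds between consecutive 'building signature grouping structure'
    messages; an unusually long gap points at a slow or stuck stage."""
    stamps = [p[0] for p in map(parse_line, lines)
              if p and p[2].startswith("building signature grouping structure")]
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]


if __name__ == "__main__":
    print("stage gaps (s):", stage_durations(SAMPLE_LOG))
    print("stalled reloads:", check_log(SAMPLE_LOG, "14/12/2015 -- 09:55:00"))
    print("healthy log:", check_log(HEALTHY_LOG, "14/12/2015 -- 09:55:00"))
```

Run it against a live suricata.log with `now` set to the current time; a non-empty result from check_log is the condition the poster describes (CPU usage drops and the process no longer responds to a normal stop), which is worth alerting on before anyone has to kill the sensor by hand.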

