[Oisf-users] suricata freezes if no or little traffic is present on monitored interface

Victor Julien lists at inliniac.net
Mon Dec 14 15:43:23 UTC 2015


On 14-12-15 16:30, Yasha Zislin wrote:
> I have been observing the following issue on multiple Suricata sensors.
> When the SPAN/TAP port has 0 packets and a small amount of broadcast packets,
> Suricata has issues. It hangs. If you try to do a rule-reload, it gets
> hung up on the last step where it says complete. Here are a few lines
> from suricata.log:
> 14/12/2015 -- 09:39:00 - <Info> - building signature grouping structure,
> stage 1: preprocessing rules... complete
> 14/12/2015 -- 09:39:01 - <Info> - building signature grouping structure,
> stage 2: building source address list... complete
> 14/12/2015 -- 09:49:51 - <Info> - building signature grouping structure,
> stage 3: building destination address lists... complete
> 14/12/2015 -- 09:50:54 - <Info> - Threshold config parsed: 71 rule(s) found
> 14/12/2015 -- 09:50:54 - <Notice> - rule reload starting
> 14/12/2015 -- 09:50:54 - <Info> - Live rule swap has swapped 15 old
> det_ctx's with new ones, along with the new de_ctx
> 
> It is supposed to say rule reload complete in the end.
> After this rule reload, CPU load on Suricata is almost non-existent. I
> assume that means that it doesn't inspect, or maybe it is because there is
> no load since not much traffic is present.
> 
> So after this reload fails, I cannot stop suricata until I kill the process.
> I am running CentOS 6 64 bit with suricata 2.1 beta4.
> I have not tried Suricata 3.0RC.
> 
> I am curious to see if there is a way to fix that on my current version.

IIRC you are on PF_RING? Our PF_RING support has this problem (also with
shutdown) because it blocks the thread while waiting for packets. In
other capture methods the read times out after some time, but the
PF_RING API doesn't support this directly.

Some work has been done by Alfredo from ntop, but it was never
completed: https://github.com/inliniac/suricata/pull/1696

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
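
The difference between a blocking read and a read that times out, as described in the reply above, shown as an added example (not Suricata or PF_RING code). A Unix datagram socketpair stands in for the capture handle and a child process stands in for whatever requests the reload or shutdown; all names here are hypothetical.

```c
#define _DEFAULT_SOURCE /* MAP_ANONYMOUS under strict -std= modes */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

struct loop_result { int packets, idle_wakeups, saw_stop; };
/* Wait at most timeout_ms per iteration, then re-check the stop flag. A read
 * that blocks until a packet arrives never gets back here on an idle link. */
static struct loop_result capture_loop(int fd, volatile int *stop, int timeout_ms) {
    struct loop_result r = {0, 0, 0};
    char buf[2048];
    while (!*stop) {
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int n = poll(&p, 1, timeout_ms);
        if (n < 0) { if (errno == EINTR) continue; break; } /* retry or give up */
        if (n == 0) { r.idle_wakeups++; continue; }   /* timed out, no packets */
        if (recv(fd, buf, sizeof buf, 0) <= 0) break; /* error or closed */
        r.packets++;
    }
    r.saw_stop = *stop ? 1 : 0;
    return r;
}

/* Constructed scenario: two datagrams, then silence. A child process stands in
 * for the management side and sets the shared stop flag after delay_ms. */
static struct loop_result run_idle_link_demo(int delay_ms, int timeout_ms) {
    struct loop_result fail = {-1, -1, 0};
    int sv[2];
    volatile int *stop = mmap(NULL, sizeof *stop, PROT_READ | PROT_WRITE,
                              MAP_SHARED | MAP_ANONYMOUS, -1, 0); /* zero-filled */
    if (stop == MAP_FAILED || socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return fail;
    if (send(sv[1], "pkt1", 4, 0) != 4 || send(sv[1], "pkt2", 4, 0) != 4) return fail;
    pid_t pid = fork();
    if (pid < 0) return fail;
    if (pid == 0) { poll(NULL, 0, delay_ms); *stop = 1; _exit(0); } /* sleep, flag */
    struct loop_result r = capture_loop(sv[0], stop, timeout_ms);
    waitpid(pid, NULL, 0);
    close(sv[0]); close(sv[1]); munmap((void *)stop, sizeof *stop);
    return r;
}

int main(void) {
    struct loop_result r = run_idle_link_demo(500, 50);
    printf("packets=%d idle_wakeups=%d saw_stop=%d\n", r.packets, r.idle_wakeups, r.saw_stop);
    return 0;
}
```

With an infinite timeout (-1) in place of timeout_ms, the loop would stay inside poll() after the second datagram and the stop flag would never be observed.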



