[Oisf-users] Suricata using 35% cpu with no load?

Peter Manev petermanev at gmail.com
Thu Jul 30 20:41:37 UTC 2015



> On 30 jul 2015, at 20:58, Duane Howard <duane.security at gmail.com> wrote:
> 
> When closing suri it reports 0 packets for the interface I'm mainly concerned with. There's also nothing in fast or other logs to indicate traffic.
> 
> 30/7/2015 -- 19:58:41 - <Notice> - Stats for 'bond0':  pkts: 0, drop: 0 (-nan%), invalid chksum: 0
> 

What is the output of suricata --build-info ?

If you have perf tools installed have a look at what in Suricata uses the most CPU - 
perf top -p pidofsuri

Thanks 


>> On Thu, Jul 30, 2015 at 12:57 PM, Alan Wanderley dos Santos <alan.santos at rnp.br> wrote:
>> Didi you see the fast.log and others logs? 
>> 
>> Maybe there are some traffic (icmp or broadcast for example) coming to virtual machine, even little being data, can generated a lot of logs and degree the performance.
>> 
>> I had a similar situation on a VM of testing.
>> 
>> Just a shot into darkness rsrs
>> 
>> Regards,
>> 
>> -----------------------------------------------
>> Alan Santos
>> Analista de Seguran├ža
>> Centro de Atendimento a Incidentes de Seguran├ža (CAIS)
>> Rede Nacional de Ensino e Pesquisa (RNP)
>> (19) 3787-3314 | alan.santos at rnp.br
>> 
>> De: "Duane Howard" <duane.security at gmail.com>
>> Para: "oisf-users" <oisf-users at openinfosecfoundation.org>
>> Enviadas: Quinta-feira, 30 de julho de 2015 16:50:51
>> Assunto: [Oisf-users] Suricata using 35% cpu with no load?
>> 
>> I've got a random virtual testing machine, and I'm seeing Suricata sitting at about 35% CPU load, even though there's absolutely no traffic heading to it at the moment. Is there an easy way to get Suricata to tell me what it's doing that would cause this? It occurs on real interfaces with low traffic, loopback, as well as bonds where there's no trafic.
>> ./d
>> 
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20150730/1d6d4ab9/attachment-0002.html>


More information about the Oisf-users mailing list