[Oisf-users] High CPU usage without any rules

Andreas Herz andi at geekosphere.org
Thu Nov 19 15:10:43 UTC 2015 

Can you provide the verbose output from suricata?
Just add -vv to your runcommand.

Please keep the Mailinglist in CC :)

On 19/11/15 at 10:03, Satish Patel wrote:
> Thanks for reply, here is the answer of your question:
> 
> 1. Without traffic CPU usage is 1 to 2% so its very low..
> 2. I have checked on TAP interface traffic and its around 150mbps traffic..
> all UDP/RTP.  ( do you think this traffic is hight?)
> 4. OS type: CentOS 6 (32bit) Linux
> 3. Following build-info output
> 
> [root at sniffer bin]# /usr/local/suricata/bin/suricata --build-info
> This is Suricata version 2.0.9 RELEASE
> Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET
> HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
> SIMD support: SSE_4_1 SSE_3
> Atomic intrisics: 1 2 4 8 byte(s)
> 32-bits, Little-endian architecture
> GCC version 4.4.7 20120313 (Red Hat 4.4.7-16), C version 199901
> L1 cache line size (CLS)=64
> compiled with LibHTP v0.5.18, linked against LibHTP v0.5.18
> Suricata Configuration:
>   AF_PACKET support:                       yes
>   PF_RING support:                         no
>   NFQueue support:                         no
>   NFLOG support:                           no
>   IPFW support:                            no
>   DAG enabled:                             no
>   Napatech enabled:                        no
>   Unix socket enabled:                     no
>   Detection enabled:                       yes
> 
>   libnss support:                          no
>   libnspr support:                         no
>   libjansson support:                      no
>   Prelude support:                         no
>   PCRE jit:                                no
>   LUA support:                             no
>   libluajit:                               no
>   libgeoip:                                no
>   Non-bundled htp:                         no
>   Old barnyard2 support:                   no
>   CUDA enabled:                            no
> 
>   Suricatasc install:                      yes
> 
>   Unit tests enabled:                      no
>   Debug output enabled:                    no
>   Debug validation enabled:                no
>   Profiling enabled:                       no
>   Profiling locks enabled:                 no
>   Coccinelle / spatch:                     no
> 
> Generic build parameters:
>   Installation prefix (--prefix):          /usr/local/suricata
>   Configuration directory (--sysconfdir):  /usr/local/suricata/etc/suricata/
>   Log directory (--localstatedir) :
>  /usr/local/suricata/var/log/suricata/
> 
>   Host:                                    i686-pc-linux-gnu
>   GCC binary:                              gcc
>   GCC Protect enabled:                     no
>   GCC march native enabled:                yes
>   GCC Profile enabled:                     no
> 
> On Thu, Nov 19, 2015 at 5:23 AM, Andreas Herz <andi at geekosphere.org> wrote:
> 
> > On 18/11/15 at 23:24, Satish Patel wrote:
> > > I am new user and just playing with IDS. I have install suricata-2.0.9
> > > without any PF_RING or any other special flags etc.
> >
> > You did compile it by yourself?
> > Can you post "suricata --build-info"?
> >
> > > I am running it on DL360  G8 with 4GB memory. following command i am
> > using
> > > to run on command line.
> > >
> > > ./suricata -c suricata.yaml -i eth1
> >
> > Please add -vv and post the output, so we can see if any relevant infos
> > are logged.
> >
> > > on top command it is showing 200% CPU usage without any single rules (if
> > i
> > > load all rules it touch 350% CPU). my traffic rate would be 150mbps
> > > around.  ( I am using standard suricata.yaml config file without any
> > > modification )
> >
> > You could use strace to see what happens.
> > Does this happen without traffic, too?
> >
> > --
> > Andreas Herz
> >

-- 
Andreas Herz

More information about the Oisf-users mailing list