[Oisf-users] High CPU usage without any rules
Satish Patel
satish.txt at gmail.com
Thu Nov 19 15:51:37 UTC 2015
[root at sniffer bin]# ./suricata -c suricata.yaml -i eth1 -vv
19/11/2015 -- 10:50:10 - <Notice> - This is Suricata version 2.0.9 RELEASE
19/11/2015 -- 10:50:10 - <Info> - CPUs/cores online: 8
19/11/2015 -- 10:50:10 - <Info> - 'default' server has
'request-body-minimal-inspect-size' set to 33882 and
'request-body-inspect-window' set to 4053 after randomization.
19/11/2015 -- 10:50:10 - <Info> - 'default' server has
'response-body-minimal-inspect-size' set to 33695 and
'response-body-inspect-window' set to 4218 after randomization.
19/11/2015 -- 10:50:10 - <Info> - DNS request flood protection level: 500
19/11/2015 -- 10:50:10 - <Info> - DNS per flow memcap (state-memcap): 524288
19/11/2015 -- 10:50:10 - <Info> - DNS global memcap: 16777216
19/11/2015 -- 10:50:10 - <Info> - Found an MTU of 1500 for 'eth1'
19/11/2015 -- 10:50:10 - <Info> - allocated 2097152 bytes of memory for the
defrag hash... 65536 buckets of size 32
19/11/2015 -- 10:50:10 - <Info> - preallocated 65535 defrag trackers of
size 116
19/11/2015 -- 10:50:10 - <Info> - defrag memory usage: 9699212 bytes,
maximum: 33554432
19/11/2015 -- 10:50:10 - <Info> - AutoFP mode using default "Active
Packets" flow load balancer
19/11/2015 -- 10:50:10 - <Info> - preallocated 1024 packets. Total memory
2789376
19/11/2015 -- 10:50:10 - <Info> - allocated 262144 bytes of memory for the
host hash... 4096 buckets of size 64
19/11/2015 -- 10:50:10 - <Info> - preallocated 1000 hosts of size 72
19/11/2015 -- 10:50:10 - <Info> - host memory usage: 342144 bytes, maximum:
16777216
19/11/2015 -- 10:50:10 - <Info> - allocated 4194304 bytes of memory for the
flow hash... 65536 buckets of size 64
19/11/2015 -- 10:50:10 - <Info> - preallocated 10000 flows of size 188
19/11/2015 -- 10:50:10 - <Info> - flow memory usage: 6114304 bytes,
maximum: 67108864
19/11/2015 -- 10:50:10 - <Info> - stream "prealloc-sessions": 2048 (per
thread)
19/11/2015 -- 10:50:10 - <Info> - stream "memcap": 33554432
19/11/2015 -- 10:50:10 - <Info> - stream "midstream" session pickups:
disabled
19/11/2015 -- 10:50:10 - <Info> - stream "async-oneside": disabled
19/11/2015 -- 10:50:10 - <Info> - stream "checksum-validation": enabled
19/11/2015 -- 10:50:10 - <Info> - stream."inline": disabled
19/11/2015 -- 10:50:10 - <Info> - stream "max-synack-queued": 5
19/11/2015 -- 10:50:10 - <Info> - stream.reassembly "memcap": 134217728
19/11/2015 -- 10:50:10 - <Info> - stream.reassembly "depth": 1048576
19/11/2015 -- 10:50:10 - <Info> - stream.reassembly "toserver-chunk-size":
2518
19/11/2015 -- 10:50:10 - <Info> - stream.reassembly "toclient-chunk-size":
2584
19/11/2015 -- 10:50:10 - <Info> - stream.reassembly.raw: enabled
19/11/2015 -- 10:50:10 - <Info> - segment pool: pktsize 4, prealloc 256
19/11/2015 -- 10:50:10 - <Info> - segment pool: pktsize 16, prealloc 512
19/11/2015 -- 10:50:10 - <Info> - segment pool: pktsize 112, prealloc 512
19/11/2015 -- 10:50:10 - <Info> - segment pool: pktsize 248, prealloc 512
19/11/2015 -- 10:50:10 - <Info> - segment pool: pktsize 512, prealloc 512
19/11/2015 -- 10:50:10 - <Info> - segment pool: pktsize 768, prealloc 1024
19/11/2015 -- 10:50:10 - <Info> - segment pool: pktsize 1448, prealloc 1024
19/11/2015 -- 10:50:10 - <Info> - segment pool: pktsize 65535, prealloc 128
19/11/2015 -- 10:50:10 - <Info> - stream.reassembly "chunk-prealloc": 250
19/11/2015 -- 10:50:10 - <Info> - IP reputation disabled
19/11/2015 -- 10:50:10 - <Info> - using magic-file /usr/share/file/magic
19/11/2015 -- 10:50:10 - <Info> - Delayed detect disabled
19/11/2015 -- 10:50:10 - <Info> - 1 rule files processed. 1 rules
successfully loaded, 0 rules failed
19/11/2015 -- 10:50:10 - <Info> - 1 signatures processed. 1 are IP-only
rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are
decoder event only
19/11/2015 -- 10:50:10 - <Info> - building signature grouping structure,
stage 1: preprocessing rules... complete
19/11/2015 -- 10:50:10 - <Info> - building signature grouping structure,
stage 2: building source address list... complete
19/11/2015 -- 10:50:10 - <Info> - building signature grouping structure,
stage 3: building destination address lists... complete
19/11/2015 -- 10:50:10 - <Info> - Threshold config parsed: 0 rule(s) found
19/11/2015 -- 10:50:10 - <Info> - Core dump size set to unlimited.
19/11/2015 -- 10:50:10 - <Info> - fast output device (regular) initialized:
fast.log
19/11/2015 -- 10:50:10 - <Warning> - [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] -
Eve-log support not compiled in. Reconfigure/recompile with libjansson and
its development files installed to add eve-log support.
19/11/2015 -- 10:50:10 - <Info> - Unified2-alert initialized: filename
unified2.alert, limit 32 MB
19/11/2015 -- 10:50:10 - <Info> - http-log output device (regular)
initialized: http.log
19/11/2015 -- 10:50:10 - <Info> - Using 1 live device(s).
19/11/2015 -- 10:50:10 - <Info> - using interface eth1
19/11/2015 -- 10:50:10 - <Info> - Running in 'auto' checksum mode.
Detection of interface state will require 1000 packets.
19/11/2015 -- 10:50:10 - <Info> - Found an MTU of 1500 for 'eth1'
19/11/2015 -- 10:50:10 - <Info> - Set snaplen to 1516 for 'eth1'
19/11/2015 -- 10:50:10 - <Info> - Generic Receive Offload is set on eth1
19/11/2015 -- 10:50:10 - <Info> - Large Receive Offload is unset on eth1
19/11/2015 -- 10:50:10 - <Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)] -
Using Pcap capture with GRO or LRO activated can lead to capture problems.
19/11/2015 -- 10:50:10 - <Info> - RunModeIdsPcapAutoFp initialised
19/11/2015 -- 10:50:10 - <Notice> - all 13 packet processing threads, 3
management threads initialized, engine started.
19/11/2015 -- 10:50:10 - <Info> - No packets with invalid checksum,
assuming checksum offloading is NOT used
On Thu, Nov 19, 2015 at 10:10 AM, Andreas Herz <andi at geekosphere.org> wrote:
> Can you provide the verbose output from suricata?
> Just add -vv to your runcommand.
>
> Please keep the Mailinglist in CC :)
>
> On 19/11/15 at 10:03, Satish Patel wrote:
> > Thanks for reply, here is the answer of your question:
> >
> > 1. Without traffic CPU usage is 1 to 2%, so it's very low.
> > 2. I have checked the traffic on the TAP interface and it's around 150mbps,
> >    all UDP/RTP. (Do you think this traffic is high?)
> > 4. OS type: CentOS 6 (32bit) Linux
> > 3. Following is the build-info output:
> >
> > [root at sniffer bin]# /usr/local/suricata/bin/suricata --build-info
> > This is Suricata version 2.0.9 RELEASE
> > Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET
> > HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
> > SIMD support: SSE_4_1 SSE_3
> > Atomic intrisics: 1 2 4 8 byte(s)
> > 32-bits, Little-endian architecture
> > GCC version 4.4.7 20120313 (Red Hat 4.4.7-16), C version 199901
> > L1 cache line size (CLS)=64
> > compiled with LibHTP v0.5.18, linked against LibHTP v0.5.18
> > Suricata Configuration:
> > AF_PACKET support: yes
> > PF_RING support: no
> > NFQueue support: no
> > NFLOG support: no
> > IPFW support: no
> > DAG enabled: no
> > Napatech enabled: no
> > Unix socket enabled: no
> > Detection enabled: yes
> >
> > libnss support: no
> > libnspr support: no
> > libjansson support: no
> > Prelude support: no
> > PCRE jit: no
> > LUA support: no
> > libluajit: no
> > libgeoip: no
> > Non-bundled htp: no
> > Old barnyard2 support: no
> > CUDA enabled: no
> >
> > Suricatasc install: yes
> >
> > Unit tests enabled: no
> > Debug output enabled: no
> > Debug validation enabled: no
> > Profiling enabled: no
> > Profiling locks enabled: no
> > Coccinelle / spatch: no
> >
> > Generic build parameters:
> > Installation prefix (--prefix): /usr/local/suricata
> > Configuration directory (--sysconfdir):
> > /usr/local/suricata/etc/suricata/
> > Log directory (--localstatedir) :
> > /usr/local/suricata/var/log/suricata/
> >
> > Host: i686-pc-linux-gnu
> > GCC binary: gcc
> > GCC Protect enabled: no
> > GCC march native enabled: yes
> > GCC Profile enabled: no
> >
> > On Thu, Nov 19, 2015 at 5:23 AM, Andreas Herz <andi at geekosphere.org> wrote:
> >
> > > On 18/11/15 at 23:24, Satish Patel wrote:
> > > > I am a new user and just playing with IDS. I have installed suricata-2.0.9
> > > > without any PF_RING or any other special flags etc.
> > >
> > > You did compile it by yourself?
> > > Can you post "suricata --build-info"?
> > >
> > > > I am running it on a DL360 G8 with 4GB memory. The following command I am
> > > > using to run it on the command line:
> > > >
> > > > ./suricata -c suricata.yaml -i eth1
> > >
> > > Please add -vv and post the output, so we can see if any relevant info
> > > is logged.
> > >
> > > > In the top command it is showing 200% CPU usage without a single rule (if
> > > > I load all rules it touches 350% CPU). My traffic rate would be around
> > > > 150mbps. (I am using the standard suricata.yaml config file without any
> > > > modification.)
> > >
> > > You could use strace to see what happens.
> > > Does this happen without traffic, too?
> > >
> > > --
> > > Andreas Herz
> > >
>
> --
> Andreas Herz
>
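As an added example (not code from this thread or from the Suricata project), the following Python parses a few of the -vv startup lines posted above and applies the capture-path checks that bear on CPU cost in a rule-less run: libpcap capture versus AF_PACKET, GRO/LRO left on for the sniffing interface (the SC_ERR_PCAP_CREATE warning), and packet threads versus cores. The sample log text is constructed from the lines above; the finding wording and the `ethtool -K` remediation are mine, not the thread's.

```python
import re
# Constructed sample input: a handful of the startup lines posted above (Suricata 2.0.9, -vv).
SAMPLE_LOG = """\
19/11/2015 -- 10:50:10 - <Info> - CPUs/cores online: 8
19/11/2015 -- 10:50:10 - <Info> - Generic Receive Offload is set on eth1
19/11/2015 -- 10:50:10 - <Info> - Large Receive Offload is unset on eth1
19/11/2015 -- 10:50:10 - <Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using Pcap capture with GRO or LRO activated can lead to capture problems.
19/11/2015 -- 10:50:10 - <Info> - RunModeIdsPcapAutoFp initialised
19/11/2015 -- 10:50:10 - <Notice> - all 13 packet processing threads, 3 management threads initialized, engine started.
"""

# "<date> -- <time> - <Level> - <message>" is the line shape Suricata 2.x logs use.
LINE_RE = re.compile(r"^\S+ -- \S+ - <(?P<level>\w+)> - (?P<msg>.*)$")

def parse_startup_log(text):
    """Extract the facts relevant to capture-path CPU cost from a -vv startup log."""
    facts = {"warnings": [], "offload_on": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation lines from a mail client are skipped
        level, msg = m.group("level"), m.group("msg")
        if level == "Warning":
            code = re.search(r"ERRCODE: (\w+)\(\d+\)", msg)
            facts["warnings"].append(code.group(1) if code else msg)
        cores = re.match(r"CPUs/cores online: (\d+)", msg)
        runmode = re.match(r"RunMode(\w+) initialised", msg)
        offload = re.match(r"(\w+ Receive Offload) is set on \S+", msg)
        threads = re.match(r"all (\d+) packet processing threads", msg)
        if cores:
            facts["cores"] = int(cores.group(1))
        elif runmode:
            facts["runmode"] = runmode.group(1)
        elif offload:
            facts["offload_on"].append(offload.group(1))
        elif threads:
            facts["pkt_threads"] = int(threads.group(1))
    return facts

def triage(facts):
    """Turn the parsed facts into the checks a reviewer of this thread would raise."""
    findings = []
    if facts.get("runmode", "").startswith("IdsPcap"):
        findings.append("libpcap capture in use; AF_PACKET (--af-packet) costs less per packet if the build supports it")
        if facts["offload_on"]:
            findings.append("GRO/LRO enabled with pcap capture: run 'ethtool -K <iface> gro off lro off' on the sniffing NIC")
    if facts.get("pkt_threads", 0) > facts.get("cores", 0):
        findings.append("more packet threads than cores: review threading.detect-thread-ratio in suricata.yaml")
    return findings
```

Run against the sample it reports all three findings; against an AF_PACKET run with offloads off and threads matched to cores it reports none.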