[Oisf-users] High CPU usage without any rules
Satish Patel
satish.txt at gmail.com
Fri Nov 20 13:33:30 UTC 2015
Just checking, did you get my last email?
--
Sent from my iPhone
> On Nov 19, 2015, at 10:10 AM, Andreas Herz <andi at geekosphere.org> wrote:
>
> Can you provide the verbose output from suricata?
> Just add -vv to your run command.
>
> Please keep the mailing list in CC :)
>
>> On 19/11/15 at 10:03, Satish Patel wrote:
>> Thanks for the reply, here are the answers to your questions:
>>
>> 1. Without traffic, CPU usage is 1 to 2%, so it's very low.
>> 2. I have checked the traffic on the TAP interface and it's around 150 Mbps,
>> all UDP/RTP. (Do you think this traffic is high?)
>> 3. OS type: CentOS 6 (32bit) Linux
>> 4. Following is the build-info output:
>>
>> [root at sniffer bin]# /usr/local/suricata/bin/suricata --build-info
>> This is Suricata version 2.0.9 RELEASE
>> Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET
>> HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
>> SIMD support: SSE_4_1 SSE_3
>> Atomic intrisics: 1 2 4 8 byte(s)
>> 32-bits, Little-endian architecture
>> GCC version 4.4.7 20120313 (Red Hat 4.4.7-16), C version 199901
>> L1 cache line size (CLS)=64
>> compiled with LibHTP v0.5.18, linked against LibHTP v0.5.18
>> Suricata Configuration:
>> AF_PACKET support: yes
>> PF_RING support: no
>> NFQueue support: no
>> NFLOG support: no
>> IPFW support: no
>> DAG enabled: no
>> Napatech enabled: no
>> Unix socket enabled: no
>> Detection enabled: yes
>>
>> libnss support: no
>> libnspr support: no
>> libjansson support: no
>> Prelude support: no
>> PCRE jit: no
>> LUA support: no
>> libluajit: no
>> libgeoip: no
>> Non-bundled htp: no
>> Old barnyard2 support: no
>> CUDA enabled: no
>>
>> Suricatasc install: yes
>>
>> Unit tests enabled: no
>> Debug output enabled: no
>> Debug validation enabled: no
>> Profiling enabled: no
>> Profiling locks enabled: no
>> Coccinelle / spatch: no
>>
>> Generic build parameters:
>> Installation prefix (--prefix): /usr/local/suricata
>> Configuration directory (--sysconfdir): /usr/local/suricata/etc/suricata/
>> Log directory (--localstatedir) :
>> /usr/local/suricata/var/log/suricata/
>>
>> Host: i686-pc-linux-gnu
>> GCC binary: gcc
>> GCC Protect enabled: no
>> GCC march native enabled: yes
>> GCC Profile enabled: no
>>
>>> On Thu, Nov 19, 2015 at 5:23 AM, Andreas Herz <andi at geekosphere.org> wrote:
>>>
>>>> On 18/11/15 at 23:24, Satish Patel wrote:
>>>> I am a new user and just playing with IDS. I have installed suricata-2.0.9
>>>> without PF_RING or any other special flags, etc.
>>>
>>> Did you compile it yourself?
>>> Can you post "suricata --build-info"?
>>>
>>>> I am running it on a DL360 G8 with 4GB memory. I am using the following
>>>> command to run it on the command line.
>>>>
>>>> ./suricata -c suricata.yaml -i eth1
>>>
>>> Please add -vv and post the output, so we can see if any relevant info
>>> is logged.
>>>
>>>> In the top command it is showing 200% CPU usage without a single rule (if
>>>> I load all rules it touches 350% CPU). My traffic rate would be around
>>>> 150 Mbps. (I am using the standard suricata.yaml config file without any
>>>> modification.)
>>>
>>> You could use strace to see what happens.
>>> Does this happen without traffic, too?
>>>
>>> --
>>> Andreas Herz
>
> --
> Andreas Herz