[Oisf-users] High CPU usage without any rules

Satish Patel satish.txt at gmail.com
Fri Nov 20 18:00:54 UTC 2015


On Fri, Nov 20, 2015 at 8:39 AM, Andreas Herz <andi at geekosphere.org> wrote:

> On 19/11/15 at 10:51, Satish Patel wrote:
> > 19/11/2015 -- 10:50:10 - <Info> - 1 rule files processed. 1 rules
> > successfully loaded, 0 rules failed
>
> What rule are you using? Is the load issue the same even without this
> rule?
>


As an experiment, I have removed all rules from the .yaml file and the load is
around 200%; with all rules the load will be 350%.

If I test with zero traffic, the load is around 1 or 2%. Do you think 100mbps
load is high?


>
> > 19/11/2015 -- 10:50:10 - <Warning> - [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] -
> > Eve-log support not compiled in. Reconfigure/recompile with libjansson and
> > its development files installed to add eve-log support.
>
> You might wanna exclude eve log from the config, but shouldn't be an
> issue with the load

> > 19/11/2015 -- 10:50:10 - <Info> - Large Receive Offload is unset on eth1
> > 19/11/2015 -- 10:50:10 - <Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)] -
> > Using Pcap capture with GRO or LRO activated can lead to capture problems.
>
> Regarding this issue, read:
>
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
>
> Section NIC Offloading
>

Do you think this is related to PF_RING?


>
> --
> Andreas Herz
>