[Oisf-users] High CPU usage without any rules

Peter Manev petermanev at gmail.com
Sat Nov 21 13:08:05 UTC 2015


On Fri, Nov 20, 2015 at 7:00 PM, Satish Patel <satish.txt at gmail.com> wrote:
>
>
> On Fri, Nov 20, 2015 at 8:39 AM, Andreas Herz <andi at geekosphere.org> wrote:
>>
>> On 19/11/15 at 10:51, Satish Patel wrote:
>> > 19/11/2015 -- 10:50:10 - <Info> - 1 rule files processed. 1 rules
>> > successfully loaded, 0 rules failed
>>
>> What rule are you using? Is the load issue the same even without this
>> rule?
>
>
>
> As an experiment, I have removed all rules from the .yaml file and load is
> around 200%; with all rules, load will be 350%.
>

Can you share a screenshot of htop/top ?

> If I test with zero traffic, load is around 1 or 2%. Do you think 100mbps
> load is high?
>

Why don't you try afpacket with 8 threads and with runmode workers - any diff?

>>
>>
>> > 19/11/2015 -- 10:50:10 - <Warning> - [ERRCODE:
>> > SC_ERR_NOT_SUPPORTED(225)] -
>> > Eve-log support not compiled in. Reconfigure/recompile with libjansson
>> > and
>> > its development files installed to add eve-log support.
>>
>> You might wanna exclude eve log from the config, but shouldn't be an
>> issue with the load
>>
>> > 19/11/2015 -- 10:50:10 - <Info> - Large Receive Offload is unset on eth1
>> > 19/11/2015 -- 10:50:10 - <Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)] -
>> > Using Pcap capture with GRO or LRO activated can lead to capture
>> > problems.
>>
>> Regarding this issue, read:
>>
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
>>
>> Section NIC Offloading
>
>
> Do you think this is related to PF_RING?
>
>>
>>
>> --
>> Andreas Herz
>
>
>



-- 
Regards,
Peter Manev


