[Oisf-users] random suricata 3.0 reload issues

Charles Dillard charlesdillard at hotmail.com
Tue Dec 18 20:47:59 UTC 2018

Hello, could use your opinion on suricata issue

Running suricata 3.0 on Centos 7.4  (3.10.0-862.14.4.el7.x86_64) Dell PowerEdge 720s, 730s

Automation pushes rules to 400+ servers where a script places them in a directory for suricata to see, then reloads the rules with this:

kill -SIGUSR2 $(pid)  ( https://media.readthedocs.org/pdf/suricata/suricata-3.2.2/suricata.pdf   says "kill -USR2 pid" -- don't have USR2 on our systems!)

On most servers this reload works fine. On about 5-10 percent, reload occurs -- because it's logged -- but can see the rules did not reload. This can be seen in a file we write output to.

On servers with this issue, load is very low (logging top every minute) and vulnerabilities logged in output file is low and is not changing. No smoking gun in logs.

Thread counts vary across the grid: 6, 7, 13, 15. Lua is lua-5.1.4-15.el7.x86_64  pfring is pfring-6.4.1-4_ESG.x86_64

This reload sluggishness is generally random. The rules generally reload after several hours, but a check is performed every 10 minutes, so rules should be updating more quickly.

I call this problem "random"

Was wondering if anyone had seen this.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20181218/9a2056aa/attachment.html>

More information about the Oisf-users mailing list