Suricata 6.0.8 upgrade will probably fix high(er) cpu load during no or low traffic #6065

Closed
2 tasks done
mjanssens opened this issue Oct 4, 2022 · 4 comments
Labels
upstream Third party issue

Comments

@mjanssens

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Describe the bug
This is more of a heads up, not a bug. But it seemed important enough to mention to the devs and to track it here too.
More info is in this OPNsense forum thread:
21.7.3_1 - higher system load after upgrade caused by Suricata

Summary:
Since OPNsense 21.7.3, several users have experienced significantly higher CPU load while intrusion detection was enabled.
This was the first version released with Suricata 6.x (6.0.3).
Suricata 6.x switched from pthread to usleep for flowmanager in release 6.x.

In the most recent Suricata release, 6.0.8, the devs reverted back to usleep, see [5].

The higher load is noticeable during idling, with no traffic, possibly caused by high context switching. How much the load increases will depend on the kind of hardware and can vary. On virtualized instances of OPNsense and suricata possibly there is an extra increase of the load.

I did several tests with vanilla Suricata installs in Proxmox with an Ubuntu and a FreeBSD VM.
Test results are added in the above-linked Suricata bug [5], and they confirmed on my hardware that the load during idle went back to the levels of Suricata release 5.x.

The IPFire devs are testing 6.0.8 too and see similar results. See [2].

[1] https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
[2] https://bugzilla.ipfire.org/show_bug.cgi?id=12548
[3] https://redmine.openinfosecfoundation.org/issues/4096
[4] https://redmine.openinfosecfoundation.org/issues/4379
[5] https://redmine.openinfosecfoundation.org/issues/4421

@fichtner fichtner added the support Community support label Oct 4, 2022
@fichtner
Member

fichtner commented Oct 4, 2022

Thanks for the report although this can already be closed... added to FreeBSD ports and will be in 22.7.5 today.

Cheers,
Franco

@mjanssens
Author

Thanks and no problem, I will keep my eye on the responses for 22.7.5 in the forum and of course my own system.

@mjanssens mjanssens changed the title Suricata 6.0.8 upgrade will probaly fix high(er) cpu load during no or low traffic Suricata 6.0.8 upgrade will probably fix high(er) cpu load during no or low traffic Oct 4, 2022
@mjanssens
Author

And to confirm it closed: I upgraded to 22.7.5, and idle load is at the levels seen when running Suricata 5 and before OPNsense 21.7.3. Nice!

@fichtner fichtner added upstream Third party issue and removed support Community support labels Oct 7, 2022
@fichtner
Member

fichtner commented Oct 7, 2022

@mjanssens thanks for reporting back and happy to hear this improved things. Changing label to "upstream" because that fits better.

Also refs: https://forum.opnsense.org/index.php?topic=30585.0
