Barnyard2 100% CPU

melvinlusk

In case anyone is interested, Suricata is available with pfSense release 2.2.6.  Barnyard2 doesn't have the 100% CPU problem when used with Suricata instead of Snort.

Azgarech

I still do have the error with suricata and the new version of Pfsense

melvinlusk

Interesting…..so you're using Suricata and Barnyard and seeing 100% Barnyard usage?

You don't have both Surcata and Snort enabled do you?

Azgarech

@melvinlusk:

Interesting…..so you're using Suricata and Barnyard and seeing 100% Barnyard usage?

You don't have both Surcata and Snort enabled do you?

Unfortunetly I have only Suricata and Barnyard2 on. nothing as snort in process.

I am going to try to restart during the week see if it's changing anything.

melvinlusk

I know this is an old thread, but I was having some unrelated issues with Suricata and decided to switch to the latest version of Snort (3.2.9.6_1 on pfSense 2.4.3) and it appears to no longer have the 100% CPU issue.

bmeeks

@melvinlusk:

I know this is an old thread, but I was having some unrelated issues with Suricata and decided to switch to the latest version of Snort (3.2.9.6_1 on pfSense 2.4.3) and it appears to no longer have the 100% CPU issue.

I bet it will come back (the 100% CPU utilization issue).  It's a problem within the Barnyard2 code, and that code has not been updated on FreeBSD for several years.

Bill

melvinlusk

We'll have to wait and see.  I'll keep an eye on it.

melvinlusk

It's been at least a week and I haven't seen the issue reoccur.

One thing to note is that I started with a fresh database.  I didn't see any trouble SQL when looking at this originally, but I'm wondering if there was "bad" data in my DB which was causing Barnyard2 to chew through information that it couldn't necessarily handle.

I'll try to keep everyone posted as I build up more data from Snort….it's been a fun challenge.  :D

bmeeks

@melvinlusk:

It's been at least a week and I haven't seen the issue reoccur.

One thing to note is that I started with a fresh database.  I didn't see any trouble SQL when looking at this originally, but I'm wondering if there was "bad" data in my DB which was causing Barnyard2 to chew through information that it couldn't necessarily handle.

I'll try to keep everyone posted as I build up more data from Snort….it's been a fun challenge.  :D

What I determined in my research is that as data accumlates Barnyard2 starts to have issues with its SQL statements.  Another thing that would pop up would be primary key violation errors if the order of REFERENCES in a rule changed or if a new REFERENCE was added.  So both problems are related to how Barnyard2 interracts with MySQL.

Bill

melvinlusk

I may have stumbled across a root cause.

I enabled the Snort VRT rules, and as soon as I did CPU usage shot up through the roof and stayed there.  Disabling VRT and restarting Snort corrected it.

I can't remember if the VRT rules are available in Suricata.  If they aren't, that may explain why I wasn't seeing the problem with Barnyard when using that instead of Snort.

What's different about VRT? Is there something with that ruleset that could cause this?

I'll keep an eye on things and let you guys know how things progress.

And as always, thanks bmeeks for your contributions  :D