Suricata: How many Suricata processes should be seen?
-
I recently started using the suricata package and noticed that after a reboot there are 3 processes running with that name. Every time I reboot, the same result. Is it because the suricata process forks or something, or is this an indication that it did actually launch 3 suricata programs?
2.3.1-RELEASE (i386)
built on Tue May 17 18:46:37 CDT 2016
FreeBSD 10.3-RELEASE-p3
suricata 3.0_7

last pid: 19715;  load averages:  0.26,  0.55,  0.42    up 0+00:10:21  21:43:36
125 processes: 3 running, 105 sleeping, 17 waiting
Mem: 609M Active, 43M Inact, 85M Wired, 52M Buf, 206M Free
Swap: 2048M Total, 2048M Free

  PID USERNAME PRI NICE   SIZE    RES STATE   TIME   WCPU COMMAND
   11 root     155 ki31     0K     8K RUN     4:18 83.59% [idle]
95064 root      24    0   616M   574M uwait   0:22  7.37% /usr/local/bin/suricata -i rl0 -D -c /usr/loc
  275 root      37    0 85480K 29612K piperd  0:07  7.37% php-fpm: pool nginx (php-fpm)
  274 root      52    0 85480K 30284K accept  0:07  0.49% php-fpm: pool nginx (php-fpm)
95064 root      20    0   616M   574M uwait   0:01  0.20% /usr/local/bin/suricata -i rl0 -D -c /usr/loc
95064 root      20    0   616M   574M RUN     3:16  0.00% /usr/local/bin/suricata -i rl0 -D -c /usr/loc
    0 root     -16    -     0K    88K swapin  0:47  0.00% [kernel{swapper}]
  273 root      52    0 85480K 27960K accept  0:06  0.00% php-fpm: pool nginx (php-fpm)
   12 root     -92    -     0K   136K WAIT    0:05  0.00% [intr{irq12: rl0 uhci0}]
   12 root     -92    -     0K   136K WAIT    0:03  0.00% [intr{irq10: rl1}]
17767 root      20    0 10236K  1904K bpf     0:01  0.00% /usr/local/sbin/filterlog -i pflog0 -p /var/r
82504 root      20    0 10152K  1880K select  0:01  0.00% /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/
39040 nobody    20    0 11340K  3820K select  0:01  0.00% [dnsmasq]
    5 root     -16    -     0K     8K pftm    0:01  0.00% [pf purge]
   12 root     -60    -     0K   136K WAIT    0:01  0.00% [intr{swi4: clock}]
46791 root      52   20 10460K  2016K wait    0:00  0.00% /bin/sh /var/db/rrd/updaterrd.sh
    4 root     -16    -     0K    16K -       0:00  0.00% [cam{doneq0}]
   15 root     -16    -     0K     8K -       0:00  0.00% [rand_harvestq]
-
One instance of Suricata per configured interface (meaning interfaces where Suricata is enabled).
Bill
-
Every system that I have Suricata running on (5 right now… 2 clusters and 1 individual system) has a bunch of suricata processes running on it. Not one of them has only one. On each of them I am only running it on the WAN interface. A couple have about 9 of them running.
last pid: 17454;  load averages:  0.24,  0.43,  0.32    up 0+08:37:04  18:10:55
172 processes: 5 running, 140 sleeping, 27 waiting
Mem: 913M Active, 33M Inact, 314M Wired, 260K Cache, 212M Buf, 700M Free
Swap: 4096M Total, 37M Used, 4059M Free

  PID USERNAME PRI NICE   SIZE    RES STATE  C   TIME    WCPU COMMAND
   11 root     155 ki31     0K    64K CPU3   3 476:49 100.00% [idle{idle: cpu3}]
   11 root     155 ki31     0K    64K CPU0   0 496:58  98.68% [idle{idle: cpu0}]
   11 root     155 ki31     0K    64K CPU1   1 487:49  98.49% [idle{idle: cpu1}]
   11 root     155 ki31     0K    64K RUN    2 489:29  97.07% [idle{idle: cpu2}]
11783 root      28    0   262M 22468K piperd 3   0:01   3.27% php-fpm: pool nginx (php-fpm)
97190 root      21    0  1018M   898M uwait  2   0:05   2.10% /usr/local/bin/suricata -i em1 -D -c /usr/
97190 root      20    0  1018M   898M uwait  3   0:01   0.10% /usr/local/bin/suricata -i em1 -D -c /usr/
    0 root     -92    -     0K   256K -      0   5:19   0.00% [kernel{em0 taskq}]
    0 root     -92    -     0K   256K -      2   3:51   0.00% [kernel{em1 taskq}]
97190 root      20    0  1018M   898M nanslp 1   2:52   0.00% /usr/local/bin/suricata -i em1 -D -c /usr/
   12 root     -60    -     0K   432K WAIT   0   2:19   0.00% [intr{swi4: clock}]
   15 root     -16    -     0K    16K -      0   1:04   0.00% [rand_harvestq]
    0 root     -16    -     0K   256K swapin 0   0:44   0.00% [kernel{swapper}]
   12 root     -92    -     0K   432K WAIT   1   0:38   0.00% [intr{irq16: em0 uhci0}]
88952 root      20    0 14508K  1924K select 2   0:28   0.00% /usr/sbin/syslogd -s -c -c -l /var/dhcpd/v
25307 nobody    20    0 30184K  2536K select 2   0:24   0.00% [dnsmasq]
    5 root     -16    -     0K    16K pftm   0   0:19   0.00% [pf purge]
37837 root      52   20 17000K   852K wait   3   0:10   0.00% /bin/sh /var/db/rrd/updaterrd.sh
-
I just realized they all have the same process id, so it must be threads or something. If I do a 'ps aux' from the command prompt, I only see 1. I was viewing it with the GUI using System Activity. I guess it reports threads or something too. I should have looked more closely at the process ids before posting :).
-
Suricata seems to allocate 1.5 detection threads per core. So on my firewall with 4 cores, I get 6 detection threads and a management thread, making 7 for a single LAN interface.
More information in the Threading sections here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
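The two points made above (repeated entries with one PID are threads of a single process, and the thread count follows from the core count and the detection-thread ratio) can be turned into a quick health check. The script below is an added example and is not code from the thread, from pfSense or from the Suricata project. It parses constructed "top -H" style lines modelled on the System Activity output quoted above (the config path in the sample is a placeholder), counts distinct PIDs versus entries, and computes the thread count the last reply's rule predicts; truncating to a whole number of detection threads is this example's own assumption. On a live box you would feed it the output of `top -b -H -a` (or `ps -axH`) instead of the sample.

```shell
#!/bin/sh
# Added example (not from the forum thread, pfSense or Suricata): tell
# Suricata *threads* apart from separate Suricata *processes* in top -H
# style output, and compare with the thread-count rule from the last reply.
# Live use: pipe in `top -b -H -a` or `ps -axH` instead of the samples below.

# Constructed sample modelled on the System Activity output quoted in the
# thread: one PID (97190) listed three times = one process with three threads.
# Columns: PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND
# ("suricata.yaml" stands in for the real config path, which is not a concern here)
SAMPLE_ONE_PROCESS='97190 root 21 0 1018M 898M uwait 2 0:05 2.10% /usr/local/bin/suricata -i em1 -D -c suricata.yaml
11783 root 28 0 262M 22468K piperd 3 0:01 3.27% php-fpm: pool nginx (php-fpm)
97190 root 20 0 1018M 898M uwait 3 0:01 0.10% /usr/local/bin/suricata -i em1 -D -c suricata.yaml
0 root -92 - 0K 256K - 0 5:19 0.00% [kernel{em0 taskq}]
97190 root 20 0 1018M 898M nanslp 1 2:52 0.00% /usr/local/bin/suricata -i em1 -D -c suricata.yaml'

# Constructed sample of what the asker feared: two distinct PIDs on the same
# interface, i.e. two Suricata instances (for example one left over from a
# restart). That situation is worth investigating; the threads case is not.
SAMPLE_TWO_PROCESSES='97190 root 20 0 1018M 898M nanslp 1 2:52 0.00% /usr/local/bin/suricata -i em1 -D -c suricata.yaml
97190 root 20 0 1018M 898M uwait 3 0:01 0.10% /usr/local/bin/suricata -i em1 -D -c suricata.yaml
40211 root 20 0 1010M 890M nanslp 0 0:12 0.00% /usr/local/bin/suricata -i em1 -D -c suricata.yaml'

# Lines whose COMMAND is the suricata binary. Matching on the path means the
# number of columns before COMMAND (with or without the "C" column) is irrelevant.
suricata_lines() {
    printf '%s\n' "$1" | awk '/\/suricata( |$)/'
}

# With top -H (or ps -H) every matching line is one thread.
suricata_thread_count() {
    suricata_lines "$1" | awk 'END { print NR }'
}

# Distinct PIDs in column 1: one PID repeated N times is one process with
# N threads; several PIDs are several processes.
suricata_process_count() {
    suricata_lines "$1" | awk '{ pids[$1] = 1 } END { n = 0; for (p in pids) n++; print n }'
}

# One-word verdict, convenient for a monitoring check.
suricata_verdict() {
    procs=$(suricata_process_count "$1")
    threads=$(suricata_thread_count "$1")
    if [ "$procs" -eq 0 ]; then
        echo "not-running"
    elif [ "$procs" -eq 1 ]; then
        echo "one-process-${threads}-threads"
    else
        echo "${procs}-separate-processes"
    fi
}

# Thread count predicted by the rule in the last reply: ratio * cores
# detection threads plus one management thread. In suricata.yaml the ratio is
# the threading.detect-thread-ratio setting; truncating ratio * cores to a
# whole number is this example's assumption.
expected_thread_count() {  # $1 = cores, $2 = detect-thread ratio
    awk -v c="$1" -v r="$2" 'BEGIN { print int(c * r) + 1 }'
}

echo "sample 1: $(suricata_verdict "$SAMPLE_ONE_PROCESS")"
echo "sample 2: $(suricata_verdict "$SAMPLE_TWO_PROCESSES")"
echo "expected on 4 cores at ratio 1.5: $(expected_thread_count 4 1.5) threads"
```

The distinction the verdict draws is the one that matters operationally: one PID with many entries is the normal multithreaded daemon, while more than one PID for the same interface means a second instance is competing for the same traffic and should be looked at.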