New Install High CPU from Suricata even with practically no traffic
-
I installed a new unit a couple of weeks ago and it seemed fine initially. Now, Suricata is practically pegging the CPU even though nobody is even really using it yet. Here is an output of top -aSH:
CPU: 72.0% user, 0.0% nice, 10.8% system, 10.0% interrupt, 7.2% idle
Mem: 867M Active, 885M Inact, 679M Wired, 392M Buf, 1474M Free
Swap: 4096M Total, 4096M Free

  PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND
74949 root 98 0 342M 222M CPU3 3 1:44 93.42% /usr/local/bin/suricata -i igb2 -D -c /usr/local/etc/suricata/suricata_58265_igb2/suricata.yaml --pidfile /var/run/suricata_igb
96005 root 98 0 633M 574M CPU2 2 1:46 90.95% /usr/local/bin/suricata -i igb1 -D -c /usr/local/etc/suricata/suricata_28922_igb1/suricata.yaml --pidfile /var/run/suricata_igb
74949 root 88 0 342M 222M RUN 1 20:10 56.99% /usr/local/bin/suricata -i igb2 -D -c /usr/local/etc/suricata/suricata_58265_igb2/suricata.yaml --pidfile /var/run/suricata_igb
74949 root 36 0 342M 222M uwait 1 9:43 25.67% /usr/local/bin/suricata -i igb2 -D -c /usr/local/etc/suricata/suricata_58265_igb2/suricata.yaml --pidfile /var/run/suricata_igb
74949 root 31 0 342M 222M uwait 1 7:35 18.45% /usr/local/bin/suricata -i igb2 -D -c /usr/local/etc/suricata/suricata_58265_igb2/suricata.yaml --pidfile /var/run/suricata_igb
74949 root 28 0 342M 222M uwait 3 5:39 14.55% /usr/local/bin/suricata -i igb2 -D -c /usr/local/etc/suricata/suricata_58265_igb2/suricata.yaml --pidfile /var/run/suricata_igb
When this was taken there was only 1 user not even surfing the web. Traffic was in the KBps, very tiny. Blocking is disabled. Any idea what I can start with looking at?
Also, I'm seeing:
12 root -92 - 0K 592K WAIT 0 982:23 18.35% [intr{irq266: igb2:que 0}]
12 root -92 - 0K 592K WAIT 1 28:53 7.74% [intr{irq262: igb1:que 1}]
12 root -92 - 0K 592K WAIT 1 19.5H 5.20% [intr{irq267: igb2:que 1}]
12 root -92 - 0K 592K WAIT 3 45:51 3.50% [intr{irq264: igb1:que 3}]
12 root -92 - 0K 592K CPU2 2 23.8H 2.73% [intr{irq268: igb2:que 2}]
Are those interrupt requests? Are they related?
-
You have multiple Suricata processes on the same interface. I count 5 on igb2. There should usually be only 1. Those multiple processes are chewing up your CPU.
Are you by chance trying to run the Service Watchdog package with Suricata? If so, DON'T! It will cause this issue as it does not understand how Suricata works nor how to properly monitor it.
If you don't have Service Watchdog, then something weird is happening on your box (unless you have a lot of VLANs on igb2). If you do have a lot of VLANs on that interface, I would suggest running on the parent only and not each VLAN.
To kill those errant processes (assuming you don't have multiple Suricata-enabled VLANs on igb2), do this.
- Stop Suricata on whatever interface igb2 is (LAN, WAN or whatever).
- Look for any remaining Suricata processes using this command:
  ps -ax | grep suricata
- If you see any for interface igb2, then kill them with:
  kill -9 <pid>
That should reduce your CPU utilization to almost nothing with no traffic.
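A quick way to automate the "look for remaining Suricata processes" step, as an added example that is not from the thread: this shell function reads ps -ax style output and reports any interface that has more than one distinct Suricata PID, so you can see which processes are extra before killing anything. The SAMPLE lines are constructed; distinct PIDs are counted because top -H lists every thread of one process on its own line.

```shell
#!/bin/sh
# Added example, not from the thread. Reports interfaces with more than one
# distinct Suricata process, reading ps -ax style output on stdin.
# Live use:  ps -ax | suricata_dupes
# Output:    "<iface> <pid> <pid> ..." for every interface with >1 PID.

suricata_dupes() {
    awk '
        # Only real suricata command lines ("grep suricata" has no "/suricata ").
        index($0, "/suricata ") > 0 {
            iface = ""
            # Locate "-i <iface>" in the command line; $1 is the PID.
            for (i = 2; i < NF; i++) {
                if ($i == "-i") { iface = $(i + 1); break }
            }
            if (iface == "") next
            key = iface SUBSEP $1
            # Count each PID once per interface (threads share a PID).
            if (!(key in seen)) {
                seen[key] = 1
                count[iface]++
                pids[iface] = pids[iface] " " $1
            }
        }
        END {
            for (ifc in count)
                if (count[ifc] > 1) printf "%s%s\n", ifc, pids[ifc]
        }
    '
}

# Constructed sample: two distinct PIDs on igb2, one on igb1, plus the grep itself.
SAMPLE='  PID TT  STAT    TIME COMMAND
74949  -  Ss   20:10.12 /usr/local/bin/suricata -i igb2 -D -c /path/to/igb2/suricata.yaml
96005  -  Ss    1:46.00 /usr/local/bin/suricata -i igb1 -D -c /path/to/igb1/suricata.yaml
81234  -  Ss    0:03.00 /usr/local/bin/suricata -i igb2 -D -c /path/to/igb2/suricata.yaml
 5551  0  S+    0:00.00 grep suricata'

# Demonstration against the constructed sample (prints "igb2 74949 81234").
printf '%s\n' "$SAMPLE" | suricata_dupes
```

Feed it real `ps -ax` output on a box where Suricata has just been stopped on the interface; anything it still lists is a leftover process.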
-