Bug #3782

closed

Once Suricata enters emergency mode it does not recover properly

Added by Peter Manev over 4 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using

Suricata version 6.0.0-dev (639f3d265 2020-06-16)

AFPv3, cluster_flow or cluster_qm

In two separate cases (trex and pcap replay) I can reproduce the following:

Once emergency mode is entered, even after "recovery" it seems Suricata never really recovers to a stable state.
I can observe also that after entering the emergency mode there is a lot of CPU usage spent in mutex/pthreads lock functions (using perf top) - and that usage never recovers to normal operation.

Just like on the attached screenshot, before entering emergency mode, the top 3 functions by CPU usage are FM/ and the pthread/mutex lock ones. After entering emergency mode, they switch and the mutex/lock functions take over the CPU usage completely.

This is an extreme case with Trex testing on 40G setup where any and all flows are "proper" and last 1-2 seconds but those include file transfers and similar nonetheless. Also the "active flows" are never over 1mil.

Sharing the runs and pcaps in a separate communication.


Files

98_FM.png (179 KB) 98_FM.png Peter Manev, 06/26/2020 07:56 AM
Actions #1

Updated by Victor Julien about 4 years ago

  • Status changed from New to Closed
  • Assignee set to Victor Julien
  • Target version set to 6.0.0beta1

I believe this issue is fixed by the flow engine changes.
