21.7.3_1 - higher system load after upgrade caused by Suricata

[carstenp]

After upgrading and rebooting I see my OPNsense virtual install under Proxmox with a higher system load. It's now consistently above 1.0; before the upgrade it was usually around 0.6-ish. IIRC, a load of 1.something isn't crazy high for a 4 core system?

I also notice Suricata (WAN) uses around 17%-20% sustained CPU load. The box has now been running for several hours, and CPU usage has not gone down.

I run Sensei on LAN and the enterprise version of ntopng.

Anyone else seeing higher CPU/system load caused by Suricata? Any chance a future upgrade will lower it again?

Edit: Attached screenshot for OPNsense load before and after upgrade...

[franco]

Might be because of new decoders in major version features? Haven't checked, but likely is an interaction of some sort with activated rules.


Cheers,
Franco

[Olli]

Have the same issue. full ram load and one cpu hight load.
After reboot it was a little better, but i found in the processes:
61047 root         85    0    28M    19M CPU0     0   0:06  98.33% /usr/local/bin/python3 /usr/local/opnsense/scripts/netflow/flowd_aggregate.py (python3.

After deactivate
Reporting -> Netflow -> Capture local
it runs normal without high load. Maybe some incompatibility with the new python 3.8?

[yeraycito]

Opnsense 21.7.3.1  ( Fresh install 21.7 ):

 - Suricata 6 ( wan ), ET Telemetry, all rules active

 - No Sensei

 - No Ntopng

Everything works well.

[rungekutta]

Same thing here. Everything else equal (same rules etc), Suricata went from 10-20% to typically 20-40% CPU. That's on an 8 core Ryzen, so plenty of room left, but the difference is clear pre and post 21.7.3 upgrade.

I've got gigabit WAN and still max it out with IPS enabled, Suricata then uses 300-350% CPU, i.e. the equivalent of pegging 3-4 cores.

[vecchiostupido]

Same problem here, after update Suricata is now up into 80 to 90% of CPU usage, my CPU was hovering for the past 6 months, over multiple updates, around 20 to 30% and now it is averaging around 70 to 80%, with peaks over 90%.
 

[skookum]

I'm also experiencing this issue on a test VM and it's why I haven't upgraded my actual router. Under a Proxmox VM, CPU use is at 60-70% for a 2-core VM consistently even after several hours. As soon as I disable Suricata, it's down to 10%.

[lenny]

same here

[Ypsilon]

Same issue here after upgrading to 21.7.3, so I'm back on 21.7.2

Some searching gave this:

On suricata forum [1]
Also on Ipfire bugtracker [2]
And on suricata bugtracker [3] and [4] and [5]

Seems that the load increase is most noticeable on KVM, also on other type virtual machines, less increase on bare metal install, but there also an increase.

And if this is the same issue, it's not an OPNsense issue but a suricata one.
One of the last posts on [3]  was made by one of the core devs from ipfire offering help, creating [4] for tracking in the suricata 7.x branch as it appears.
But reading [5] still not solved in suricata 6.0.5, possible backport?

[1] https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
[2] https://bugzilla.ipfire.org/show_bug.cgi?id=12548
[3] https://redmine.openinfosecfoundation.org/issues/4096
[4] https://redmine.openinfosecfoundation.org/issues/4379
[5] https://redmine.openinfosecfoundation.org/issues/4421

[HamiltonWDS]

I concur with the increase in CPU utilization, system loading and unstable packet performance with the latest update.
Using a virtual platform (Xenserver) with pass through network interfaces and clean install. Disabling Suricata and Netflow seems to help, but the WAN gateway is unstable (packet losses). Bandwidth also seems to be impacted as well.