100% CPU on all cores [solved]

Dear,

Despite setting `threads: 3` and applying other performance optimisations derived from https://suricata.readthedocs.io/en/suricata-5.0.4/performance/index.html

The Suricata threads consume 100% CPU across all cores for a modest 120 Mbps spread across 8 interfaces, of which 90 Mbps is on a single interface.

Using `runmode: workers` with `cluster-type: cluster_flow`.

`encryption-handling` was set to `bypass`.

Below is the Suricata config I came up with, which does appear to provide good performance on a system with 32 GB RAM. Note that this was tuned for performance, not for accuracy or effective detection.

%YAML 1.1
---



# Address and port variables referenced by the rule set. Only the RFC 1918
# ranges count as home; the sensor treats everything else as outside.
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    # NOTE(review): $EXTERNAL_NET is not defined anywhere in this section.
    # Unless the included override file at the end supplies it, this variable
    # and every rule referencing $EXTERNAL_NET fail to resolve at rule load —
    # confirm in the startup log.
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  port-groups:
    # Only port 80 is HTTP for $HTTP_PORTS-scoped rules; HTTP on other ports
    # still relies on app-layer protocol detection to be parsed at all.
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    # Used by the vxlan decoder enabled further down.
    VXLAN_PORTS: 4789

# Every relative log filename in this file resolves under this directory.
default-log-dir: /var/log/suricata/

# Engine counters every 8 seconds; they feed stats.log and the eve `stats`
# record enabled under outputs.
stats:
  enabled: yes
  interval: 8

# Alert and event sinks. Only stanzas with an explicit `enabled: yes` are
# active; the rest are kept from the upstream template for reference.
outputs:
  # Legacy one-line text alert log; duplicates the eve alert record.
  - fast:
      enabled: yes
      filename: fast.log
      append: yes

  # Primary structured feed: one JSON object per line.
  - eve-log:
      enabled: yes
      filename: eve.json

      pcap-file: false

      # Off. Enabling adds a flow hash that lets these records be joined with
      # other sensors (e.g. Zeek) that see the same traffic.
      community-id: false
      community-id-seed: 0

      # X-Forwarded-For handling; only meaningful when the sensor sits behind
      # a reverse proxy that would otherwise hide the real client address.
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For

      types:
        - alert:
            # Also log packets marked by a matching rule's `tag` keyword.
            tagged-packets: yes
        - anomaly:
            enabled: yes
            # Empty map: no sub-type (decode/stream/applayer) is selected, so
            # the engine defaults apply — NOTE(review): upstream documents that
            # only application-layer anomalies are reported in that case;
            # confirm for this version.
            types:
        # Protocol transaction logs. A bare `name:` (null) and a bare `name`
        # both use the engine defaults for that record type.
        - http:
        - dns:
        - tls:
        - files:
        - smtp:
        - ftp
        - rdp
        - nfs
        - smb
        - tftp
        - ikev2
        - krb5
        - snmp
        - sip
        - dhcp:
            enabled: yes
            # Basic DHCP records only, no option dump.
            extended: no
        - ssh
        - stats:
        - flow

  - unified2-alert:
      enabled: no

  - http-log:
      enabled: no
      filename: http.log
      append: yes

  # NOTE(review): no `enabled` key. Outputs are only activated by an explicit
  # `enabled: yes`, so this stanza is inert — add `enabled: no` to make that
  # explicit rather than relying on the default.
  - tls-log:
      append: yes

  - tls-store:
      enabled: no

  # If switched on: 2000 files x 1000mb is roughly 2 TB of rotating,
  # uncompressed full-packet capture under default-log-dir.
  - pcap-log:
      enabled: no
      filename: log.pcap

      limit: 1000mb
      max-files: 2000

      compression: none

  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes

  - alert-prelude:
      enabled: no
      profile: suricata
      log-packet-content: no
      log-packet-header: yes

  # Text counters; same data as the eve `stats` record above.
  - stats:
      enabled: yes
      filename: stats.log

  - syslog:
      enabled: no
      facility: local5

  - drop:
      enabled: no

  # Two file-store stanzas: this one is the v2 extractor, the next the legacy
  # v1 one; both off. Files carved from the wire are untrusted content —
  # plan disk quota and directory permissions before enabling either.
  - file-store:
      version: 2
      enabled: no
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For

  - file-store:
      enabled: no

  - tcp-data:
      enabled: no
      type: file
      filename: tcp-data.log

  - http-body-data:
      enabled: no
      type: file
      filename: http-data.log

  # No scripts listed, so nothing would run even if this were enabled.
  - lua:
      enabled: no
      scripts:

# The engine's own log (not traffic events). Console and suricata.log are on;
# the file output sets its own, more verbose, `info` level.
logging:
  default-log-level: notice
  # Empty: no filter, every message at or above the level is written.
  default-output-filter:

  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      level: info
      filename: suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "

# Live capture. The post above mentions 8 interfaces but only eth0 is listed;
# every other interface picks up the `default` stanza (3 threads each).
af-packet:
  - interface: eth0
    cluster-id: 90
    # Flow-hash fanout: all packets of one flow reach the same worker thread.
    cluster-type: cluster_flow
    defrag: yes
  # Values missing from a named interface fall back to this entry.
  # NOTE(review): every interface needs a distinct cluster-id; the unlisted
  # ones rely on the engine assigning one — confirm in the startup log.
  - interface: default
    threads: 3

# Only used when started with libpcap capture (--pcap); inert under af-packet.
pcap:
  - interface: eth0
  - interface: default

# Only applies to offline pcap reads (-r).
pcap-file:
  checksum-checks: auto

# Protocol parsers. Each parser that is on costs CPU for traffic of that
# protocol; each one that is off leaves that protocol's rules blind.
app-layer:
  protocols:
    krb5:
      enabled: yes
    snmp:
      enabled: yes
    ikev2:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443

      # auto: JA3 hashes are computed only when a rule or eve record asks.
      ja3-fingerprints: auto
      # bypass: once the handshake has been parsed the flow is no longer
      # inspected or reassembled. This is the main CPU saver in this file and
      # also its main visibility loss: nothing after the handshake (payload
      # rules on the encrypted stream, per-flow volume) is seen. `default`
      # keeps tracking; the `bypassed` timeouts in flow-timeouts apply here.
      encryption-handling: bypass

    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    rdp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
      raw-extraction: no
      mime:
        decode-mime: yes

        decode-base64: yes
        decode-quoted-printable: yes

        header-value-depth: 2000

        # URLs in mail bodies become matchable/loggable; body MD5 stays off.
        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      # Protocol is recognised (app-layer-protocol matching) but not parsed.
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        # Plain scalar "139, 445"; the engine splits the port list on commas.
        dp: 139, 445

    nfs:
      enabled: yes
    tftp:
      enabled: yes
    dns:
      # Both limits count toward the memcap budget summed at the stream section.
      global-memcap: 4gb
      state-memcap: 1mb

      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes

      libhtp:
         # Generic parser personality for every server. The body limits cap
         # how much of each request/response is reassembled and inspected;
         # bytes past 1mb are not inspected.
         default-config:
           personality: IDS
           request-body-limit: 1mb
           response-body-limit: 1mb
           request-body-minimal-inspect-size: 32kb
           request-body-inspect-window: 4kb
           response-body-minimal-inspect-size: 40kb
           response-body-inspect-window: 16kb
           # At most two nested Content-Encodings are undone.
           response-body-decompress-layer-limit: 2

           http-body-inline: auto

           # NOTE(review): 0 is documented as "no limit" for both depths —
           # confirm for this version. Unbounded SWF inflation is CPU and
           # memory that the sender controls.
           swf-decompression:
             enabled: yes
             type: both
             compress-depth: 0
             decompress-depth: 0

           # Single URL-decoding pass. A server that decodes twice can be
           # evaded unless a matching per-server entry below enables these.
           double-decode-path: no
           double-decode-query: no


         # Empty: no per-server personality overrides, so the generic IDS
         # personality above is applied to every web server seen.
         server-config:



    modbus:
      enabled: no
      detection-ports:
        dp: 502

      stream-depth: 0

    dnp3:
      enabled: no
      detection-ports:
        dp: 20000

    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818

    ntp:
      enabled: yes

    dhcp:
      enabled: yes

    sip:
      enabled: yes

# Bounds ASN.1 decoder work per packet on crafted input.
asn1-max-frames: 256

# Core files can contain captured packet data; restrict where the kernel
# writes them before leaving the size unlimited.
coredump:
  max-dump: unlimited

# auto: sniffer-only in IDS runmodes, router in IPS runmodes.
host-mode: auto

# Preallocated packet pool size; memory cost scales with it (per thread in
# workers mode — confirm), it is not a rate limit.
max-pending-packets: 65000

# workers: each capture thread decodes, detects and logs its own packets.
# There is no separate detect thread pool, so `detect-thread-ratio` in the
# threading section has no effect here.
runmode: workers

# Control socket used by suricatasc; auto enables it where the socket
# directory exists.
unix-command:
  enabled: auto

legacy:
  uricontent: enabled

# Only read when started with --engine-analysis; no runtime cost otherwise.
engine-analysis:
  rules-fast-pattern: yes
  rules: yes

# Backtracking caps for pcre rules: they bound worst-case regex CPU on
# crafted input; a rule whose match exceeds them simply does not match.
pcre:
  match-limit: 3500
  match-limit-recursion: 1500

# TCP reassembly policy per destination host. Overlapping or retransmitted
# segments are resolved the way the named OS would resolve them, so a
# mismatch lets a sender craft overlaps that the IDS reads differently from
# the real host. Everything is treated as Windows here — NOTE(review): if the
# protected servers are Linux/BSD, list their ranges under that policy.
host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

# IP fragment reassembly: 1gb limit, 64k-bucket table, fragments older than
# 60 seconds are discarded.
defrag:
  memcap: 1gb
  hash-size: 65536
  prealloc: yes
  timeout: 60

# Flow table. When the memcap is hit, emergency mode switches to the
# `emergency-*` timeouts below until 30% of the table has been freed.
flow:
  memcap: 2gb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

# The VLAN tag is part of the flow key: the same 5-tuple on two VLANs is
# tracked as two flows.
vlan:
  use-for-tracking: true

# Idle timeouts in seconds. `bypassed` is how long a flow bypassed by the TLS
# encryption-handling setting stays in the table; `closed: 0` releases
# properly closed flows at once.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50

# TCP stream tracking and reassembly. Together with defrag (1gb), flow (2gb),
# dns (4gb) and host (32mb) the memcaps in this file add up to roughly 19 GB
# of the 32 GB mentioned above, before packet pools, rule groups and the OS.
stream:
  memcap: 4gb
  reassembly:
    memcap: 8gb
    # Chunk sizes handed to detection are jittered (randomize) so a sender
    # cannot place content exactly on a chunk boundary.
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    segment-prealloc: 200000

# Per-host table (thresholds, tagging, reputation); small and rarely the
# bottleneck.
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32mb

# Tunnel decoding: inner packets of Teredo and VXLAN (port from $VXLAN_PORTS)
# are decoded and inspected instead of being treated as opaque UDP.
decoder:
  teredo:
    enabled: true
  vxlan:
    enabled: true

# Signature grouping and matching engine.
detect:
  # high: more, smaller signature groups — faster matching, more memory.
  profile: high
  # Only consulted when profile is `custom`; inert with `high`.
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  # Bounds recursive content inspection per packet; a defence against
  # pathological rule/payload combinations.
  inspection-recursion-limit: 3000

  prefilter:
    default: auto

  grouping:

  profiling:
    grouping:
      dump-to-disk: false
      include-mpm-stats: false

# Hyperscan for both multi- and single-pattern matching. Needs a build with
# Hyperscan compiled in (check `suricata --build-info`); NOTE(review): verify
# this build does not silently fall back to a slower algorithm.
mpm-algo: hs
spm-algo: hs

# NOTE(review): `set-cpu-affinity: no` means everything under cpu-affinity
# (cpu sets, exclusive mode, priorities) is ignored and the kernel schedules
# the worker threads freely over all cores, which is consistent with the
# "100% on all cores" symptom above. The sets below reference cores 0-7 and
# must match the real CPU count before being switched on.
threading:
  set-cpu-affinity: no
  cpu-affinity:
    - management-cpu-set:
    - receive-cpu-set:
    - worker-cpu-set:
        cpu: [ "2-7" ]
        mode: "exclusive"
        prio:
          low: [ 0 ]
          medium: [ "2-5" ]
          high: [ "6-7" ]
          default: "medium"
  # autofp only: detect threads per CPU. No effect under runmode workers.
  detect-thread-ratio: 1.6

luajit:
  states: 128

# Rule, keyword, prefilter, rule-group and packet profiling are all on.
# NOTE(review): these only do anything in a build configured with
# --enable-profiling (see `suricata --build-info`), but in such a build they
# add per-packet timing and lock overhead on every worker — a likely part of
# the CPU load above. Switch them off outside a tuning session.
profiling:

  rules:
    enabled: yes
    filename: rule_perf.log
    append: yes


    # Report only the 10 costliest rules, as JSON.
    limit: 10
    json: yes

  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes

  prefilter:
    enabled: yes
    filename: prefilter_perf.log
    append: yes

  rulegroups:
    enabled: yes
    filename: rule_group_perf.log
    append: yes

  packets:
    enabled: yes
    filename: packet_stats.log
    append: yes

    csv:
      enabled: no
      filename: packet_stats.csv

  locks:
    enabled: no
    filename: lock_stats.log
    append: yes

  pcap-log:
    enabled: no
    filename: pcaplog_stats.log
    append: yes

# Capture methods other than af-packet. None is active unless the engine is
# started with the matching option (-q, --netmap, --pfring, ...); the stanzas
# are carried over from the upstream template.
nfq:

nflog:
  - group: 2
    buffer-size: 18432
  - group: default
    qthreshold: 1
    qtimeout: 100
    max-size: 20000

capture:

# 1-space list indent here against 2 elsewhere: valid YAML, just inconsistent.
netmap:
 - interface: eth2
 - interface: default

pfring:
  - interface: eth0
    threads: auto

    cluster-id: 99
    cluster-type: cluster_flow

  - interface: default

ipfw:

napatech:
    streams: ["0-3"]
    auto-config: yes
    ports: [all]
    hashmode: hash5tuplesorted


default-rule-path: /var/lib/suricata/rules
# Single merged rule file (typically the suricata-update output). Every
# variable a rule references must resolve, or that rule is skipped at load.
rule-files:
  - suricata.rules

classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config

# Loaded last, so any key it sets replaces the value above. Anything that
# looks missing in this file (e.g. EXTERNAL_NET) may be defined there.
include: rocknsm-overrides.yaml