Project

General

Profile

Actions

Support #2635

closed

Multi-threading not working correctly

Added by FATEMA WALA over 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Affected Versions:
Label:

Description

I have been troubleshooting an issue we are having with Suricata's multi-threading.
Some of the tcp based alerts aren't getting triggered when Suricata is running in IDS interface sniffing mode with AF_Packet.

While running it in offline mode, with runmode: single, reading a pcap of some traffic I generated from my laptop (using $curl -A "SearchProtect" http://cnn.com), will fire some alerts (eg: sid: 2022813), which never gets fired when running suricata in packet sniffing mode and generating same traffic from my laptop. I verified that the traffic is reaching the box and not getting dropped on the interface.

I narrowed down the issue to be something to do with how packets are getting distributed in multi-threading mode in suricata, and maybe because of packets re-ordering the tcp based alerts do not get fired often.
I have followed the steps in SepTune doc to pin the Interrupts/IRQs to the specific cpus and use rest as "workers", but no success so far.

Actions #1

Updated by Victor Julien over 5 years ago

  • Tracker changed from Bug to Support
Actions #2

Updated by Andreas Herz over 5 years ago

Can you give us more details about your setup, especially configuration and how you run suricata (commandline)?

Actions #3

Updated by Victor Julien about 5 years ago

Might be related to #2725

Actions #4

Updated by Andreas Herz about 5 years ago

  • Assignee set to FATEMA WALA
  • Target version set to Support
Actions #5

Updated by Andreas Herz almost 5 years ago

  • Status changed from New to Feedback
Actions #6

Updated by Andreas Herz over 4 years ago

  • Status changed from Feedback to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs

Actions

Also available in: Atom PDF