Suricata / ips running high load

Bill_Ny · August 25, 2025, 5:19am

Any reason why suricata would run away like this?
I have it now only running on 1 vlan, running low/medium block /notification.

Route10 was handling 4 vlans very well before. But if I run it at all everyone noticed slower network speeds.

Thanks,
-b

– From Top–
Mem: 865780K used, 136536K free, 18528K shrd, 348888K buff, 24368K cached
CPU: 24% usr 0% sys 0% nic 73% idle 0% io 0% irq 0% sirq

Load average: 12.67 6.38 2.95 3/131 3229
PID PPID USER STAT VSZ %VSZ %CPU COMMAND
3126 3121 root R 341m 35% 25% {suricata-update} /usr/bin/python3 /usr/bin/suricata-update --fail --no-test
10480 1 root SN 23160 2% 1% /usr/sbin/rcstats
24159 1 root S 1780 0% 0% /bin/sh /usr/sbin/mwan3track wan
9432 1 root S 1100 0% 0% /usr/bin/fiber_led

jmszuch · August 25, 2025, 1:17pm

I have IDS/IPS running on a few sites and haven’t had anyone report any slowness, but I’ll try to take a look and see if any of the CPU load looks high when the day gets a bit busier

ebuckland81 · August 25, 2025, 2:53pm

It seems like it is an update process…so not likely the main process. Does it keep on running for long or only a short spike? If it hangs and runs indefinitely, then it is an issue of course.

Hefty · August 25, 2025, 9:51pm

I’m seeing the same on one of my Route 10’s very high load average (10+), suricata running away. Only checked as router had 2 random unexplained reboots today, saw this post, wondered if it was related.

Bill_Ny · August 26, 2025, 1:18am

Another issue I am seeing is, after some time logging only shows dnsmasg messages.
Nothing else is logged until I kill klogd process and then it runs fine for an hour or so.

Alta-Jeff · August 26, 2025, 4:33am

Suricata does give the system a high load while it is starting, for about 1 minute. This is expected, then it will settle down once it has completed initialization.