[Snort-devel] High CPU utilization

Sjsnort sjsnort at ...398...
Sun May 27 23:29:08 EDT 2001


I picked up the conf from whitehats and added some stuff from the 1.7 conf,
so almost all preprocessors. This is what it looks like:
---snip------
var INTERNAL ii.ii.ii.ii/16
var EXTERNAL !$INTERNAL
var DNS_SERVERS [xx.xx.xx.xx/32,yy.yy.yy.yy/32,zz.zz.zz.zz/32,aa.aa.aa.aa/32,bb.bb.bb.bb/32]

# add preprocessors here
preprocessor minfrag: 256
preprocessor defrag
preprocessor stream2: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
preprocessor telnet_decode
preprocessor http_decode: 80
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor portscan: $INTERNAL 5 5 portscan
preprocessor portscan-ignorehosts: $DNS_SERVERS

var SPADEDIR /sw/trons/spade
preprocessor spade: 10.5 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
preprocessor spade-homenet: ii.i.ii.ii/16
preprocessor spade-threshlearn: 200 24
preprocessor spade-survey:  $SPADEDIR/survey.txt 60
preprocessor spade-stats: entropy uncondprob condprob

# based on proposed ietf classification
# low
config classification: not-suspicious,Not Suspicious Traffic,0
config classification: unknown,Unknown Traffic,1
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,3
# medium
config classification: attempted-recon,Attempted Information Leak,4
config classification: attempted-dos,Attempted Denial of Service,5
config classification: attempted-user,Attempted User Privilege Gain,6
config classification: attempted-admin,Attempted Administrator Privilege Gain,7
# high
config classification: successful-recon-limited,Information Leak,8
config classification: successful-recon-largescale,Large Scale Information Leak,9
config classification: successful-dos,Denial of Service,10
config classification: successful-user,Successful User Privilege Gain,11
config classification: successful-admin,Successful Administrator Privilege Gain,12

output database: alert, mysql, user=user password=xxxx dbname=trons host=localhost
output alert_full: alert

....lots of rules, whitehats style ........
----snip--------------


Siddhartha


----- Original Message -----
From: "Fyodor" <fygrave at ...1...>
To: "Sjsnort" <sjsnort at ...398...>
Sent: Sunday, May 27, 2001 4:13 PM
Subject: Re: [Snort-devel] High CPU utilization


> hmm.. which preprocessors are on? :)
>
> On Sun, May 27, 2001 at 01:25:03PM +0530, Sjsnort wrote:
> > Hi,
> >
> > I built Snort-1.8 beta5 Build 24 and updated it from the CVS repository. I
> > am getting about 30% CPU utilization for about 2 Mbps on a Dual-CPU 450-MHz
> > UltraSparc-II box with 1 GB of RAM. I also run Snort 1.7 on the same box
> > which is consuming 15% CPU for the same traffic. The rules are from
> > arachnids with a few commented out and both processes logging to a Mysql
> > database on the same server.
> >
> > I think the CPU utilization is too high. At this rate, for even traffic
> > like 10 Mbps, I will have to get really powerful machines or face an evasion
> > attack.
> >
> > Regards,
> >
> > Siddhartha
> >
> >
> > _________________________________________________________
> > Do You Yahoo!?
> > Get your free @yahoo.com address at http://mail.yahoo.com
> >
> >
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > http://lists.sourceforge.net/lists/listinfo/snort-devel
> >
>
> --
> http://www.notlsd.net
> PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
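Fyodor's question ("which preprocessors are on?") is the first thing to answer when a sensor's CPU climbs, and reading it off a long snort.conf by eye is error-prone. The following is an added example, not code from the thread or from the Snort project: a small parser for the Snort 1.x syntax shown above (`var`, `preprocessor name: args`, `output name: args`) that inventories the enabled preprocessors with their `$VAR` references expanded, so the loaded configuration can be compared against what was intended. The embedded config text is a constructed sample in the same format, with placeholder addresses.

```python
import re

# Constructed sample in the Snort 1.x syntax from the thread (placeholder addresses, not the poster's file).
SAMPLE_CONF = """\
var INTERNAL 10.1.0.0/16
var EXTERNAL !$INTERNAL
var DNS_SERVERS [10.1.0.53/32,10.1.0.54/32]
# add preprocessors here
preprocessor minfrag: 256
preprocessor defrag
preprocessor stream2: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
preprocessor portscan: $INTERNAL 5 5 portscan
preprocessor portscan-ignorehosts: $DNS_SERVERS
var SPADEDIR /sw/trons/spade
preprocessor spade: 10.5 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
output database: alert, mysql, user=user password=xxxx dbname=trons host=localhost
"""

VAR_RE = re.compile(r"\$(\w+)")

def expand(value, variables):
    """Replace $NAME references with earlier 'var' definitions; unknown names are left literal."""
    return VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), value)

def parse_conf(text):
    """Return (variables, preprocessors, outputs) for Snort 1.x config text.

    preprocessors and outputs are lists of (name, expanded_args) in file order;
    args is '' for bare directives such as 'preprocessor defrag'.
    """
    variables, preprocessors, outputs = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "var":
            name, _, value = rest.partition(" ")
            variables[name] = expand(value.strip(), variables)   # vars may reference earlier vars
        elif keyword in ("preprocessor", "output"):
            name, _, args = rest.partition(":")
            entry = (name.strip(), expand(args.strip(), variables))
            (preprocessors if keyword == "preprocessor" else outputs).append(entry)
    return variables, preprocessors, outputs

if __name__ == "__main__":
    _, pre, out = parse_conf(SAMPLE_CONF)
    print(f"{len(pre)} preprocessors enabled:")
    for name, args in pre:
        print(f"  {name:22s} {args}")
    print(f"{len(out)} output plugins:", ", ".join(n for n, _ in out))
```

Run it against the real file with `parse_conf(open("snort.conf").read())`; the expanded `portscan` and `spade` arguments show at a glance which address ranges each preprocessor is actually watching.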

