[Snort-devel] High CPU utilization

Martin Roesch roesch at ...402...
Mon May 28 00:16:54 EDT 2001


Sjsnort wrote:
> 
> I picked up the conf from whitehats and added some stuff from the 1.7 conf,
> so almost all preprocessors.. This is what it looks like :-
> ---snip------
> var INTERNAL ii.ii.ii.ii/16
> var EXTERNAL !$INTERNAL
> var DNS_SERVERS [xx.xx.xx.xx/32,yy.yy.yy.yy/32,zz.zz.zz.zz/32,aa.aa.aa.aa/32,bb.bb.bb.bb/32]
> 
> # add preprocessors here
> preprocessor minfrag: 256

Minfrag is (should be) deprecated, its functionality can be duplicated
using ip protocol rules now.

> preprocessor defrag
> preprocessor stream2: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
> preprocessor telnet_decode
> preprocessor http_decode: 80
> preprocessor rpc_decode: 111 32771

Turn off decode for 32771...

> preprocessor bo: -nobrute
> preprocessor portscan: $INTERNAL 5 5 portscan
> preprocessor portscan-ignorehosts: $DNS_SERVERS
> 
> var SPADEDIR /sw/trons/spade
> preprocessor spade: 10.5 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
> preprocessor spade-homenet: ii.i.ii.ii/16
> preprocessor spade-threshlearn: 200 24
> preprocessor spade-survey:  $SPADEDIR/survey.txt 60
> preprocessor spade-stats: entropy uncondprob condprob

This could be degrading your performance, try turning off the SPADE
stuff and check the load again.

> # based on proposed ietf classification
> # low
> config classification: not-suspicious,Not Suspicious Traffic,0
> config classification: unknown,Unknown Traffic,1
> config classification: bad-unknown,Potentially Bad Traffic, 2
> config classification: unsuccessful-user,Unsuccessful User Privilege Gain,3
> # medium
> config classification: attempted-recon,Attempted Information Leak,4
> config classification: attempted-dos,Attempted Denial of Service,5
> config classification: attempted-user,Attempted User Privilege Gain,6
> config classification: attempted-admin,Attempted Administrator Privilege Gain,7
> # high
> config classification: successful-recon-limited,Information Leak,8
> config classification: successful-recon-largescale,Large Scale Information Leak,9
> config classification: successful-dos,Denial of Service,10
> config classification: successful-user,Successful User Privilege Gain,11
> config classification: successful-admin,Successful Administrator Privilege Gain,12
> 
> output database: alert, mysql, user=user password=xxxx dbname=trons host=localhost

This will also send your CPU way up, mysql seems to really get the Snort
process hogging the CPU (so to speak). ;)


     -Marty



> output alert_full: alert
> 
> ....lots of rules, whitehats style ........
> ----snip--------------
> 
> Siddhartha
> 
> ----- Original Message -----
> From: "Fyodor" <fygrave at ...1...>
> To: "Sjsnort" <sjsnort at ...398...>
> Sent: Sunday, May 27, 2001 4:13 PM
> Subject: Re: [Snort-devel] High CPU utilization
> 
> > hmm.. which preprocessors are on? :)
> >
> > On Sun, May 27, 2001 at 01:25:03PM +0530, Sjsnort wrote:
> > > Hi,
> > >
> > > I built Snort-1.8 beta5 Build 24 and updated it from the CVS repository. I
> > > am getting about 30% CPU utilization for about 2 Mbps on a Dual-CPU 450-MHz
> > > UltraSparc-II box with 1 GB of RAM. I also run Snort 1.7 on the same box
> > > which is consuming 15% CPU for the same traffic. The rules are from
> > > arachnids with a few commented out and both processes logging to a Mysql
> > > database on the same server.
> > >
> > > I think the CPU utilization is too high. At this rate, for even traffic
> > > like 10 Mbps, I will have to get really powerful machines or face an evasion
> > > attack.
> > >
> > > Regards,
> > >
> > > Siddhartha
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Snort-devel mailing list
> > > Snort-devel at lists.sourceforge.net
> > > http://lists.sourceforge.net/lists/listinfo/snort-devel
> > >
> >
> > --
> > http://www.notlsd.net
> > PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
> 

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
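As an added illustration that is not part of the thread or of Snort itself: a small Python script that applies Marty's four suggestions to a snort.conf (comment out minfrag, comment out the SPADE preprocessors, drop 32771 from rpc_decode, and comment out the database output plugin) so the resulting config can be run side by side with the original while watching CPU load. The sample config is constructed from the lines quoted above, with the poster's placeholder addresses kept.

```python
import re

# Constructed sample: the preprocessor and output lines quoted in the thread.
SAMPLE_CONF = """\
var INTERNAL ii.ii.ii.ii/16
preprocessor minfrag: 256
preprocessor defrag
preprocessor stream2: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
preprocessor http_decode: 80
preprocessor rpc_decode: 111 32771
preprocessor spade: 10.5 /sw/trons/spade/spade.rcv /sw/trons/spade/log.txt 3 50000
preprocessor spade-homenet: ii.i.ii.ii/16
output database: alert, mysql, user=user password=xxxx dbname=trons host=localhost
output alert_full: alert
"""

# snort.conf directive: "preprocessor name[: args]" or "output name[: args]"
DIRECTIVE = re.compile(r"^(preprocessor|output)\s+([\w-]+)\s*:?\s*(.*)$")

def tune_line(line):
    """Apply the thread's advice to one line.
    Returns (new_line, reason); reason is None when the line is unchanged."""
    m = DIRECTIVE.match(line.strip())
    if not m:
        return line, None
    kind, name, args = m.groups()
    if kind == "preprocessor" and name == "minfrag":
        return "# " + line, "minfrag deprecated; use ip protocol rules instead"
    if kind == "preprocessor" and name.startswith("spade"):
        return "# " + line, "SPADE disabled to compare load"
    if kind == "preprocessor" and name == "rpc_decode":
        ports = [p for p in args.split() if p != "32771"]
        return f"preprocessor rpc_decode: {' '.join(ports)}".rstrip(), "dropped 32771"
    if kind == "output" and name == "database":
        return "# " + line, "database output costs CPU; compare without it"
    return line, None

def tune_conf(text):
    """Tune every line; return (tuned_text, list of 'reason: original line')."""
    out, reasons = [], []
    for line in text.splitlines():
        new, why = tune_line(line)
        out.append(new)
        if why:
            reasons.append(f"{why}: {line.strip()}")
    return "\n".join(out) + "\n", reasons

if __name__ == "__main__":
    tuned, reasons = tune_conf(SAMPLE_CONF)
    print(tuned)
    print("\n".join(reasons))
```

Run the original and the tuned config against the same traffic (or the same capture) and compare CPU usage; re-enable one directive at a time to see which one accounts for the difference.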