[Snort-devel] High CPU utilization

Sjsnort sjsnort at ...398...
Mon May 28 01:30:11 EDT 2001


Hi,

I followed your instructions and here is what I found:

 - Turning off minfrag brought down the CPU usage from 27% to 20% (for
almost the same traffic).
 - Taking off 32771 didn't make much difference, maybe because I don't get
much traffic to this port and service.
 - After turning off spade, I couldn't tell the difference.

All I can say is that I am running 1.7 and 1.8 simultaneously and currently
1.7 is running at 21% and 1.8 is running at 35%. This is slightly better
than before, when 1.8 would be at almost double the figure of 1.7.

Siddhartha

----- Original Message -----
From: "Martin Roesch" <roesch at ...402...>
To: "Sjsnort" <sjsnort at ...398...>
Cc: "Snort-Devel" <snort-devel at lists.sourceforge.net>
Sent: Monday, May 28, 2001 9:46 AM
Subject: Re: [Snort-devel] High CPU utilization


> Sjsnort wrote:
> >
> > I picked up the conf from whitehats and added some stuff from the 1.7 conf,
> > so almost all preprocessors.. This is what it looks like :-
> > ---snip------
> > var INTERNAL ii.ii.ii.ii/16
> > var EXTERNAL !$INTERNAL
> > var DNS_SERVERS [xx.xx.xx.xx/32,yy.yy.yy.yy/32,zz.zz.zz.zz/32,aa.aa.aa.aa/32,bb.bb.bb.bb/32]
> >
> > # add preprocessors here
> > preprocessor minfrag: 256
>
> Minfrag is (should be) deprecated, its functionality can be duplicated
> using ip protocol rules now.
>
> > preprocessor defrag
> > preprocessor stream2: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
> > preprocessor telnet_decode
> > preprocessor http_decode: 80
> > preprocessor rpc_decode: 111 32771
>
> Turn off decode for 32771...
>
> > preprocessor bo: -nobrute
> > preprocessor portscan: $INTERNAL 5 5 portscan
> > preprocessor portscan-ignorehosts: $DNS_SERVERS
> >
> > var SPADEDIR /sw/trons/spade
> > preprocessor spade: 10.5 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
> > preprocessor spade-homenet: ii.i.ii.ii/16
> > preprocessor spade-threshlearn: 200 24
> > preprocessor spade-survey:  $SPADEDIR/survey.txt 60
> > preprocessor spade-stats: entropy uncondprob condprob
>
> This could be degrading your performance, try turning off the SPADE
> stuff and check the load again.
>
> > # based on proposed ietf classification
> > # low
> > config classification: not-suspicious,Not Suspicious Traffic,0
> > config classification: unknown,Unknown Traffic,1
> > config classification: bad-unknown,Potentially Bad Traffic, 2
> > config classification: unsuccessful-user,Unsuccessful User Privilege Gain,3
> > # medium
> > config classification: attempted-recon,Attempted Information Leak,4
> > config classification: attempted-dos,Attempted Denial of Service,5
> > config classification: attempted-user,Attempted User Privilege Gain,6
> > config classification: attempted-admin,Attempted Administrator Privilege Gain,7
> > # high
> > config classification: successful-recon-limited,Information Leak,8
> > config classification: successful-recon-largescale,Large Scale Information Leak,9
> > config classification: successful-dos,Denial of Service,10
> > config classification: successful-user,Successful User Privilege Gain,11
> > config classification: successful-admin,Successful Administrator Privilege Gain,12
> >
> > output database: alert, mysql, user=user password=xxxx dbname=trons host=localhost
>
> This will also send your CPU way up, mysql seems to really get the Snort
> process hogging the CPU (so to speak). ;)
>
>
>      -Marty
>
>
>
> > output alert_full: alert
> >
> > ....lots of rules, whitehats style ........
> > ----snip--------------
> >
> > Siddhartha
> >
> > ----- Original Message -----
> > From: "Fyodor" <fygrave at ...1...>
> > To: "Sjsnort" <sjsnort at ...398...>
> > Sent: Sunday, May 27, 2001 4:13 PM
> > Subject: Re: [Snort-devel] High CPU utilization
> >
> > > hmm.. which preprocessors are on? :)
> > >
> > > On Sun, May 27, 2001 at 01:25:03PM +0530, Sjsnort wrote:
> > > > Hi,
> > > >
> > > > I built Snort-1.8 beta5 Build 24 and updated it from the CVS repository.
> > > > I am getting about 30% CPU utilization for about 2 Mbps on a Dual-CPU
> > > > 450-MHz UltraSparc-II box with 1 GB of RAM. I also run Snort 1.7 on the
> > > > same box, which is consuming 15% CPU for the same traffic. The rules are
> > > > from arachnids with a few commented out, and both processes are logging
> > > > to a MySQL database on the same server.
> > > >
> > > > I think the CPU utilization is too high. At this rate, for even traffic
> > > > like 10 Mbps, I will have to get really powerful machines or face an
> > > > evasion attack.
> > > >
> > > > Regards,
> > > >
> > > > Siddhartha
> > > >
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Snort-devel mailing list
> > > > Snort-devel at lists.sourceforge.net
> > > > http://lists.sourceforge.net/lists/listinfo/snort-devel
> > > >
> > >
> > > --
> > > http://www.notlsd.net
> > > PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
> >
>
> --
> Martin Roesch
> roesch at ...402...
> http://www.sourcefire.com - http://www.snort.org
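As an added example (not code from the thread or from the Snort project), a small Python script that applies Marty's three suggestions to a constructed excerpt of the quoted config, so the before/after preprocessor list can be compared when you measure load: comment out the deprecated minfrag preprocessor, drop port 32771 from rpc_decode, and disable the SPADE lines. The replacement rule uses the fragbits and dsize keywords, which I assume are the ip protocol rule equivalent of minfrag's size threshold; check them against your Snort version's rule documentation.

```python
import re

# Constructed excerpt of the snort.conf quoted in the thread (placeholders as in the mail).
ORIGINAL_CONF = """\
var INTERNAL ii.ii.ii.ii/16
var EXTERNAL !$INTERNAL
preprocessor minfrag: 256
preprocessor defrag
preprocessor stream2: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
preprocessor rpc_decode: 111 32771
var SPADEDIR /sw/trons/spade
preprocessor spade: 10.5 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
preprocessor spade-homenet: ii.i.ii.ii/16
preprocessor spade-stats: entropy uncondprob condprob
output database: alert, mysql, user=user password=xxxx dbname=trons host=localhost
"""


def active_preprocessors(conf: str) -> list[str]:
    """Names of the preprocessors that are enabled (not commented out) in conf."""
    names = []
    for line in conf.splitlines():
        m = re.match(r"preprocessor\s+([\w-]+)", line)
        if m:
            names.append(m.group(1))
    return names


def apply_thread_tuning(conf: str) -> str:
    """Apply the three tuning steps from the thread and return the new conf text."""
    out, rules = [], []
    for line in conf.splitlines():
        m = re.match(r"preprocessor minfrag:\s*(\d+)", line)
        if m:
            # minfrag is deprecated; an ip protocol rule on fragment size replaces it
            # (the fragbits/dsize syntax is an assumption, verify against your rule docs)
            out.append("# " + line + "   (deprecated, see tiny-fragment rule below)")
            rules.append('alert ip $EXTERNAL any -> $INTERNAL any '
                         f'(msg:"Tiny fragment"; fragbits:M; dsize:<{m.group(1)};)')
        elif line.startswith("preprocessor rpc_decode:"):
            # drop port 32771 from RPC decoding, keep the rest of the port list
            ports = [p for p in line.split(":", 1)[1].split() if p != "32771"]
            out.append("preprocessor rpc_decode: " + " ".join(ports))
        elif line.startswith("preprocessor spade"):
            # disable every SPADE preprocessor line for the load comparison
            out.append("# " + line)
        else:
            out.append(line)
    # rules go after the preprocessor and output sections, like the whitehats rule files
    return "\n".join(out + rules) + "\n"
```

The mysql output plugin is left in place because the thread only flags it as costly; swapping it for a faster logger is a separate decision.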

