[Snort-devel] High CPU utilization

Martin Roesch roesch at ...402...
Mon May 28 01:35:24 EDT 2001


Feel like editing some code?  Turn off the IP checksum() function call in
DecodeIP() call and see if that makes a difference.  This is a fairly
safe thing to do if you're only watching incoming traffic; routers
automatically drop packets with bad IP checksums before your sensor
should be able to see them.  Just comment out the

csum = checksum((u_short *)p->iph, hlen, (u_short *)NULL, 0);

line and see if that affects performance.

     -Marty


Sjsnort wrote:
> 
> Hi,
> 
> I followed your instructions and here is what I found :-
> 
>  - Turning off minfrag brought down the CPU usage from 27% to 20% (for
> almost the same traffic)
>  - Taking off 32771 didn't make much difference because maybe I don't get
> much traffic to this port and service.
>  - After turning off spade, I couldn't tell the difference.
> 
> All I can say is that I am running 1.7 and 1.8 simultaneously and currently,
> 1.7 is running at 21% and 1.8 is running at 35%. This is slightly better
> than before, when 1.8 would be a figure almost double of 1.7.
> 
> Siddhartha
> 
> ----- Original Message -----
> From: "Martin Roesch" <roesch at ...402...>
> To: "Sjsnort" <sjsnort at ...398...>
> Cc: "Snort-Devel" <snort-devel at lists.sourceforge.net>
> Sent: Monday, May 28, 2001 9:46 AM
> Subject: Re: [Snort-devel] High CPU utilization
> 
> > Sjsnort wrote:
> > >
> > > I picked up the conf from whitehats and added some stuff from the 1.7 conf,
> > > so almost all preprocessors.. This is what it looks like :-
> > > ---snip------
> > > var INTERNAL ii.ii.ii.ii/16
> > > var EXTERNAL !$INTERNAL
> > > var DNS_SERVERS [xx.xx.xx.xx/32,yy.yy.yy.yy/32,zz.zz.zz.zz/32,aa.aa.aa.aa/32,bb.bb.bb.bb/32]
> > >
> > > # add preprocessors here
> > > preprocessor minfrag: 256
> >
> > Minfrag is (should be) deprecated; its functionality can be duplicated
> > using ip protocol rules now.
> >
> > > preprocessor defrag
> > > preprocessor stream2: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
> > > preprocessor telnet_decode
> > > preprocessor http_decode: 80
> > > preprocessor rpc_decode: 111 32771
> >
> > Turn off decode for 32771...
> >
> > > preprocessor bo: -nobrute
> > > preprocessor portscan: $INTERNAL 5 5 portscan
> > > preprocessor portscan-ignorehosts: $DNS_SERVERS
> > >
> > > var SPADEDIR /sw/trons/spade
> > > preprocessor spade: 10.5 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
> > > preprocessor spade-homenet: ii.i.ii.ii/16
> > > preprocessor spade-threshlearn: 200 24
> > > preprocessor spade-survey:  $SPADEDIR/survey.txt 60
> > > preprocessor spade-stats: entropy uncondprob condprob
> >
> > This could be degrading your performance, try turning off the SPADE
> > stuff and check the load again.
> >
> > > # based on proposed ietf classification
> > > # low
> > > config classification: not-suspicious,Not Suspicious Traffic,0
> > > config classification: unknown,Unknown Traffic,1
> > > config classification: bad-unknown,Potentially Bad Traffic, 2
> > > config classification: unsuccessful-user,Unsuccessful User Privilege Gain,3
> > > # medium
> > > config classification: attempted-recon,Attempted Information Leak,4
> > > config classification: attempted-dos,Attempted Denial of Service,5
> > > config classification: attempted-user,Attempted User Privilege Gain,6
> > > config classification: attempted-admin,Attempted Administrator Privilege Gain,7
> > > # high
> > > config classification: successful-recon-limited,Information Leak,8
> > > config classification: successful-recon-largescale,Large Scale Information Leak,9
> > > config classification: successful-dos,Denial of Service,10
> > > config classification: successful-user,Successful User Privilege Gain,11
> > > config classification: successful-admin,Successful Administrator Privilege Gain,12
> > >
> > > output database: alert, mysql, user=user password=xxxx dbname=trons host=localhost
> >
> > This will also send your CPU way up, mysql seems to really get the Snort
> > process hogging the CPU (so to speak). ;)
> >
> >
> >      -Marty
> >
> >
> >
> > > output alert_full: alert
> > >
> > > ....lots of rules, whitehats style ........
> > > ----snip--------------
> > >
> > > Siddhartha
> > >
> > > ----- Original Message -----
> > > From: "Fyodor" <fygrave at ...1...>
> > > To: "Sjsnort" <sjsnort at ...398...>
> > > Sent: Sunday, May 27, 2001 4:13 PM
> > > Subject: Re: [Snort-devel] High CPU utilization
> > >
> > > > hmm.. which preprocessors are on? :)
> > > >
> > > > On Sun, May 27, 2001 at 01:25:03PM +0530, Sjsnort wrote:
> > > > > Hi,
> > > > >
> > > > > I built Snort-1.8 beta5 Build 24 and updated it from the CVS repository. I
> > > > > am getting about 30% CPU utilization for about 2 Mbps on a Dual-CPU 450-MHz
> > > > > UltraSparc-II box with 1 GB of RAM. I also run Snort 1.7 on the same box,
> > > > > which is consuming 15% CPU for the same traffic. The rules are from
> > > > > arachnids with a few commented out, and both processes are logging to a Mysql
> > > > > database on the same server.
> > > > >
> > > > > I think the CPU utilization is too high. At this rate, for even traffic
> > > > > like 10 Mbps, I will have to get really powerful machines or face an evasion
> > > > > attack.
> > > > >
> > > > > Regards,
> > > > >
> > > > > Siddhartha
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Snort-devel mailing list
> > > > > Snort-devel at lists.sourceforge.net
> > > > > http://lists.sourceforge.net/lists/listinfo/snort-devel
> > > > >
> > > >
> > > > --
> > > > http://www.notlsd.net
> > > > PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
> > >
> >
> > --
> > Martin Roesch
> > roesch at ...402...
> > http://www.sourcefire.com - http://www.snort.org
> 

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
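To make the trade-off in Marty's suggestion concrete, here is an added example (my own code, not Snort's checksum() from DecodeIP()) of the IPv4 header checksum verification that the commented-out line performs, run over a constructed 20-byte header. It shows what the sensor stops checking when the call is removed: a packet whose header fails this check is one the receiving host's IP stack discards, so unless a router upstream of the sensor drops it first, a sensor that skips the check can alert on, or build state from, packets the host never accepts.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One's-complement sum of 16-bit words, folded to 16 bits and complemented
 * (RFC 791).  An odd trailing byte is handled for completeness, although an
 * IPv4 header length is always a multiple of 4. */
static uint16_t ip_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; buf += 2, len -= 2)
        sum += (uint32_t)((buf[0] << 8) | buf[1]);
    if (len == 1)
        sum += (uint32_t)buf[0] << 8;
    while (sum >> 16)                       /* fold carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Verify an IPv4 header: summing the whole header, checksum field included,
 * must yield 0.  Also rejects a header whose IHL disagrees with hlen. */
int ip_header_valid(const uint8_t *hdr, size_t hlen)
{
    if (hlen < 20 || (hdr[0] >> 4) != 4 || (size_t)(hdr[0] & 0x0f) * 4 != hlen)
        return 0;
    return ip_checksum(hdr, hlen) == 0;
}

/* Constructed sample: IPv4/UDP header, 192.168.0.1 -> 192.168.0.199,
 * with its correct checksum 0xb861 at bytes 10-11. */
static const uint8_t SAMPLE_HDR[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };

/* Recompute the checksum field (field zeroed first); returns 0xb861. */
unsigned sample_checksum_field(void)
{
    uint8_t h[20]; memcpy(h, SAMPLE_HDR, 20); h[10] = h[11] = 0;
    return ip_checksum(h, 20);
}
int sample_header_verifies(void) { return ip_header_valid(SAMPLE_HDR, 20); }
/* Flip one bit in the destination address: the host would drop this packet. */
int corrupted_header_verifies(void)
{
    uint8_t h[20]; memcpy(h, SAMPLE_HDR, 20); h[16] ^= 0x01;
    return ip_header_valid(h, 20);
}
int main(void)
{
    printf("checksum=0x%04x intact=%d corrupted=%d\n", sample_checksum_field(),
           sample_header_verifies(), corrupted_header_verifies());
    return 0;
}
```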