[Snort-devel] CPU killing in build 24

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Thu Nov 7 08:13:09 EST 2002


On some of our systems we use snort2.... The snort2 build we're using is
10.  We had rebuilt from build 1 to solve the problem that is now
occurring again in build 24.

I believe in the past the problem was related to something in portscan2,
as well as some changes that were overwritten when the snort2 code was
merged.  I can't seem to find those problems being overwritten again,
and we're not even using portscan2 or conversation on the problem
snort2s.  Yesterday we compiled and installed snort2 build 24 on our
test systems... And discovered that after a random period of time
(usually greater than a few minutes), the snort2-24 was sucking down
every ounce of CPU it could get, while not processing any incoming data.
We have some fairly regular attempts that hit our test machines, so when
the logging stopped, I checked the graphs for our CPU usage and found
that they correlated to the same time.

We're using:
search-method mwm
Stream4 (reassemble both, ports all)
http_decode
HttpFlow
rpc_decode
telnet_decode
bo

And the latest set of rules from cvs.



