[Snort-devel] old problem seems back

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Fri Oct 11 22:17:01 EDT 2002


I'm not sure if anyone else experienced this in the past, but for us
it's come back again.  There is a system on which we run multiple
instances of snort, some of which get high amounts of packets flying
their way every so often.  If the CPU utilization is at 100% for
extended periods of time, one or several of the snort processes will
begin to hijack the CPU and try to steal ALL of its cycles.  Currently
it's not based on whether or not it was the snort that started the CPU
usage with all the packets, it's just random.  Now, I say this having to
note one other thing.  Along with this wonderful use of resources comes
a failing of snort to log any of the alerts.

We had this problem in the past and at some point in the stages between
1.8.x and 1.9 it went away.  The only changes we've made is to change
the binary to v2 beta... And add the two config file lines:

config detection: no_stream_inserts, search-method mwm
preprocessor HttpFlow: ports 80 3128 8080 depth 255

Any code get left in sourcefires set unupdated from the other changes
going on? Anything (debugging, stats output, stuff like that) we can do
to help?

On the good side of things:  The load on our systems was cut in half or
third of what is commonly seen, as well as many other improvements, such
as CPU utilization.  

Anyway, it all seems somewhat random, this occurrence... And we'd be
more than willing to help by changing some things and testing.  Would be
curious to hear if anyone else has experienced a problem such as this.




More information about the Snort-devel mailing list