[Snort-devel] old problem seems back
Lawrence.Reed at ...1489...
Thu Oct 17 08:42:03 EDT 2002
-----BEGIN PGP SIGNED MESSAGE-----
This sounds like a problem I had in the 1.9.0beta? releases. The work
around was to disable spp_portscan2. Now that I am running 2.0 I am
having the problem again. Disabling spp_portscan2 again fixes it. As a
better solution I am currently running 2.0 with the spp_portscan2.c file
from 1.9.0. No problems yet.
Kreimendahl, Chad J wrote:
|I'm not sure if anyone else experienced this in the past, but for us
|it's come back again. There is a system on which we run multiple
|instances of snort, some of which get high amounts of packets flying
|their way every so often. If the CPU utilization is at 100% for
|extended periods of time, one or several of the snort processes will
|begin to hijack the CPU and try to steal ALL of its cycles. Currently
|it's not based on whether or not it was the snort that started the CPU
|usage with all the packets, it's just random. Now, I say this having to
|note one other thing. Along with this wonderful use of resources comes
|a failing of snort to log any of the alerts.
|We had this problem in the past and at some point in the stages between
|1.8.x and 1.9 it went away. The only changes we've made is to change
|the binary to v2 beta... And add the two config file lines:
|config detection: no_stream_inserts, search-method mwm
|preprocessor HttpFlow: ports 80 3128 8080 depth 255
|Any code get left in sourcefires set unupdated from the other changes
|going on? Anything (debugging, stats output, stuff like that) we can do
|On the good side of things: The load on our systems was cut in half or
|third of what is commonly seen, as well as many other improvements, such
|as CPU utilization.
|Anyway, it all seems somewhat random, this occurrence... And we'd be
|more than willing to help by changing some things and testing. Would be
|curious to hear if anyone else has experienced a problem such as this.
|This sf.net email is sponsored by:ThinkGeek
|Welcome to geek heaven.
|Snort-devel mailing list
|Snort-devel at lists.sourceforge.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the Snort-devel