[Snort-users] Spade and High CPU usage

James Hoagland hoagland at ...47...
Fri Apr 20 15:41:16 EDT 2001


At 12:00 PM -0500 4/20/01, Steve Halligan wrote:
>I am running the latest version of spp_anonsensor.c and snort is hovering at
>between 35 and 80% CPU.  I also noticed that my dropped packets has
>increased from 0.005% to 19%.  This is on an OBSD 2.8 box with a celeron
>333.  Is this to be expected?  If so, what processor speed is needed to keep
>up with spade?

I've never seen anything close to that slow of performance with Spade 
(then again I've never run it on a celeron).  Spade only looks at 
SYNs and I've had it churn through about 1.5 million SYNs in about 2 
minutes (no snort rules or other plugins running in that test) on a 
modest machine.  Efficiency was one of the design goals for core 
Spade.

Do you have the survey mode on?  That was not designed for efficiency 
and the (cumulative) time it takes is O(n^2) on the number of SYN 
packets recorded in the specified time interval.

Checkpointing takes a few seconds (more if there is more variety of 
traffic on your network) when it runs and dumps its state to a file, 
so if you have the frequency too high then that could cause problems. 
The default is pretty low frequency though.

For improved efficiency, you can also use a fixed threshold rather 
than one of the threshold adapting modes.  After you have observed 
Spade's output for a while and if your network does not change its 
characteristics too often, you can probably figure out a good 
threshold to use.

Hope this helps,

   Jim

-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*              http://www.silicondefense.com/              *|
|*      Silicon Defense - Technical Support for Snort       *|
|*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|




More information about the Snort-users mailing list