[Snort-users] Spade and High CPU usage
hoagland at ...47...
Fri Apr 20 15:41:16 EDT 2001
At 12:00 PM -0500 4/20/01, Steve Halligan wrote:
>I am running the latest version of spp_anonsensor.c and snort is hovering at
>between 35 and 80% CPU. I also noticed that my dropped packets have
>increased from 0.005% to 19%. This is on an OBSD 2.8 box with a Celeron
>333. Is this to be expected? If so, what processor speed is needed to keep
>up with spade?

I've never seen anything close to that slow of performance with Spade
(then again I've never run it on a Celeron). Spade only looks at
SYNs and I've had it churn through about 1.5 million SYNs in about 2
minutes (no snort rules or other plugins running in that test) on a
modest machine. Efficiency was one of the design goals for core

Do you have the survey mode on? That was not designed for efficiency
and the (cumulative) time it takes is O(n^2) on the number of SYN
packets recorded in the specified time interval.

Checkpointing takes a few seconds (more if there is more variety of
traffic on your network) when it runs and dumps its state to a file,
so if you have the frequency too high then that could cause problems.
The default is pretty low frequency though.

For improved efficiency, you can also use a fixed threshold rather
than one of the threshold adapting modes. After you have observed
Spade's output for a while and if your network does not change its
characteristics too often, you can probably figure out a good
threshold to use.

Hope this helps,
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland at ...47... *|
|* http://www.silicondefense.com/ *|
|* Silicon Defense - Technical Support for Snort *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|