[Snort-users] Snort running at 99% CPU

Phil Wood cpw at ...440...
Sun Nov 4 19:12:03 EST 2001


I've seen the mysql server fill up a partition.
As a consequence, snort will hang a read, I guess waiting for the result
of some post.  When this event happens you can watch snort with something
like strace -p pid.  It don't make a move, no how.

On Sun, Nov 04, 2001 at 01:00:08AM -0500, Martin Roesch wrote:
> Ok, if this isn't a FAQ yet it should be.  This happens frequently when
> Snort is setup with MySQL support.  I'm not 100% sure of the reason why
> still, but there is a correlation between 99% CPU utilization on
> Snort+MySQL and Linux.  You might think about trying out barnyard or a
> different database as a solution.
> 
>      -Marty
> 
> Blake Frantz wrote:
> > 
> > Snort is consuming 99% CPU on a:
> > 
> > model name      : Pentium III (Coppermine)
> > stepping        : 10
> > cpu MHz         : 931.013
> > cache size      : 256 KB
> > 
> > MemTotal:      1157752 kB
> > MemFree:       1039896 kB
> > 
> > Version 1.8.1-RELEASE (Build 74)
> > compiled with mysql support.
> > 
> > Sniffing a 100mbit wire, no packets dropping.
> > 
> > I was running snort in the same place with a celeron and the CPU never
> > reached 99% (that was snort 1.8.0 (?) I think).  Same compile options.
> > 
> > Any ideas ?
> > 
> > -Blake
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> --
> Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> roesch at ...1935... - http://www.sourcefire.com  
> Snort: Open Source Network IDS - http://www.snort.org
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw at ...440...





More information about the Snort-users mailing list