[Snort-users] Snort running at 99% CPU

Martin Roesch roesch at ...1935...
Mon Nov 5 07:17:04 EST 2001


I think this happens before the disk fills up, I've seen it way to often
for it to be something as simple as that.  The best way to "fix" this
problem is to just run Barnyard, but that's just my opinion. :)

     -Marty

Phil Wood wrote:
> 
> I've seen the mysql server fill up a partition.
> As a consequence, snort will hang a read, I guess waiting for the result
> of some post.  When this event happens you can watch snort with something
> like strace -p pid.  It don't make a move, no how.
> 
> On Sun, Nov 04, 2001 at 01:00:08AM -0500, Martin Roesch wrote:
> > Ok, if this isn't a FAQ yet it should be.  This happens frequently when
> > Snort is setup with MySQL support.  I'm not 100% sure of the reason why
> > still, but there is a correlation between 99% CPU utilization on
> > Snort+MySQL and Linux.  You might think about trying out barnyard or a
> > different database as a solution.
> >
> >      -Marty
> >
> > Blake Frantz wrote:
> > >
> > > Snort is consuming 99% CPU on a:
> > >
> > > model name      : Pentium III (Coppermine)
> > > stepping        : 10
> > > cpu MHz         : 931.013
> > > cache size      : 256 KB
> > >
> > > MemTotal:      1157752 kB
> > > MemFree:       1039896 kB
> > >
> > > Version 1.8.1-RELEASE (Build 74)
> > > compiled with mysql support.
> > >
> > > Sniffing a 100mbit wire, no packets dropping.
> > >
> > > I was running snort in the same place with a celeron and the CPU never
> > > reached 99% (that was snort 1.8.0 (?) I think).  Same compile options.
> > >
> > > Any ideas ?
> > >
> > > -Blake
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > --
> > Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> > roesch at ...1935... - http://www.sourcefire.com
> > Snort: Open Source Network IDS - http://www.snort.org
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> --
> Phil Wood, cpw at ...440...

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org




More information about the Snort-users mailing list