[Snort-users] CPU usage grow to max

Martin Roesch roesch at ...1935...
Wed Jan 30 12:56:04 EST 2002


The MySQL plugin has been known to do that, Roman might be the guy to
help you out there.

    -Marty

Alessandro Fiorenzi wrote:
> 
> > What output modes are you using?
> >
> >     -Marty
> 
> I am using output on mysql, and syslog.
> with top I have this:
> 
>   9:01am  up 10 days, 23:17,  1 user,  load average: 0.87, 0.74, 0.55
> 44 processes: 41 sleeping, 3 running, 0 zombie, 0 stopped
> CPU0 states: 98.0% user,  1.0% system,  0.0% nice,  0.0% idle
> CPU1 states:  0.1% user,  0.0% system,  0.0% nice, 99.0% idle
> Mem:   255152K av,  251832K used,    3320K free,       0K shrd,   29460K
> buff
> Swap:  128480K av,    1636K used,  126844K free                  124632K
> cached
> 
>   PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
>  1050 root      16   0  6996 6996  1152 R    99.6  2.7  7426m snort
> 18693 admin     10   0  1076 1076   864 R     1.9  0.4   0:00 top
>     1 root       8   0   544  544   472 S     0.0  0.2   0:04 init
>     2 root       8   0     0    0     0 SW    0.0  0.0   0:00 keventd
>     3 root       9   0     0    0     0 SW    0.0  0.0   0:03 kswapd
>     4 root       9   0     0    0     0 SW    0.0  0.0   0:00 kreclaimd
>     5 root       9   0     0    0     0 SW    0.0  0.0   0:00 bdflush
>     6 root       9   0     0    0     0 SW    0.0  0.0   0:00 kupdated
>     7 root      -1 -20     0    0     0 SW<   0.0  0.0   0:00 mdrecoveryd
>   609 root       9   0   588  588   488 S     0.0  0.2   0:15 syslog
> 
> and with vmstat I have the following:
> 
> [admin at ...4731... admin]$ vmstat 1
>    procs                      memory    swap          io     system
>     cpu
>  r  b  w   swpd   free   buff  cache  si  so    bi    bo   in    cs  us
>  sy  id
>  1  0  0   1636   3408  29472 124652   0   0     0     0   16     2   1
>   1   8
>  1  0  0   1636   3412  29472 124652   0   0     0     0  713   162  37
>   1  62
>  1  0  0   1636   3404  29472 124652   0   0     0     0  775   137  42
>   0  58
>  0  0  0   1636   3404  29472 124652   0   0     0     0  781   290  38
>   0  62
>  1  0  0   1636   3412  29472 124652   0   0     0     0  895   222  38
>   2  60
>  1  0  0   1636   3412  29472 124652   0   0     0     0  952    90  46
>   0  54
>  0  0  0   1636   3404  29472 124652   0   0     0     0  740   233  34
>   0  66
>  1  0  0   1636   3412  29472 124652   0   0     0     4  801   305  36
>   2  62
>  0  0  0   1636   3404  29472 124652   0   0     0     1  872   106  44
>   0  56
>  1  0  0   1636   3412  29472 124652   0   0     0     0 1142    12  50
>   0  50
>  1  0  0   1636   3412  29472 124652   0   0     0     0  991     8  49
>   1  50
>  1  0  0   1636   3412  29472 124652   0   0     0     0 1001     8  50
>   0  50
>  1  0  0   1636   3412  29472 124652   0   0     0     0  854   194  40
>   1  58
>  1  0  0   1636   3412  29472 124652   0   0     0     0  797    88  44
>   0  56
>  1  0  0   1636   3412  29472 124652   0   0     0     0  823    82  42
>   0  58
>  1  0  0   1636   3412  29472 124652   0   0     0     0  761   256  36
>   0  64
>  1  0  0   1636   3404  29472 124652   0   0     0     0  840   225  39
>   0  61
>  1  0  0   1636   3412  29472 124652   0   0     0     8  727   297  35
>   0  65
>  1  0  0   1636   3412  29472 124652   0   0     0     0 1161    46  49
>   0  51
>  1  0  0   1636   3412  29472 124652   0   0     0     0 1066    26  49
>   0  51
> 
> So I have no I/O problem but cpu usage problem, bandwith is 16Mbit with
> an usage of 8-12Mbit.
> 
> rtin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
> > Sourcefire: Professional Snort Sensor and Management Console appliances
> > roesch at ...1935... - http://www.sourcefire.com
> > Snort: Open Source Network IDS - http://www.snort.org
> >
> >
> 
> >
> > On 1/29/02 12:11 PM, "Alessandro Fiorenzi" <a.iorenzi at ...2470...> wrote:
> >
> > > Hi, I have installed a snort sensor on a Pentium III 733MHz to monitor 3
> > > C class traffic, but I see everytime cpu usage 100% is it possible?
> > > On this machine I have two processor but snort use only one processor,
> > > is there any way to use two processor?

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org




More information about the Snort-users mailing list