[Snort-users] CPU usage grow to max

Michael Anderson mca at ...1717...
Wed Jan 30 13:38:13 EST 2002


I seem to be having the same CPU usage problem.  I even switched my output to unified alert/log and used barnyard to load into MySQL and I still see 99% CPU usage on 1 of my 2 CPUs.

-Mike

Martin Roesch wrote:

> The MySQL plugin has been known to do that, Roman might be the guy to
> help you out there.
>
>     -Marty
>
> Alessandro Fiorenzi wrote:
> >
> > > What output modes are you using?
> > >
> > >     -Marty
> >
> > I am using output on mysql, and syslog.
> > with top I have this:
> >
> >   9:01am  up 10 days, 23:17,  1 user,  load average: 0.87, 0.74, 0.55
> > 44 processes: 41 sleeping, 3 running, 0 zombie, 0 stopped
> > CPU0 states: 98.0% user,  1.0% system,  0.0% nice,  0.0% idle
> > CPU1 states:  0.1% user,  0.0% system,  0.0% nice, 99.0% idle
> > Mem:   255152K av,  251832K used,    3320K free,       0K shrd,   29460K buff
> > Swap:  128480K av,    1636K used,  126844K free                  124632K cached
> >
> >   PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
> >  1050 root      16   0  6996 6996  1152 R    99.6  2.7  7426m snort
> > 18693 admin     10   0  1076 1076   864 R     1.9  0.4   0:00 top
> >     1 root       8   0   544  544   472 S     0.0  0.2   0:04 init
> >     2 root       8   0     0    0     0 SW    0.0  0.0   0:00 keventd
> >     3 root       9   0     0    0     0 SW    0.0  0.0   0:03 kswapd
> >     4 root       9   0     0    0     0 SW    0.0  0.0   0:00 kreclaimd
> >     5 root       9   0     0    0     0 SW    0.0  0.0   0:00 bdflush
> >     6 root       9   0     0    0     0 SW    0.0  0.0   0:00 kupdated
> >     7 root      -1 -20     0    0     0 SW<   0.0  0.0   0:00 mdrecoveryd
> >   609 root       9   0   588  588   488 S     0.0  0.2   0:15 syslog
> >
> > and with vmstat I have the following:
> >
> > [admin at ...4731... admin]$ vmstat 1
> >    procs                      memory    swap          io     system         cpu
> >  r  b  w   swpd   free   buff  cache  si  so    bi    bo   in    cs  us  sy  id
> >  1  0  0   1636   3408  29472 124652   0   0     0     0   16     2   1   1   8
> >  1  0  0   1636   3412  29472 124652   0   0     0     0  713   162  37   1  62
> >  1  0  0   1636   3404  29472 124652   0   0     0     0  775   137  42   0  58
> >  0  0  0   1636   3404  29472 124652   0   0     0     0  781   290  38   0  62
> >  1  0  0   1636   3412  29472 124652   0   0     0     0  895   222  38   2  60
> >  1  0  0   1636   3412  29472 124652   0   0     0     0  952    90  46   0  54
> >  0  0  0   1636   3404  29472 124652   0   0     0     0  740   233  34   0  66
> >  1  0  0   1636   3412  29472 124652   0   0     0     4  801   305  36   2  62
> >  0  0  0   1636   3404  29472 124652   0   0     0     1  872   106  44   0  56
> >  1  0  0   1636   3412  29472 124652   0   0     0     0 1142    12  50   0  50
> >  1  0  0   1636   3412  29472 124652   0   0     0     0  991     8  49   1  50
> >  1  0  0   1636   3412  29472 124652   0   0     0     0 1001     8  50   0  50
> >  1  0  0   1636   3412  29472 124652   0   0     0     0  854   194  40   1  58
> >  1  0  0   1636   3412  29472 124652   0   0     0     0  797    88  44   0  56
> >  1  0  0   1636   3412  29472 124652   0   0     0     0  823    82  42   0  58
> >  1  0  0   1636   3412  29472 124652   0   0     0     0  761   256  36   0  64
> >  1  0  0   1636   3404  29472 124652   0   0     0     0  840   225  39   0  61
> >  1  0  0   1636   3412  29472 124652   0   0     0     8  727   297  35   0  65
> >  1  0  0   1636   3412  29472 124652   0   0     0     0 1161    46  49   0  51
> >  1  0  0   1636   3412  29472 124652   0   0     0     0 1066    26  49   0  51
> >
> > So I have no I/O problem but a CPU usage problem; bandwidth is 16Mbit with
> > a usage of 8-12Mbit.
> >
> > > Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
> > > Sourcefire: Professional Snort Sensor and Management Console appliances
> > > roesch at ...1935... - http://www.sourcefire.com
> > > Snort: Open Source Network IDS - http://www.snort.org
> > >
> > > On 1/29/02 12:11 PM, "Alessandro Fiorenzi" <a.iorenzi at ...2470...> wrote:
> > >
> > > > Hi, I have installed a snort sensor on a Pentium III 733MHz to monitor 3
> > > > C class traffic, but I see cpu usage 100% every time, is it possible?
> > > > On this machine I have two processors but snort uses only one processor,
> > > > is there any way to use two processors?
>
> --
> Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
> Sourcefire: Professional Snort Sensor and Management Console appliances
> roesch at ...1935... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
>




