[Snort-users] CPU usage grow to max

Michael Anderson mca at ...1717...
Wed Jan 30 14:29:06 EST 2002


I modified my HOME_NET to be 1 class B network and restarted.  Snort now fluctuates between 1% and 10% CPU usage.  In addition, when I had 27 networks, I was dropping 57% of my packets, now I'm dropping less than 1%.  Thanks for the hint on the HOME_NET.

-Mike

Michael Anderson wrote:

> My HOME_NET is rather large.  I monitor 27 class C networks.  I am using snort-1.8.2.  I am using the following preprocessors:
> preprocessor frag2
> preprocessor stream4: detect_scans
> preprocessor stream4_reassemble
> preprocessor http_decode: 80 -unicode -cginull
> preprocessor rpc_decode: 111
> preprocessor bo: -nobrute
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 3 portscan.log
>
> I didn't think that identifying 27 separate networks in my HOME_NET would cause problems but maybe it does.  I'm going to play with my HOME_NET and see if this fixes anything.
>
> Thanks,
> Mike
>
> Roman Danyliw wrote:
>
> > What pre-processors are you running?  How is your HOME_NET variable configured?
> >
> > Roman
> >
> > On Wed, 30 Jan 2002 15:40:43 -0600, Michael Anderson <mca at ...1717...> wrote:
> >
> > > I seem to be having the same CPU usage problem.  I even switched my output to
> > > unified alert/log and used barnyard to load into MySQL and I still see 99% CPU
> > > usage on 1 of my 2 CPUs.
> > >
> > > -Mike
> > >
> > > Martin Roesch wrote:
> > >
> > > > The MySQL plugin has been known to do that, Roman might be the guy to
> > > > help you out there.
> > > >
> > > >     -Marty
> > > >
> > > > Alessandro Fiorenzi wrote:
> > > > >
> > > > > > What output modes are you using?
> > > > > >
> > > > > >     -Marty
> > > > >
> > > > > I am using output on mysql, and syslog.
> > > > > with top I have this:
> > > > >
> > > > >   9:01am  up 10 days, 23:17,  1 user,  load average: 0.87, 0.74, 0.55
> > > > > 44 processes: 41 sleeping, 3 running, 0 zombie, 0 stopped
> > > > > CPU0 states: 98.0% user,  1.0% system,  0.0% nice,  0.0% idle
> > > > > CPU1 states:  0.1% user,  0.0% system,  0.0% nice, 99.0% idle
> > > > > Mem:   255152K av,  251832K used,    3320K free,       0K shrd,   29460K buff
> > > > > Swap:  128480K av,    1636K used,  126844K free                  124632K cached
> > > > >
> > > > >   PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
> > > > >  1050 root      16   0  6996 6996  1152 R    99.6  2.7  7426m snort
> > > > > 18693 admin     10   0  1076 1076   864 R     1.9  0.4   0:00 top
> > > > >     1 root       8   0   544  544   472 S     0.0  0.2   0:04 init
> > > > >     2 root       8   0     0    0     0 SW    0.0  0.0   0:00 keventd
> > > > >     3 root       9   0     0    0     0 SW    0.0  0.0   0:03 kswapd
> > > > >     4 root       9   0     0    0     0 SW    0.0  0.0   0:00 kreclaimd
> > > > >     5 root       9   0     0    0     0 SW    0.0  0.0   0:00 bdflush
> > > > >     6 root       9   0     0    0     0 SW    0.0  0.0   0:00 kupdated
> > > > >     7 root      -1 -20     0    0     0 SW<   0.0  0.0   0:00 mdrecoveryd
> > > > >   609 root       9   0   588  588   488 S     0.0  0.2   0:15 syslog
> > > > >
> > > > > and with vmstat I have the following:
> > > > >
> > > > > [admin at ...4731... admin]$ vmstat 1
> > > > >    procs                      memory    swap          io     system         cpu
> > > > >  r  b  w   swpd   free   buff  cache  si  so    bi    bo   in    cs  us  sy  id
> > > > >  1  0  0   1636   3408  29472 124652   0   0     0     0   16     2   1   1   8
> > > > >  1  0  0   1636   3412  29472 124652   0   0     0     0  713   162  37   1  62
> > > > >  1  0  0   1636   3404  29472 124652   0   0     0     0  775   137  42   0  58
> > > > >  0  0  0   1636   3404  29472 124652   0   0     0     0  781   290  38   0  62
> > > > >  1  0  0   1636   3412  29472 124652   0   0     0     0  895   222  38   2  60
> > > > >  1  0  0   1636   3412  29472 124652   0   0     0     0  952    90  46   0  54
> > > > >  0  0  0   1636   3404  29472 124652   0   0     0     0  740   233  34   0  66
> > > > >  1  0  0   1636   3412  29472 124652   0   0     0     4  801   305  36   2  62
> > > > >  0  0  0   1636   3404  29472 124652   0   0     0     1  872   106  44   0  56
> > > > >  1  0  0   1636   3412  29472 124652   0   0     0     0 1142    12  50   0  50
> > > > >  1  0  0   1636   3412  29472 124652   0   0     0     0  991     8  49   1  50
> > > > >  1  0  0   1636   3412  29472 124652   0   0     0     0 1001     8  50   0  50
> > > > >  1  0  0   1636   3412  29472 124652   0   0     0     0  854   194  40   1  58
> > > > >  1  0  0   1636   3412  29472 124652   0   0     0     0  797    88  44   0  56
> > > > >  1  0  0   1636   3412  29472 124652   0   0     0     0  823    82  42   0  58
> > > > >  1  0  0   1636   3412  29472 124652   0   0     0     0  761   256  36   0  64
> > > > >  1  0  0   1636   3404  29472 124652   0   0     0     0  840   225  39   0  61
> > > > >  1  0  0   1636   3412  29472 124652   0   0     0     8  727   297  35   0  65
> > > > >  1  0  0   1636   3412  29472 124652   0   0     0     0 1161    46  49   0  51
> > > > >  1  0  0   1636   3412  29472 124652   0   0     0     0 1066    26  49   0  51
> > > > >
> > > > > So I have no I/O problem but a CPU usage problem; bandwidth is 16Mbit with
> > > > > a usage of 8-12Mbit.
> > > > >
> > > > > > On 1/29/02 12:11 PM, "Alessandro Fiorenzi" <a.iorenzi at ...2470...> wrote:
> > > > > >
> > > > > > > Hi, I have installed a snort sensor on a Pentium III 733MHz to monitor the
> > > > > > > traffic of 3 class C networks, but I always see 100% CPU usage. Is that possible?
> > > > > > > This machine has two processors but snort uses only one processor;
> > > > > > > is there any way to use two processors?
> > > >
> > > > --
> > > > Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
> > > > Sourcefire: Professional Snort Sensor and Management Console appliances
> > > > roesch at ...1935... - http://www.sourcefire.com
> > > > Snort: Open Source Network IDS - http://www.snort.org
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > >
>
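The HOME_NET change is the whole fix in this thread, so here is an added Python example (not code from the thread, from Snort, or from anyone quoted above) showing the trade-off a sensor admin makes when collapsing a long IP list. It takes a Snort 1.8-style `var HOME_NET [net/cidr,net/cidr,...]` line holding a constructed list of 27 class C networks (the 172.16.x.0/24 addresses are made up for the example), collapses it to the smallest CIDR list that matches exactly the same addresses, and then computes the single covering block together with how many addresses that block would treat as HOME_NET even though they were never in the original list. The bracketed IP-list syntax is assumed to be the one the poster used; negated (`!`) entries are deliberately rejected because collapsing them changes their meaning.

```python
"""Collapse a Snort HOME_NET IP list and measure what the collapse costs.

Constructed example, not code from the Snort project or from the thread.
Assumes the Snort 1.8-style syntax  var HOME_NET [net/cidr,net/cidr,...]
"""
import ipaddress
from typing import Dict, List

# Constructed sample: 27 class C networks, like the poster's, scattered
# inside 172.16.0.0/16.  The addresses are made up for this example.
SAMPLE_HOME_NET = "var HOME_NET [" + ",".join(
    [f"172.16.{i}.0/24" for i in range(1, 21)]
    + [f"172.16.{i}.0/24" for i in range(40, 47)]
) + "]"


def parse_home_net(line: str) -> List[ipaddress.IPv4Network]:
    """Parse 'var NAME [a/24,b/24]' or 'var NAME a/16' into IPv4 networks.

    Negated entries (!x) are rejected: collapsing a list that mixes
    included and excluded ranges would silently change what it matches.
    """
    parts = line.split(None, 2)
    if len(parts) != 3 or parts[0] != "var":
        raise ValueError(f"not a snort var line: {line!r}")
    value = parts[2].strip().strip("[]")
    nets = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry.startswith("!"):
            raise ValueError(f"negated entry not supported: {entry}")
        # strict=True refuses host bits set inside the prefix (e.g. 10.0.0.5/24)
        nets.append(ipaddress.IPv4Network(entry, strict=True))
    return nets


def collapse(nets: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Smallest CIDR list covering exactly the same addresses (no overmatch)."""
    return list(ipaddress.collapse_addresses(nets))


def covering_supernet(nets: List[ipaddress.IPv4Network]) -> ipaddress.IPv4Network:
    """Smallest single CIDR block that contains every listed network."""
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    block = ipaddress.IPv4Network(f"{lo}/32")
    while hi not in block:        # widen one bit at a time until it fits
        block = block.supernet()
    return block


def overmatch(nets: List[ipaddress.IPv4Network], block: ipaddress.IPv4Network) -> int:
    """Addresses the single block calls HOME_NET that the exact list does not."""
    return block.num_addresses - sum(n.num_addresses for n in nets)


def snort_var(name: str, nets: List[ipaddress.IPv4Network]) -> str:
    """Render networks back into the snort.conf variable syntax."""
    if len(nets) == 1:
        return f"var {name} {nets[0]}"
    return f"var {name} [" + ",".join(str(n) for n in nets) + "]"


def summarize(line: str) -> Dict[str, object]:
    """Compare the original list, its exact collapse, and one covering block."""
    nets = parse_home_net(line)
    exact = collapse(nets)
    block = covering_supernet(nets)
    return {
        "entries": len(nets),
        "collapsed_entries": len(exact),
        "collapsed": snort_var("HOME_NET", exact),
        "supernet": snort_var("HOME_NET", [block]),
        "supernet_overmatch": overmatch(nets, block),
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_HOME_NET).items():
        print(f"{key}: {val}")
```

For the constructed list the 27 entries collapse to 9 exact entries, while the single covering block is 172.16.0.0/18, which adds 9472 addresses to HOME_NET that were not in the original list; a whole class B, as in the thread, adds even more. Every rule keyed on $HOME_NET then treats those addresses as inside, so check that number before trading list accuracy for CPU.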