[Snort-users] snort 99%cpu..not hanging (fwd)
rakocy at ...4983...
Mon Jul 1 21:11:56 EDT 2002
I'm reposting in an effort to give more detail of the problem. More like
a possible bug report.
After long hours of configuring BSD and psql, everything seems to be going
well. Wrong; I check top and this is what I see.
PID USERNAME PRI NICE SIZE RES STATE WAIT TIME CPU COMMAND
7433 root 64 0 1608K 2516K run - 8:23 99.56% snort
OS: OpenBSD 3.0
P3 500 MHz, 512 MB RAM, IDE disk
Monitoring with a 1 Gb/s interface. This goes directly to our gateway.
Standard network traffic (ssh, dumps etc.) uses the 100 Mb/s interface.
I'm not sure about the database stuff. We use postgresql v7.1.3. We still
have not gotten a good method established to view the data from a
database. We are trying to convert a script from mysql to psql. The
script acts like snortsnarf in grabbing logs and converting it to html,
but this would grab from the db instead. We tried to configure ACID, but
we log to a db on another computer. The problem is steady. Logging to
the database has worked fine in the past. ~30% CPU was the average then,
with the ruleset updated nightly.
When I do tail -f alert, a new alert is written about every 15
seconds. Maybe faster sometimes. Our rule set has worked perfectly with
defaults in the past. Also the interface snort monitors has not changed
and worked perfectly prior to the upgrade to 1.8.6.
So, I tried commenting all the rules from snort.conf and running snort
with -c snort.conf. Same thing with CPU usage. I ruled that out.
I looked at running snort with other options for output and saw that the
kernel was dropping about 70% of packets. Is it the preprocessors?
var HOME_NET is set to any. I've seen some discussion about
explicitly specifying these. I tried doing this like so
xyz.abc.0.0/16. No change.
Anyone have any suggestions?
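As an added example (not part of the original post), a small triage helper for the kind of figures described above: it parses the packet summary Snort prints at exit or on SIGUSR1, recomputes the drop percentage from the raw counts, and flags a capture-side overload, which is what a 70% kernel drop rate with no rules loaded points at. The summary text is constructed here and its layout is assumed from the Snort 1.x era; adjust the regex if your build prints it differently.

```python
import re

# Constructed sample, modelled on the end-of-run / SIGUSR1 summary that
# Snort 1.x prints (layout is an assumption, not copied from the post).
SAMPLE_STATS = """\
===============================================================================
Snort analyzed 2993 out of 10021 packets, dropping 7028(70.133%) packets

Breakdown by protocol:                Action Stats:
    TCP: 2100       (70.164%)         ALERTS: 12
    UDP: 650        (21.717%)         LOGGED: 12
   ICMP: 43         (1.437%)          PASSED: 0
===============================================================================
"""

SUMMARY_RE = re.compile(
    r"Snort analyzed (\d+) out of (\d+) packets, dropping (\d+)\(([\d.]+)%\) packets")
ACTION_RE = re.compile(r"(ALERTS|LOGGED|PASSED):\s*(\d+)")


def parse_snort_stats(text):
    """Return analyzed/received/dropped counts, drop percentage and action counters."""
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("no Snort summary line found")
    analyzed, received, dropped = (int(m.group(i)) for i in (1, 2, 3))
    # Recompute from the raw counts instead of trusting the printed, rounded value.
    drop_pct = 100.0 * dropped / received if received else 0.0
    actions = {name: int(count) for name, count in ACTION_RE.findall(text)}
    return {"analyzed": analyzed, "received": received, "dropped": dropped,
            "drop_pct": drop_pct, "actions": actions}


def triage(stats, drop_threshold=5.0):
    """Classify capture health: drops above the threshold mean the kernel/libpcap
    side cannot keep up, which no ruleset or HOME_NET change will fix."""
    if stats["received"] == 0:
        return "no-traffic"
    if stats["drop_pct"] >= drop_threshold:
        return "capture-overload"
    return "ok"


if __name__ == "__main__":
    s = parse_snort_stats(SAMPLE_STATS)
    print(f"received={s['received']} dropped={s['dropped']} "
          f"({s['drop_pct']:.1f}%) alerts={s['actions']['ALERTS']} -> {triage(s)}")
```

Run it against the summary Snort writes on shutdown; a result of "capture-overload" says to look at the sniffing interface, kernel buffers and host speed before touching rules.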