[Snort-users] snort 99%cpu..not hanging (fwd)

Jonathan rakocy at ...4983...
Mon Jul 1 21:11:56 EDT 2002

I'm reposting in an effort to give more detail of the problem.  More like
a possible bug report.


After long hours of configuring BSD and psql, everything seems to be going
good.  Wrong, I check top and this is what I see. 
7433 root     64   0  1608K 2516K  run  -        8:23    99.56% snort

OS: OpenBSD 3.0

P3 500Mhz 512MB ram ide disk

Monitoring with a 1Gbs interface.  This goes directly to our gateway.
Standard network traffic (ssh, dumps etc) use the 100Mbs interface

Im not sure about the database stuff.  We use postgresql v7.1.3. We still
have not gotten a good method established to view the data from a
database.  We are trying to convert a script from mysql to psql.  The
script acts like snortsnarf in grabbing logs and converting it to html,
but this would grab from the db instead.  We tried to configure ACID but
were unsucessful. 

We log to a db on another computer.  The problem is steady.  Logging to
the database has worked fine in the past.. ~30% CPU was the average then,
with ruleset updated nightly.

When I do tail -f alert, a new alert is written about ever 15
seconds.  Maybe faster sometimes.  Our rule set has worked perfectly with
defaults in the past.  Also the interface snort monitors has not changed
and worked perfectly previously  to the upgrade to 1.8.6.

So, I tried commenting all the rules from snort.conf and running snort
with -c snort.conf.  Same thing with CPU usage.  I ruled that out.
I looked at running snort with other options for output and saw that the
kernel was dropping about 70% of packets.  Is it the preprocessors?
var HOME_NET is set to any.  I've seen some discussion about
explicitly specifying these.  I tried doing this like so 
xyz.abc.0.0/16.  No change. 

Anyone have any suggestions?

Kind regards,



More information about the Snort-users mailing list