[Snort-users] Snort 1.9.0 taking 100% cpu after a (unknown) while

Andrea Barisani lcars at ...96...
Thu Oct 17 00:37:02 EDT 2002


Hi to all!

I've got the same problem with the asn1_decode preprocessor, is it enabled in
your configuration? If so it's probably the cause of the problem. I've never
had problems with conversation and portscan2.

I'll try to reproduce the traffic that triggered this behaviour and I'll send
a full bug report as soon as I can.

Bye


On Wed, Oct 16, 2002 at 06:51:14PM -0400, Chris Green wrote:
> Max Valdez <max at ...6164...> writes:
> 
> > Hi Snorters.
> >
> > I'm as glad as everybody to see SourceFire in such a success, and still
> > giving their work for the comunity. You're a role model Marty!
> >
> > Well, given said that, I have a little bit of a problem here, I'm
> > experiencing a fully responsive snort taking 100% of the cpu, I'm about
> > to test if the fully responsive part is true the next time i see snort
> > at 100%.
> >
> > I dont have any background data to get an idea of why snort is doing
> > that, but i has happend like 3 times since the new version announcement.
> >
> > My conf is a snort box with mysql enabled, that box runs snort, and
> > another one logging to it too.
> >
> > If I restart snort, it comes to normallity. Any other have saw that
> > behavoir ?
> 
> Try disabling portscan2 and conversation and seeing if this does it.
> These are the components that aren't really that well tested as of yet.
> 
> If it still occurs, try a different output subsystem :)
> 
> Cheers,
> Chris
> -- 
> Chris Green <cmg at ...1935...>
> Warning: time of day goes back, taking countermeasures.
> 
------------------------------------------------------------
INFIS Network Administrator & Security Officer         .*. 
Department of Physics       - University of Trieste    /V\
lcars at ...96... - PGP Key 0x8E21FE82      (/ \)
----------------------------------------------------  (   )
"How would you know I'm mad?" said Alice.             ^^-^^
"You must be,'said the Cat,'or you wouldn't have come here."
------------------------------------------------------------




More information about the Snort-users mailing list