[Snort-users] Snort 2.0.4 CPU Utilization\Optimization

Tim tim at ...10610...
Fri Nov 21 06:11:07 EST 2003

Are you running a motherboard which supports PCI-X, so the throughput of the NIC
can match the bandwidth of your PCI bus?



From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Mark Ewert
Sent: 20 November 2003 19:35
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort 2.0.4 CPU Utilization\Optimization




I'm working to optimize Snort on a gigabit Ethernet connection. The system
is a dual 2.8 GHz Xeon Dell PowerEdge with a gig of RAM, Phil Wood's Libpcap
8 library, running Snort 2.04. I've pared down the rule set, eliminating
most irrelevant rules for this subnet. I am using a Cisco Catalyst 4000
series switch to mirror (SPAN) all traffic on the switch to the dedicated
promiscuous Intel e1000 adapter in the Snort system. The average traffic
utilization of the switch is under 15%, but I'm still dropping up to 40% of
packets. I'm also using the unified log and alert output facilities and
mudpit to process the logs. Snort is not doing any other type of logging.


Today I also noticed that Snort is consuming 99.9% of one of the 2.8 GHz
processors (I know Snort is not SMP capable yet). My question is: is that
unusual? I'm surprised it's pegging a 2.8 GHz processor. Am I using CPU
intensive preprocessors? Any wisdom from fellow Snorters would be most
appreciated. I'm working to compile the latest Intel e1000 driver now to see
if that helps.


Thanks in advance!




Here's the output of Snort -T against my config file:


        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort_eth0/snort.conf

Initializing rule chains...
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
549 Snort rules read...
549 Option Chains linked into 181 Chain Headers
0 Dynamic rules

Rule application order: ->pass->activation->dynamic->alert->log




Mark F. Ewert, Principal Systems Architect

Integrated Healthcare Information Services

www.ihcis.com



This e-mail and the information transmitted within it is intended only for
the recipient(s) to which it is addressed and may contain confidential
and/or privileged material. Any review, retransmission, dissemination or
other use of; or taking of any action in reliance upon this information by
persons or entities other than the intended recipient is prohibited. If you
received this in error, please send the e-mail back to notify the sender and
delete the message and its contents from any computers and network systems
involved in its receipt. Thank you.
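The two questions in this thread, whether the capture bus can keep up with the NIC and whether one 2.8 GHz core being pegged is surprising, are both capacity arithmetic that is easy to get wrong by forgetting frame overhead and small-packet bursts. The script below is an added example, not code from the thread, from Snort or from Phil Wood's libpcap. It takes the link rate, the roughly 15% utilization and the 2.8 GHz clock from the message above; the 500-byte average frame size, the bus peak figures (standard PCI/PCI-X specifications) and the 0.5 bus efficiency factor are assumptions, marked as such in the code.

```python
"""Capacity sanity checks for a single-threaded IDS sensor on a SPAN port.

Added example. Link rate, utilization and CPU clock come from the thread;
bus peak numbers are textbook bus specifications and the efficiency factor
is an assumption, both marked below.
"""

# Line time per frame that carries no payload: 8-byte preamble/SFD plus the
# 12-byte inter-frame gap. It dominates at small frame sizes.
ETH_LINE_OVERHEAD_BYTES = 20

# Theoretical peak bus bandwidth in bytes/s: width (bits) * clock / 8.
# Standard bus specifications, not measurements from the thread.
PCI_BUS_PEAK_BYTES_PER_SEC = {
    "PCI 32-bit/33MHz": 32 * 33_000_000 // 8,      # 132 MB/s
    "PCI 64-bit/66MHz": 64 * 66_000_000 // 8,      # 528 MB/s
    "PCI-X 64-bit/133MHz": 64 * 133_000_000 // 8,  # 1064 MB/s
}


def packets_per_second(link_bps, utilization, avg_frame_bytes):
    """Frames per second a link delivers at the given utilization.

    Per-frame line overhead is included so that a small-packet flood, the
    worst case for a sensor, is estimated correctly.
    """
    bits_per_frame = (avg_frame_bytes + ETH_LINE_OVERHEAD_BYTES) * 8
    return link_bps * utilization / bits_per_frame


def cycles_per_packet_budget(cpu_hz, pps):
    """CPU cycles one core can spend per packet before it falls behind.

    A single-threaded engine that needs more than this per packet lets the
    capture buffer fill, which shows up as libpcap drop counts.
    """
    return cpu_hz / pps


def bus_can_sustain(bus_name, link_bps, utilization=1.0, efficiency=0.5):
    """Whether a bus can carry captured traffic at 'utilization' of line rate.

    PCI does not reach its theoretical peak under sustained DMA; 'efficiency'
    is an assumed usable fraction (0.5 is a conservative placeholder, not a
    measured value). Checking at utilization=1.0 covers traffic bursts, which
    is what matters even when the average load is low.
    """
    needed_bytes_per_sec = link_bps * utilization / 8
    return PCI_BUS_PEAK_BYTES_PER_SEC[bus_name] * efficiency >= needed_bytes_per_sec


def sensor_report(link_bps=1_000_000_000, utilization=0.15,
                  avg_frame_bytes=500, cpu_hz=2_800_000_000):
    """Per-packet budget for the average case and for a line-rate 64-byte
    flood. Defaults: gigabit link, 15% utilization and 2.8 GHz from the
    thread; 500-byte average frame is a constructed assumption."""
    avg_pps = packets_per_second(link_bps, utilization, avg_frame_bytes)
    worst_pps = packets_per_second(link_bps, 1.0, 64)
    return {
        "avg_pps": avg_pps,
        "avg_cycles_per_packet": cycles_per_packet_budget(cpu_hz, avg_pps),
        "worst_pps": worst_pps,
        "worst_cycles_per_packet": cycles_per_packet_budget(cpu_hz, worst_pps),
        "bus_ok_at_line_rate": {
            name: bus_can_sustain(name, link_bps)
            for name in PCI_BUS_PEAK_BYTES_PER_SEC
        },
    }


if __name__ == "__main__":
    for key, value in sensor_report().items():
        print(f"{key}: {value}")
```

The worst-case row is the useful one: at line rate with minimum-size frames a gigabit link delivers about 1.49 million frames per second, leaving under 1,900 cycles per packet for decoding, stream4 state lookup and rule matching combined, so a pegged core during a burst is the expected behaviour rather than a sign of misconfiguration. The bus check shows why Tim's PCI-X question matters: a plain 32-bit/33 MHz PCI slot cannot sustain a gigabit burst even though it copes with the 15% average.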
