[Snort-users] Snort 2.0.4 CPU Utilization\Optimization

Mark Ewert mewert at ...10516...
Fri Nov 21 07:04:03 EST 2003


Chad,

It averages 90% user and 10% system. I'm working to pair down the
preprocessors and rules further to see if I can optimize further. I
tried upgrading the Intel E1000 gig adapter driver but it won't compile
on Redhat 9 (numerous problems). 

Thanks for your help!

Mark

---------------------------------------------
Mark F. Ewert, Principal Systems Architect
Integrated Healthcare Information Services
www.ihcis.com


-----Original Message-----
From: Kreimendahl, Chad J [mailto:Chad.Kreimendahl at ...4716...] 
Sent: Thursday, November 20, 2003 4:46 PM
To: Mark Ewert; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort 2.0.4 CPU Utilization\Optimization


How much of that CPU time was kernel and how much was user?  That will
give a very good indication of what part of snort is causing the
consumption.

-----Original Message-----
From: Mark Ewert [mailto:mewert at ...10516...] 
Sent: Thursday, November 20, 2003 1:35 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort 2.0.4 CPU Utilization\Optimization


Greetings,

I'm working to optimize Snort on a gigabit Ethernet connection. The
system is a dual 2.8ghz Xeon Dell PowerEdge with a gig of RAM, Phil
Wood's Libpcap 8 library, running Snort 2.04. I've paired down the rule
set eliminating most irrelevant rules for this subnet. I am using a
Cisco Catalyst 4000 series switch to mirror (SPAN) all traffic on the
switch to the dedicated promiscuous Intel e1000 adapter in the Snort
system. The average traffic utilization of the switch is under 15% but
I'm still dropping up to 40% of packets. I'm also using the unified log
and alert output facilities and mudpit to process the logs. Snort is not
doing any other type of logging.

Today I also noticed that Snort is consuming 99.9% of one of the 2.8ghz
processors (I know Snort is not SMP capable yet). My question is: is
that unusual? I'm surprised it's pegging a 2.8ghz processor. Am I using
CPU intensive preprocessors? Any wisdom from fellow Snorters would be
most appreciated. I'm working to compile the latest Intel e1000 driver
now to see if that helps.

Thanks in advance!

M

Here's the output of Snort -T against my config file:

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort_eth0/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433 
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
549 Snort rules read...
549 Option Chains linked into 181 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->pass->activation->dynamic->alert->log


---------------------------------------------
Mark F. Ewert, Principal Systems Architect
Integrated Healthcare Information Services
www.ihcis.com



This e-mail and the information transmitted within it is intended only
for the recipient(s) to which it is addressed and may contain
confidential and/or privileged material. Any review, retransmission,
dissemination or other use of; or taking of any action in reliance upon
this information by persons or entities other than the intended
recipient is prohibited. If you received this in error, please send the
e-mail back to notify the sender and delete the message and its contents
from any computers and network systems involved in its receipt. Thank
you.
---------------------------------------------------------------------------
This e-mail and the information transmitted within it is intended only
for the recipient(s) to which it is addressed and may contain confidential
and/or privileged material. Any review, retransmission, dissemination or 
other use of; or taking of any action in reliance upon this information
by persons or entities other than the intended recipient is prohibited. 
If you received this in error, please send the e-mail back to notify the
sender and delete the message and its contents from any computers and
network systems involved in its receipt. Thank you.




More information about the Snort-users mailing list