[Snort-users] CPU going very high at end of snort processing

bahdko at ...71... bahdko at ...71...
Tue Oct 18 17:45:00 EDT 2005

Hi all,

I have an application where snort keeps driving my sensor's CPU really high at an odd time. The sensor is linux-based, using CentOS release 4.1 and snort version 2.4.2. 

An instance of snort sniffs the LAN for about 24 hours and writes a binary mode file, I start snort like this:

/usr/local/bin/snort -l /var/log/snort -bD

And then, I stop snort, move the logfile somewhere else, and restart that sniffing instance of snort again. Then, I run a second instance of snort against the binary logfile I moved, having it create the normal directories, like this:

/usr/local/bin/snort -dvCeq -K ascii -r /var/binarylogs/snort.log.1126876613 net -D -l /var/asciilogs/

When I run it this way against a binary file, for most of the duration of the job, it uses some CPU, but not enough to cripple the machine. Maybe 1.6 load average, 1.8. But then, toward the end of the process, the linux machine becomes unresponsive. Of the two sensors I have like this, the 1000mhz one recovers and normalizes when the process is done, but the 500mhz one may or may not come back up for air and sometimes has to be powercycled, after sitting like that for hours, to get its attention.

Today I tried running it nice'd down to 19. It seemed to use a little less CPU during the normal part of the processing, but then at the end it still did it. I managed to get in a w and eventually the machine responded with the load average, and I saw this:

load average: 25.20, 12.71, 5.74 

Does anyone have any suggestions or insight into what's happening here and maybe what I can do to make it not do this? Or maybe its a bug?


--Laura Herrmann

More information about the Snort-users mailing list