[Snort-users] Snort 2.6.1 uses all available processor forever

Thomas Munn symgryph at ...11827...
Mon Nov 20 11:25:33 EST 2006


I have read the problems with snort using lots of memory with the new
2.6.xseries.  However, I have NOT seen where it initially uses LOTS
(like the
docs say), then uses pretty low (around 6%) and then upto 100% and never
down after.

I am running on rhel 4.2 64 bit, with 1gb memory.  Here is my snort.conf:
----------------------------------------------------------------------------
#--------------------------------------------------
#   http://www.activeworx.org Snort 2.4.3 Ruleset
#     IDS Policy Manager Version: 1.8.1 Build(66)
# Current Database Updated -- Dec 13, 2005 2:13 PM
#--------------------------------------------------
#
## Variables
## ---------
#var HOME_NET 10.1.1.0/24
#var HOME_NET $eth0_ADDRESS
var HOME_NET [11.186.179.192/27,11.186.177.128/28]
#var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SSH_PORTS 22
var SNMP_SERVERS $HOME_NET
#var HTTP_PORTS 8081
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [
64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24
]
var RULE_PATH /etc/snort/rules/
#
## Preprocessor Support
## --------------------
#preprocessor stream4: disable_evasion_alerts, keepstats binary
#preprocessor stream4_reassemble
preprocessor telnet_decode
preprocessor rpc_decode: 111
preprocessor perfmonitor: pktcnt 10000 file /var/snort/snort.stats time 300
events max flow
preprocessor xlink2state: ports { 25 691 }
#preprocessor frag3_global: max_frags 65536
#preprocessor frag3_engine: policy linux bind_to [10.1.1.12/32,10.1.1.13/32]
detect_anomalies
#preprocessor frag3_engine: policy first bind_to 10.2.1.0/24detect_anomalies
#preprocessor frag3_engine: policy last bind_to 10.3.1.0/24
#preprocessor frag3_engine: policy bsd
preprocessor frag3_engine: policy first detect_anomalies
#preprocessor conversation
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
#
preprocessor flow: stats_interval 0 hash 2
preprocessor sfportscan: proto { all }  memcap { 10000000 } sense_level {
low }
#
#
## Output Modules
## --------------
output database: log, mysql, dbname=snort user=snort password=blah
host=localhost sensor_name=mysensorq_eth1 detail=full
#output database: alert, mysql dbname=snort user=root host=localhost
sensor_name=sherlock detail=full
#output log_tcpdump: tcpdump.log
#output log_unified: filename snort.log, limit 128
#
#output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
#output alert_unified: filename snort.alert, limit 128
#
## Custom Rules
## ------------
#ruletype suspicious
#{
# type log
# output log_tcpdump: suspicious.log
#}#ruletype redalert
#{
# type alert
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort dbname=snort host=localhost
#}
#
## Command Line Options
## --------------------
#
config disable_decode_alerts
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config detection: search-method lowmem
config layer2resets: 00:06:76:DD:5F:E3
config flowbits_size: 64
config ignore_ports: tcp 21 6667:6671 1356
config ignore_ports: udp 1:17 53
#
## Custom Lines
## ------------
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080
8180 } oversize_dir_length 500
preprocessor http_inspect_server: server 63.146.177.132 bare_byte no
preprocessor http_inspect_server: server 63.146.178.212 bare_byte no
preprocessor http_inspect_server: server 63.146.177.141 bare_byte no
preprocessor http_inspect_server: server 63.146.178.214 bare_byte no
preprocessor http_inspect_server: server 63.146.178.217 bare_byte no
preprocessor http_inspect_server: server 63.146.178.219 bare_byte no
preprocessor http_inspect_server: server 63.146.177.219 bare_byte no
preprocessor http_inspect_server: server 63.146.179.193 bare_byte no
preprocessor http_inspect_server: server 63.146.179.202 bare_byte no
preprocessor http_inspect_server: server 63.146.179.208 bare_byte no
preprocessor http_inspect_server: server 63.146.179.197 bare_byte no
preprocessor http_inspect_server: server 63.146.179.212 bare_byte no
preprocessor http_inspect_server: server 63.146.179.213 bare_byte no
preprocessor http_inspect_server: server 63.146.179.214 bare_byte no
preprocessor http_inspect_server: server 63.146.179.222 bare_byte no
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test
#
## Include Files
## -------------
include classification.config
include reference.config
#
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rulesinclude $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
#include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
#include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
#include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
#include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
#include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-custom.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/ bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding.rules
#
include threshold.conf







-- 
-----------------------
Two Wheels Good, Four Wheels Bad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20061120/71075b1d/attachment.html>


More information about the Snort-users mailing list