[Snort-users] PF_RING / DNA + Snort and high CPU utilization

Scott Finlon scott.finlon at ...15821...
Thu Jul 18 09:33:29 EDT 2013


On the new box, I originally compiled PF_RING 5.6.1 and Snort 2.9.5, but downgraded to PF_RING 5.5.3 and Snort 2.9.4.6 to match the old box.
They are both the exact same versions of everything now.
I'm talking with Alfredo from NTOP about the issue as well, so once I can determine if it's PF_RING or Snort I'll definitely post back for future reference.

Scott Finlon, CISSP GCIA
-----------------------------------
Information Security Engineer
The University of Scranton
email : scott.finlon at ...15821...
phone : 570-941-6168
-----------------------------------


From: Ward Sladek <wsladekjr at ...125...>
Date: Thursday, July 18, 2013 9:19 AM
To: beenph <beenph at ...11827...>, Scott Finlon <scott.finlon at ...15821...>, "snort-users at ...3204...ts.sourceforge.net" <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] PF_RING / DNA + Snort and high CPU utilization

Also what version of Snort are you using?  And are the versions of Snort the same between the old box and new box?

I noticed Snort was consuming 100% of CPU cores when I moved to 2.9.5.0 and reverted back to 2.9.4.6 (I run PF_RING only, no DNA).


> Date: Wed, 17 Jul 2013 23:07:05 -0400
> From: beenph at ...11827...
> To: scott.finlon at ...15821...
> CC: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] PF_RING / DNA + Snort and high CPU utilization
>
> On Wed, Jul 17, 2013 at 9:38 PM, Scott Finlon <scott.finlon at ...15821...> wrote:
> > Writing this again, this time as a new thread.
> >
> > I am in the process of moving Snort from an older box to a new box. Both
> > are RHEL 6 x64, both with the same NICs.
> > Old box has dual E5-2609s, an Intel x520 NIC, and 32 GB of RAM. New box has
> > dual E5-2660s, an Intel x520, and 64 GB of RAM.
> >
> > Using the same configurations on both boxes, I am using PF_RING/DNA to split
> > traffic across CPU cores on the box, and
> > can verify using PF_RING's tool that traffic is being split the way it
> > should be.
> >
> > I compiled Snort on the new box fresh, but copied the configs over. The
> > old box CPU is currently sitting around 10%, the new box has the cores
> > pegged at 99-100%.
> >
> > At Beenph's request, I disabled HT on the new box, but the CPU is still
> > maxed.
> >
>
> NIC Drivers?
> Kernel version? native compile?
> How do you bind your CPU, which queueing mechanism do you use to
> separate queue etc...
>
> Which process is taking the CPUs?
> -elz
>