[Snort-users] Snort spikes to 100% CPU followed by network latency

Russ Combs (rucombs) rucombs at ...589...
Fri May 23 08:09:29 EDT 2014


________________________________
From: Cody Brugh [cbrugh at ...11827...]
Sent: Thursday, May 22, 2014 8:13 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort spikes to 100% CPU followed by network latency

Hello,

We have been running snort in-line for over a year now with no issues in terms of latency or CPU usage.  Recently (over the past month) snort will all of the sudden spike CPU usage up to 100% and network latency becomes real bad, 1000+ms.

I am really not sure where to start on figuring out what is causing this.  I am starting snort so it prints the alerts/drops on the console and don't see any specific rule that would be causing this.

Any advise on this issue?

* Did you change your Snort version or configuration around the time you started seeing the issue?  How frequently does this occur?  And when it happens does it resolve itself or do you restart or what?

You can turn on PPM (config ppm ...) and enable the PPM rules (gid 134).  That may catch the problem packet which you can log and examine for clues.

Without any clues I'd first check for SDF and PCRE.  If you have SDF (preprocessor sensitive_data) configured you can try commenting that out.  If you have any pcre/O rules (PCRE override) you can try commenting those out too.

Snort OS: CentOS, 64-bit

  o"  )~   Version 2.9.6.1 GRE (Build 56)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

DAQ version: 2.0.2

Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140523/7e0d448e/attachment.html>


More information about the Snort-users mailing list