[Snort-users] Snort spikes to 100% CPU followed by network latency

Cody Brugh cbrugh at ...11827...
Fri May 23 08:54:50 EDT 2014


Russ,

We did not change anything before this started happening... I did upgrade
snort to the latest version once this happened but it continues to spike
even after upgrading.

This is starting to happen about every 2 or 3 days now... I've had a couple of
times where it fixes itself and snort CPU usage goes down.  Other times it
goes on for a long period and I end up killing the snort process.

I already have the preprocessor sensitive_data commented out, however I do
see this in my disablesid.conf (I used PulledPork to fetch VRT rules).

pcre:fwsam
pcre:MS\d{2}-\d*
pcre:dce_iface

Should I adjust the PCRE stuff maybe?

Thanks!


On Fri, May 23, 2014 at 8:09 AM, Russ Combs (rucombs) <rucombs at ...589...> wrote:

>
>  ------------------------------
> *From:* Cody Brugh [cbrugh at ...11827...]
> *Sent:* Thursday, May 22, 2014 8:13 PM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* [Snort-users] Snort spikes to 100% CPU followed by network
> latency
>
>      Hello,
>
>  We have been running snort in-line for over a year now with no issues in
> terms of latency or CPU usage.  Recently (over the past month) snort will
> all of a sudden spike CPU usage up to 100% and network latency becomes
> really bad, 1000+ms.
>
>  I am really not sure where to start on figuring out what is causing
> this.  I am starting snort so it prints the alerts/drops on the console and
> don't see any specific rule that would be causing this.
>
>  Any advice on this issue?
>
>  * Did you change your Snort version or configuration around the time you
> started seeing the issue?  How frequently does this occur?  And when it
> happens does it resolve itself or do you restart or what?
>
>  You can turn on PPM (config ppm ...) and enable the PPM rules (gid 134).
>  That may catch the problem packet which you can log and examine for clues.
>
>  Without any clues I'd first check for SDF and PCRE.  If you have SDF
> (preprocessor sensitive_data) configured you can try commenting that out.
>  If you have any pcre/O rules (PCRE override) you can try commenting those
> out too.
>
>  Snort OS: CentOS, 64-bit
>
>   o"  )~   Version 2.9.6.1 GRE (Build 56)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 2014 Cisco and/or its affiliates. All rights
> reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.0.0
>            Using PCRE version: 7.8 2008-09-05
>            Using ZLIB version: 1.2.3
>
> DAQ version: 2.0.2
>
>  Thanks!
>
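As an added example (not code from the thread, from PulledPork, or from the Snort project), here are the two checks Russ suggests in runnable form: a snort.conf fragment that turns on PPM so a packet or rule that blows its time budget is logged and raises a gid 134 event, and a shell check that finds rules using the pcre "O" modifier (the "pcre/O" override, which exempts that one expression from the global pcre_match_limit and pcre_match_limit_recursion caps) or an active sensitive_data preprocessor line. Note that the "pcre:" lines in a PulledPork disablesid.conf are PulledPork patterns matched against rule text to pick which SIDs to disable, not Snort pcre rule options, so they are a different thing from the /O rules. The time budgets and the sample rules below are constructed for illustration; the config keywords are the Snort 2.9 "config ppm" options.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Snort 2.9 rule syntax and the
# 'config ppm' keywords documented for 2.9 (max-pkt-time, max-rule-time, ...).
set -eu

# snort.conf fragment enabling Packet Performance Monitoring. A packet that
# takes longer than 100 us is aborted and logged; a rule that exceeds 50 us on
# 5 packets is suspended and logged. Both emit gid 134 events, which live in
# preprocessor.rules. Budgets are illustrative; tune them to the sensor.
ppm_config() {
    cat <<'EOF'
config ppm: max-pkt-time 100, fastpath-expensive-packets, pkt-log
config ppm: max-rule-time 50, threshold 5, suspend-expensive-rules, rule-log log alert
include $PREPROC_RULE_PATH/preprocessor.rules
EOF
}

# Count uncommented rules whose pcre option carries the O modifier, i.e. the
# "pcre/O" override rules that ignore the global pcre match-limit caps.
count_pcre_override() {
    grep -vE '^[[:space:]]*#' "$1" \
        | grep -cE 'pcre:[[:space:]]*!?"/.*/[A-Za-z]*O[A-Za-z]*"' || true
}

# Count active (uncommented) sensitive_data preprocessor lines in a config.
count_sdf() {
    grep -cE '^[[:space:]]*preprocessor[[:space:]]+sensitive_data' "$1" || true
}

# Constructed sample rules: two with the O override (one negated), one plain
# pcre rule, and one commented-out override that must not be counted.
write_sample_rules() {
    cat >"$1" <<'EOF'
alert tcp any any -> any 80 (msg:"EX pcre override"; pcre:"/^GET\s+\/(a+)+$/O"; sid:1000001;)
alert tcp any any -> any 80 (msg:"EX negated override"; pcre:!"/foo(bar)*baz/iO"; sid:1000002;)
alert tcp any any -> any 80 (msg:"EX plain pcre"; pcre:"/^POST\s/i"; sid:1000003;)
# alert tcp any any -> any 80 (msg:"EX commented"; pcre:"/x+/O"; sid:1000004;)
EOF
}

# Constructed sample snort.conf: one live SDF line and one commented out.
write_sample_conf() {
    cat >"$1" <<'EOF'
# preprocessor sensitive_data: alert_threshold 25
preprocessor sensitive_data: alert_threshold 25
config pcre_match_limit: 1500
EOF
}

# Stand-alone demo: scan the constructed files, then print the PPM fragment.
rules=$(mktemp); conf=$(mktemp)
write_sample_rules "$rules"; write_sample_conf "$conf"
echo "rules with pcre /O override: $(count_pcre_override "$rules")"
echo "active sensitive_data lines: $(count_sdf "$conf")"
rm -f "$rules" "$conf"
ppm_config
```

Run the two count functions against the real rule and config directories (for example over `$(ls /etc/snort/rules/*.rules)` and `/etc/snort/snort.conf`) to get the list of candidates to comment out; the PPM fragment goes into snort.conf, after which the pkt-log and rule-log output plus the gid 134 alerts identify which packet or rule is eating the CPU.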