[Snort-users] Snort spikes to 100% CPU followed by network latency
cbrugh at ...11827...
Fri May 23 08:54:50 EDT 2014
We did not change anything before this started happening... I did upgrade
snort to the latest version once this happened but it continues to spike
even after upgrading.
This is starting to happen about every 2 or 3 days now... I've had a couple
times where it fixes itself and snort CPU usage goes down. Other times it
goes on for a long period and I end up killing the snort process.
I already have the preprocessor sensitive_data commented out, however I do
see this in my disablesid.conf (I used PulledPork to fetch VRT rules).
Should I adjust the PCRE stuff maybe?
On Fri, May 23, 2014 at 8:09 AM, Russ Combs (rucombs) <rucombs at ...589...> wrote:
> *From:* Cody Brugh [cbrugh at ...11827...]
> *Sent:* Thursday, May 22, 2014 8:13 PM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* [Snort-users] Snort spikes to 100% CPU followed by network
> We have been running snort in-line for over a year now with no issues in
> terms of latency or CPU usage. Recently (over the past month) snort will
> all of a sudden spike CPU usage up to 100% and network latency becomes
> really bad, 1000+ms.
> I am really not sure where to start on figuring out what is causing
> this. I am starting snort so it prints the alerts/drops on the console and
> don't see any specific rule that would be causing this.
> Any advice on this issue?
> * Did you change your Snort version or configuration around the time you
> started seeing the issue? How frequently does this occur? And when it
> happens does it resolve itself or do you restart or what?
> You can turn on PPM (config ppm ...) and enable the PPM rules (gid 134).
> That may catch the problem packet which you can log and examine for clues.
> Without any clues I'd first check for SDF and PCRE. If you have SDF
> (preprocessor sensitive_data) configured you can try commenting that out.
> If you have any pcre/O rules (PCRE override) you can try commenting those
> out too.
> Snort OS: CentOS, 64-bit
> o" )~ Version 188.8.131.52 GRE (Build 56)
> '''' By Martin Roesch & The Snort Team:
> Copyright (C) 2014 Cisco and/or its affiliates. All rights
> Copyright (C) 1998-2013 Sourcefire, Inc., et al.
> Using libpcap version 1.0.0
> Using PCRE version: 7.8 2008-09-05
> Using ZLIB version: 1.2.3
> DAQ version: 2.0.2
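The PPM setup Russ suggests, written out as an added snort.conf fragment (not taken from the thread or from the Snort distribution). It assumes a Snort 2.9.x build configured with --enable-ppm (and --enable-perfprofiling for the last line); the microsecond thresholds and counts are illustrative and should be tuned to the sensor's normal traffic.

```snort
# Packet latency: stop inspecting any packet that has already consumed
# 1000 usec (1 ms), pass it on the fast path, and log it so the packet
# can be pulled for examination later.
config ppm: max-pkt-time 1000, \
    fastpath-expensive-packets, \
    pkt-log

# Rule latency: if a rule tree exceeds 500 usec on 5 consecutive packets,
# suspend it for 300 seconds and raise an alert naming the rule, so the
# expensive signature (often a heavy pcre) can be identified and fixed.
config ppm: max-rule-time 500, \
    threshold 5, \
    suspend-expensive-rules, \
    suspend-timeout 300, \
    rule-log alert

# The PPM events are gid 134 (sid 1 packet aborted, sid 2 rule tree
# suspended, sid 3 rule tree re-enabled) and ship in
# preproc_rules/preprocessor.rules; include that file and check that
# those three entries are neither commented out there nor listed in
# PulledPork's disablesid.conf, or nothing will be reported.
include $PREPROC_RULE_PATH/preprocessor.rules

# Optional, requires --enable-perfprofiling: at shutdown print the ten
# rules with the highest average per-check cost, which identifies the
# offender directly if the sensor is restarted after a spike.
config profile_rules: print 10, sort avg_ticks
```

Because the in-line sensor drops traffic while it is stalled, fastpath-expensive-packets trades a small inspection gap on the slow packet for the 1000+ ms latency described above; review the logged packets before deciding whether to keep it enabled permanently.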