[Snort-users] Snort spikes to 100% CPU followed by network latency

Cody Brugh cbrugh at ...11827...
Tue May 27 18:30:03 EDT 2014


I am still having latency/CPU spike issues even after enabling the PPM
configuration. In the logs below, where does it tell me the rule SIG ID
so I can disable the rules that are causing me slowness?

PPM: Rule-Event Pkt[20570] address=0x0x8200f80 re-enabled
PPM: Rule-Event Pkt[20570] suspended ( ->
PPM: Rule-Event Pkt[20570] address=0x0x8200f80 used=52.7766 usecs suspended
PPM: Rule-Event Pkt[30776] address=0x0x3c28fb0 re-enabled
PPM: Rule-Event Pkt[36115] suspended ( ->
PPM: Rule-Event Pkt[36115] address=0x0x3c28fb0 used=54.8616 usecs suspended
PPM: Rule-Event Pkt[47155] address=0x0x8200f80 re-enabled
PPM: Rule-Event Pkt[48185] suspended ( ->
PPM: Rule-Event Pkt[48185] address=0x0x8200f80 used=53.992 usecs suspended
PPM: Rule-Event Pkt[60578] address=0x0x3c28fb0 re-enabled
PPM: Rule-Event Pkt[71509] suspended ( ->
PPM: Rule-Event Pkt[71509] address=0x0x3c28fb0 used=54.4075 usecs suspended
PPM: Rule-Event Pkt[72989] address=0x0x8200f80 re-enabled
PPM: Rule-Event Pkt[76364] suspended ( ->
PPM: Rule-Event Pkt[76364] address=0x0x8200f80 used=76.2302 usecs suspended
PPM: Rule-Event Pkt[77634] suspended ( ->
PPM: Rule-Event Pkt[77634] address=0x0x820c0b0 used=53.126 usecs suspended

On Fri, May 23, 2014 at 8:09 AM, Russ Combs (rucombs) <rucombs at ...589...> wrote:

> From: Cody Brugh [cbrugh at ...11827...]
> Sent: Thursday, May 22, 2014 8:13 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort spikes to 100% CPU followed by network latency
>
> Hello,
> We have been running snort in-line for over a year now with no issues in
> terms of latency or CPU usage.  Recently (over the past month) snort will
> all of a sudden spike CPU usage up to 100% and network latency becomes
> really bad, 1000+ms.
> I am really not sure where to start on figuring out what is causing
> this.  I am starting snort so it prints the alerts/drops on the console and
> don't see any specific rule that would be causing this.
> Any advice on this issue?
> * Did you change your Snort version or configuration around the time you
> started seeing the issue?  How frequently does this occur?  And when it
> happens does it resolve itself or do you restart or what?
> You can turn on PPM (config ppm ...) and enable the PPM rules (gid 134).
> That may catch the problem packet which you can log and examine for clues.
> Without any clues I'd first check for SDF and PCRE.  If you have SDF
> (preprocessor sensitive_data) configured you can try commenting that out.
> If you have any pcre/O rules (PCRE override) you can try commenting those
> out too.
>  Snort OS: CentOS, 64-bit
>   o"  )~   Version GRE (Build 56)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 2014 Cisco and/or its affiliates. All rights
> reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.0.0
>            Using PCRE version: 7.8 2008-09-05
>            Using ZLIB version: 1.2.3
> DAQ version: 2.0.2
>  Thanks!
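Added example, not code from the thread: the PPM lines Cody pasted identify a suspended rule only by its rule-tree address and the packet number, not by SID, so a small parser that aggregates those lines per address shows which rule PPM keeps suspending and how long its worst evaluation took. The sample lines are constructed from the shape of the ones in the post; mapping an address back to a SID still has to be done separately.

```python
import re
from collections import defaultdict

# Constructed sample with the shape of the PPM lines quoted in the post.
SAMPLE_LOG = """\
PPM: Rule-Event Pkt[20570] address=0x0x8200f80 re-enabled
PPM: Rule-Event Pkt[20570] suspended ( ->
PPM: Rule-Event Pkt[20570] address=0x0x8200f80 used=52.7766 usecs suspended
PPM: Rule-Event Pkt[30776] address=0x0x3c28fb0 re-enabled
PPM: Rule-Event Pkt[36115] address=0x0x3c28fb0 used=54.8616 usecs suspended
PPM: Rule-Event Pkt[76364] address=0x0x8200f80 used=76.2302 usecs suspended
PPM: Rule-Event Pkt[77634] address=0x0x820c0b0 used=53.126 usecs suspended
"""

# A "suspended" line carries packet number, rule-tree address and evaluation
# time; a "re-enabled" line carries packet number and address only.
SUSPEND_RE = re.compile(r"PPM: Rule-Event Pkt\[(\d+)\] address=(\S+) "
                        r"used=([0-9.]+) usecs suspended")
REENABLE_RE = re.compile(r"PPM: Rule-Event Pkt\[(\d+)\] address=(\S+) re-enabled")

def normalise_addr(addr):
    # Snort prints the pointer with a doubled "0x" prefix; collapse it so
    # one rule tree always maps to one key.
    while addr.startswith("0x0x"):
        addr = addr[2:]
    return addr

def summarise_ppm(log_text):
    """Per rule address: suspension count, re-enable count, max usecs, packets."""
    stats = defaultdict(lambda: {"suspensions": 0, "reenables": 0,
                                 "max_usecs": 0.0, "packets": []})
    for line in log_text.splitlines():
        if (m := SUSPEND_RE.search(line)):
            s = stats[normalise_addr(m.group(2))]
            s["suspensions"] += 1
            s["max_usecs"] = max(s["max_usecs"], float(m.group(3)))
            s["packets"].append(int(m.group(1)))
        elif (m := REENABLE_RE.search(line)):
            stats[normalise_addr(m.group(2))]["reenables"] += 1
    return dict(stats)

def worst_rules(log_text):
    """Addresses ordered by suspensions, then by longest single evaluation."""
    return sorted(summarise_ppm(log_text).items(),
                  key=lambda kv: (kv[1]["suspensions"], kv[1]["max_usecs"]),
                  reverse=True)
```

Feed the real PPM log through `worst_rules()` and the address at the top of the list is the rule tree to track down and pull from the ruleset first.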