Snort mailing list archives
snort 99%cpu..not hanging (fwd)
From: Jonathan <rakocy () cs wisc edu>
Date: Mon, 1 Jul 2002 23:10:53 -0500 (CDT)
I'm reposting in an effort to give more detail of the problem. More like a possible bug report.

Hello,

After long hours of configuring BSD and psql, everything seems to be going good. Wrong, I check top and this is what I see.

  PID USERNAME PRI NICE  SIZE   RES STATE WAIT  TIME    CPU COMMAND
 7433 root      64    0 1608K 2516K run   -     8:23 99.56% snort

OS: OpenBSD 3.0
Computer: P3 500Mhz 512MB ram ide disk

Monitoring with a 1Gbs interface. This goes directly to our gateway. Standard network traffic (ssh, dumps etc) use the 100Mbs interface.

I'm not sure about the database stuff. We use postgresql v7.1.3. We still have not gotten a good method established to view the data from a database. We are trying to convert a script from mysql to psql. The script acts like snortsnarf in grabbing logs and converting it to html, but this would grab from the db instead. We tried to configure ACID but were unsuccessful. We log to a db on another computer.

The problem is steady. Logging to the database has worked fine in the past.. ~30% CPU was the average then, with ruleset updated nightly. When I do tail -f alert, a new alert is written about every 15 seconds. Maybe faster sometimes. Our rule set has worked perfectly with defaults in the past. Also the interface snort monitors has not changed and worked perfectly previously to the upgrade to 1.8.6.

So, I tried commenting all the rules from snort.conf and running snort with -c snort.conf. Same thing with CPU usage. I ruled that out. I looked at running snort with other options for output and saw that the kernel was dropping about 70% of packets.

Is it the preprocessors? var HOME_NET is set to any. I've seen some discussion about explicitly specifying these. I tried doing this like so xyz.abc.0.0/16. No change.

Anyone have any suggestions?

Kind regards,
~Jonathan
CSL