Re: CPU going very high at end of snort processing

[Jason Brvenik <jason.brvenik () sourcefire com>]

bahdko () erols com wrote:

> I have an application where snort keeps driving my sensor's CPU
> really high at an odd time. The sensor is linux-based, using CentOS
> release 4.1 and snort version 2.4.2.

Upgrade to 2.4.3 or disable the bo preprocessor.


[...]

> Today I tried running it nice'd down to 19. It seemed to use a little
> less CPU during the normal part of the processing, but then at the end
> it still did it. I managed to get in a w and eventually the machine
> responded with the load average, and I saw this:
>
>
> load average: 25.20, 12.71, 5.74
>
> Does anyone have any suggestions or insight into what's happening here
> and maybe what I can do to make it not do this? Or maybe its a bug?


That is odd. Some general questions to get more information.

What is you event rate for this time? Is it possible that the snort
process is generating lots of events?

What is output from a kill -USR1 <pidofsnort>

Have you tried running the perfmonitor preprocessor to see what the
performance stats are?

What is the traffic load on the network at that time?

> Thanks,
>
>
> --Laura Herrmann
-- 
Jason Brvenik - Sourcefire
PGP: 89C6 DE77 3B32 FC03 A5AE B5DD 11DF 4C8B 0D8E 3383
Key: http://cerberus.sourcefire.com/~jbrvenik/jason.brvenik.pgp.key


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users