Snort mailing list archives
RE: Snort 2.0.4 CPU Utilization\Optimization
From: "Tim" <tim () otten co uk>
Date: Thu, 20 Nov 2003 21:35:02 -0000
Are you running a motherboard which supports PCI-X so the throughput of the NIC can match the bandwidth of your PCI bus?

_____

From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Mark Ewert
Sent: 20 November 2003 19:35
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort 2.0.4 CPU Utilization\Optimization

Greetings,

I'm working to optimize Snort on a gigabit Ethernet connection. The system is a dual 2.8 GHz Xeon Dell PowerEdge with a gig of RAM, Phil Wood's Libpcap 8 library, running Snort 2.04. I've pared down the rule set, eliminating most irrelevant rules for this subnet. I am using a Cisco Catalyst 4000 series switch to mirror (SPAN) all traffic on the switch to the dedicated promiscuous Intel e1000 adapter in the Snort system. The average traffic utilization of the switch is under 15%, but I'm still dropping up to 40% of packets. I'm also using the unified log and alert output facilities and mudpit to process the logs. Snort is not doing any other type of logging.

Today I also noticed that Snort is consuming 99.9% of one of the 2.8 GHz processors (I know Snort is not SMP capable yet). My question is: is that unusual? I'm surprised it's pegging a 2.8 GHz processor. Am I using CPU intensive preprocessors? Any wisdom from fellow Snorters would be most appreciated. I'm working to compile the latest Intel e1000 driver now to see if that helps.

Thanks in advance!

M

Here's the output of snort -T against my config file:

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort_eth0/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
549 Snort rules read...
549 Option Chains linked into 181 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->pass->activation->dynamic->alert->log

---------------------------------------------
Mark F. Ewert, Principal Systems Architect
Integrated Healthcare Information Services
www.ihcis.com <http://www.ihcis.com/>

_____

This e-mail and the information transmitted within it is intended only for the recipient(s) to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of; or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please send the e-mail back to notify the sender and delete the message and its contents from any computers and network systems involved in its receipt. Thank you.
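The two questions in this exchange, how much of the mirrored traffic is being lost before Snort sees it and whether the host's PCI bus can carry a gigabit NIC at all, can both be checked from the sensor itself. The script below is an added example and is not code from the thread or from the Snort project. It reads the Linux /proc/net/dev receive counters (a real kernel interface; the rx "drop" and "fifo" columns count packets the kernel or NIC ring discarded before any capture library saw them) from two snapshots taken an interval apart, computes the kernel-side drop percentage and offered bit rate, and compares that load with the theoretical peak of a parallel PCI or PCI-X bus (width in bits times clock in MHz, so 32-bit/33 MHz is 1056 Mbit/s and 64-bit/133 MHz PCI-X is 8512 Mbit/s). The snapshots embedded here are constructed sample data chosen to resemble the numbers in the post (about 150 Mbit/s offered, 40% dropped); on a live sensor you would read /proc/net/dev twice instead.

```python
"""Estimate capture-side packet loss on a Snort sensor from /proc/net/dev and
check the host bus budget. Added example, not from the thread or from Snort."""
import re
import time

# /proc/net/dev data line layout (Linux 2.4/2.6):
#   iface: rx_bytes rx_packets rx_errs rx_drop rx_fifo rx_frame rx_compressed rx_multicast
#          tx_bytes tx_packets tx_errs tx_drop tx_fifo tx_colls tx_carrier tx_compressed
_LINE = re.compile(r"^\s*(\S+):\s*(.*)$")

# Constructed snapshots, nominally 10 seconds apart. eth0 receives 187.5 MB
# (150 Mbit/s) in 300000 packets while the kernel discards 200000 more.
SNAP_BEFORE = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   123456    1000    0    0    0     0          0         0   123456    1000    0    0    0     0       0          0
  eth0: 1000000000 1000000    0    0    0     0          0         0   500000  4000    0    0    0     0       0          0
"""
SNAP_AFTER = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   123456    1000    0    0    0     0          0         0   123456    1000    0    0    0     0       0          0
  eth0: 1187500000 1300000    0 150000 50000     0          0         0   500000  4000    0    0    0     0       0          0
"""


def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, rx_packets, rx_drop, rx_fifo)} from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # the two header lines carry no "iface:" prefix
        fields = m.group(2).split()
        if len(fields) < 16:
            continue  # not a complete counter line
        rx_bytes, rx_packets, _rx_errs, rx_drop, rx_fifo = (int(x) for x in fields[:5])
        stats[m.group(1)] = (rx_bytes, rx_packets, rx_drop, rx_fifo)
    return stats


def capture_report(before, after, iface, interval_s):
    """Delta between two snapshots: packets delivered, packets the kernel/NIC
    discarded (drop + fifo), discard percentage of the offered load, and Mbit/s."""
    b = parse_proc_net_dev(before)[iface]
    a = parse_proc_net_dev(after)[iface]
    d_bytes, d_pkts = a[0] - b[0], a[1] - b[1]
    d_drop = (a[2] - b[2]) + (a[3] - b[3])
    offered = d_pkts + d_drop
    drop_pct = 100.0 * d_drop / offered if offered else 0.0
    mbps = d_bytes * 8 / interval_s / 1e6
    return {"packets": d_pkts, "dropped": d_drop,
            "drop_pct": round(drop_pct, 2), "mbps": round(mbps, 1)}


def pci_bus_mbps(width_bits, clock_mhz):
    """Theoretical peak of a parallel PCI/PCI-X bus: width x clock (Mbit/s)."""
    return width_bits * clock_mhz


def bus_headroom(mbps_observed, width_bits, clock_mhz, line_rate_mbps=1000):
    """Observed load as a share of the bus peak, and how many times the NIC's
    line rate fits into that peak. The bus is shared with every other device on
    it, so a margin close to 1.0 means one gigabit NIC alone can saturate it."""
    peak = pci_bus_mbps(width_bits, clock_mhz)
    return {"bus_peak_mbps": peak,
            "utilization_pct": round(100.0 * mbps_observed / peak, 1),
            "line_rate_margin": round(peak / line_rate_mbps, 2)}


def sample_live(iface, interval_s=10):
    """Take two real snapshots on a Linux host (not used by the offline demo)."""
    with open("/proc/net/dev") as f:
        before = f.read()
    time.sleep(interval_s)
    with open("/proc/net/dev") as f:
        after = f.read()
    return capture_report(before, after, iface, interval_s)


if __name__ == "__main__":
    rep = capture_report(SNAP_BEFORE, SNAP_AFTER, "eth0", 10)
    print("capture:", rep)
    for width, clock in ((32, 33), (64, 66), (64, 133)):
        print(f"{width}-bit/{clock} MHz:", bus_headroom(rep["mbps"], width, clock))
```

If the kernel counters already show a large drop share, the loss is happening in the NIC ring or the driver before libpcap and Snort get involved, and rule tuning will not recover it; a low kernel-side figure alongside a high figure in Snort's own exit statistics points instead at the user-space pipeline. The bus margin for 32-bit/33 MHz PCI comes out at about 1.06, which is why a gigabit adapter on legacy PCI is a problem in itself even at 15% link utilization.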
Current thread:
- Snort 2.0.4 CPU Utilization\Optimization Mark Ewert (Nov 20)
- Re: Snort 2.0.4 CPU Utilization\Optimization Edin Dizdarevic (Nov 21)
- Re: Snort 2.0.4 CPU Utilization\Optimization Edin Dizdarevic (Nov 21)
- Re: Snort 2.0.4 CPU Utilization\Optimization Matt Kettler (Nov 21)
- Re: Snort 2.0.4 CPU Utilization\Optimization Edin Dizdarevic (Nov 21)
- RE: Snort 2.0.4 CPU Utilization\Optimization Tim (Nov 21)
- <Possible follow-ups>
- RE: Snort 2.0.4 CPU Utilization\Optimization Mark Ewert (Nov 20)
- RE: Snort 2.0.4 CPU Utilization\Optimization Kreimendahl, Chad J (Nov 20)
- RE: Snort 2.0.4 CPU Utilization\Optimization Mark Ewert (Nov 21)
- RE: Snort 2.0.4 CPU Utilization\Optimization Mark Ewert (Nov 21)
- RE: Snort 2.0.4 CPU Utilization\Optimization Kreimendahl, Chad J (Nov 21)
- Re: Snort 2.0.4 CPU Utilization\Optimization Jason Haar (Nov 21)
- Re: Snort 2.0.4 CPU Utilization\Optimization Edin Dizdarevic (Nov 21)