Snort mailing list archives
Re: Snort 2.6.1 uses all available processor forever
From: "M. Shirk" <shirkdog_list () hotmail com>
Date: Mon, 20 Nov 2006 12:20:54 -0500
http://permalink.gmane.org/gmane.comp.security.ids.snort.general/26125

Shirkdog
http://www.shirkdog.us
From: "Thomas Munn" <symgryph () gmail com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort 2.6.1 uses all available processor forever
Date: Mon, 20 Nov 2006 11:25:33 -0500

I have read the problems with snort using lots of memory with the new 2.6.x series. However, I have NOT seen where it initially uses LOTS (like the docs say), then uses pretty low (around 6%) and then up to 100% and never down after. I am running on rhel 4.2 64 bit, with 1gb memory.

Here is my snort.conf:
----------------------------------------------------------------------------
#--------------------------------------------------
# http://www.activeworx.org Snort 2.4.3 Ruleset
# IDS Policy Manager Version: 1.8.1 Build(66)
# Current Database Updated -- Dec 13, 2005 2:13 PM
#--------------------------------------------------
#
## Variables
## ---------
#var HOME_NET 10.1.1.0/24
#var HOME_NET $eth0_ADDRESS
var HOME_NET [11.186.179.192/27,11.186.177.128/28]
#var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SSH_PORTS 22
var SNMP_SERVERS $HOME_NET
#var HTTP_PORTS 8081
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [ 64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24 ]
var RULE_PATH /etc/snort/rules/
#
## Preprocessor Support
## --------------------
#preprocessor stream4: disable_evasion_alerts, keepstats binary
#preprocessor stream4_reassemble
preprocessor telnet_decode
preprocessor rpc_decode: 111
preprocessor perfmonitor: pktcnt 10000 file /var/snort/snort.stats time 300 events max flow
preprocessor xlink2state: ports { 25 691 }
#preprocessor frag3_global: max_frags 65536
#preprocessor frag3_engine: policy linux bind_to [10.1.1.12/32,10.1.1.13/32] detect_anomalies
#preprocessor frag3_engine: policy first bind_to 10.2.1.0/24 detect_anomalies
#preprocessor frag3_engine: policy last bind_to 10.3.1.0/24
#preprocessor frag3_engine: policy bsd
preprocessor frag3_engine: policy first detect_anomalies
#preprocessor conversation
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
# preprocessor flow: stats_interval 0 hash 2
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
#
#
## Output Modules
## --------------
output database: log, mysql, dbname=snort user=snort password=blah host=localhost sensor_name=mysensorq_eth1 detail=full
#output database: alert, mysql dbname=snort user=root host=localhost sensor_name=sherlock detail=full
#output log_tcpdump: tcpdump.log
#output log_unified: filename snort.log, limit 128
#
#output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
#output alert_unified: filename snort.alert, limit 128
#
## Custom Rules
## ------------
#ruletype suspicious
#{
# type log
# output log_tcpdump: suspicious.log
#}
#ruletype redalert
#{
# type alert
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort dbname=snort host=localhost
#}
#
## Command Line Options
## --------------------
# config disable_decode_alerts
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config detection: search-method lowmem
config layer2resets: 00:06:76:DD:5F:E3
config flowbits_size: 64
config ignore_ports: tcp 21 6667:6671 1356
config ignore_ports: udp 1:17 53
#
## Custom Lines
## ------------
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor http_inspect_server: server 63.146.177.132 bare_byte no
preprocessor http_inspect_server: server 63.146.178.212 bare_byte no
preprocessor http_inspect_server: server 63.146.177.141 bare_byte no
preprocessor http_inspect_server: server 63.146.178.214 bare_byte no
preprocessor http_inspect_server: server 63.146.178.217 bare_byte no
preprocessor http_inspect_server: server 63.146.178.219 bare_byte no
preprocessor http_inspect_server: server 63.146.177.219 bare_byte no
preprocessor http_inspect_server: server 63.146.179.193 bare_byte no
preprocessor http_inspect_server: server 63.146.179.202 bare_byte no
preprocessor http_inspect_server: server 63.146.179.208 bare_byte no
preprocessor http_inspect_server: server 63.146.179.197 bare_byte no
preprocessor http_inspect_server: server 63.146.179.212 bare_byte no
preprocessor http_inspect_server: server 63.146.179.213 bare_byte no
preprocessor http_inspect_server: server 63.146.179.214 bare_byte no
preprocessor http_inspect_server: server 63.146.179.222 bare_byte no
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test
#
## Include Files
## -------------
include classification.config
include reference.config
#
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
#include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
#include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
#include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
#include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
#include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-custom.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding.rules
#
include threshold.conf

-- 
-----------------------
Two Wheels Good, Four Wheels Bad
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
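Editor's note: the configuration quoted in this thread is the only data posted, so the first useful step is to establish which directives are actually live once comments are dropped. The following is an added example, not code from the thread and not part of Snort itself: a small Python summarizer for the flat var/preprocessor/output/config/include syntax of a Snort 2.x snort.conf. The embedded SAMPLE_CONF is a constructed excerpt in the style of the quoted file (the database password is a placeholder), and resource_notes() only reports settings whose resource trade-offs are documented for Snort 2.x (the lowmem search method, the database output plugin, perfmonitor).

```python
"""Summarize the active directives of a Snort 2.x snort.conf (added example)."""
import posixpath
import re
from collections import Counter

# Constructed excerpt in the style of the snort.conf quoted in the thread.
# The password is a placeholder, not the value from the post.
SAMPLE_CONF = """\
#
## Variables
## ---------
#var HOME_NET 10.1.1.0/24
var HOME_NET [11.186.179.192/27,11.186.177.128/28]
var EXTERNAL_NET any
var RULE_PATH /etc/snort/rules/
preprocessor telnet_decode
preprocessor rpc_decode: 111
preprocessor perfmonitor: pktcnt 10000 file /var/snort/snort.stats time 300 events max flow
preprocessor frag3_engine: policy first detect_anomalies
# preprocessor flow: stats_interval 0 hash 2
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
output database: log, mysql, dbname=snort user=snort password=PLACEHOLDER host=localhost detail=full
config detection: search-method lowmem
config ignore_ports: tcp 21 6667:6671 1356
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } \\
    oversize_dir_length 500
include classification.config
include $RULE_PATH/local.rules
include $RULE_PATH/web-misc.rules
#include $RULE_PATH/shellcode.rules
"""

DIRECTIVE_RE = re.compile(r"^(var|preprocessor|output|config|include)\s+(.*)$")


def logical_lines(text):
    """Yield active lines: comments and blanks dropped, backslash continuations joined."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:  # dangling continuation at end of file
        yield " ".join(buf)


def parse_snort_conf(text):
    """Return (directive, name, args) triples for every active directive."""
    entries = []
    for line in logical_lines(text):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        directive, rest = m.groups()
        if directive in ("preprocessor", "output", "config") and ":" in rest:
            name, args = rest.split(":", 1)      # 'rpc_decode: 111', 'layer2resets: 00:06:...'
        else:
            name, _, args = rest.partition(" ")  # 'HOME_NET any', 'telnet_decode', include paths
        entries.append((directive, name.strip(), args.strip()))
    return entries


def summarize(entries):
    """Resolve $VAR references in include paths and collect the facts worth checking."""
    variables = {n: a for d, n, a in entries if d == "var"}

    def expand(s):
        return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), s)

    summary = {
        "counts": Counter(d for d, _, _ in entries),
        "preprocessors": [n for d, n, _ in entries if d == "preprocessor"],
        "outputs": [(n, a) for d, n, a in entries if d == "output"],
        "rule_files": [posixpath.normpath(expand(n)) for d, n, _ in entries
                       if d == "include" and n.endswith(".rules")],
        "search_method": None,
    }
    for d, n, a in entries:
        if d == "config" and n == "detection":
            m = re.search(r"search-method\s+(\S+)", a)
            summary["search_method"] = m.group(1) if m else None
    return summary


def resource_notes(summary):
    """Settings that commonly matter when a sensor's CPU or memory use is investigated."""
    notes = []
    if summary["search_method"] == "lowmem":
        notes.append("search-method lowmem: chosen for a small memory footprint at the cost of "
                     "pattern-matching throughput (the ac family is faster but uses more RAM)")
    for name, args in summary["outputs"]:
        if name == "database":
            parts = [p.strip() for p in args.split(",")]
            driver = parts[1] if len(parts) > 1 else "?"
            notes.append(f"output database ({parts[0]} via {driver}): events are written on the "
                         "packet path; unified output plus a separate spooler is the usual remedy")
    if "perfmonitor" in summary["preprocessors"]:
        notes.append("perfmonitor is enabled: correlate its stats file with the CPU climb first")
    notes.append(f"{len(summary['rule_files'])} rule files are included")
    return notes


if __name__ == "__main__":
    s = summarize(parse_snort_conf(SAMPLE_CONF))
    print("active preprocessors:", ", ".join(s["preprocessors"]))
    for note in resource_notes(s):
        print("-", note)
```

Run it against a real snort.conf by replacing SAMPLE_CONF with the file's contents; the commented-out flow line and the commented shellcode include in the sample show that only uncommented directives are counted, which is the point of the check.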
Current thread:
- Snort 2.6.1 uses all available processor forever Thomas Munn (Nov 20)
- Re: Snort 2.6.1 uses all available processor forever M. Shirk (Nov 20)