Re: Snort uses 90% of CPU

[Yossi Asayag <yasayag () gmail com>]

hi to all,

the same effect I got after I upgraded the snort versions from 2.8.6.1 to
2.9.1.2.
I also tried to find the reason for it and I'm still looking. I've run also
the two versions parralell on one the machine which runs nothing else than
snort ids. I've analysed the outputs and couldn't find something, that can
point to the reason. Still the snort process of the new version shows using
far more than doppell usage than the snort process of the old version (both
in cpu and mamaory).

I've installed the both version on FreeBSD 8.0 machine.
If someone had the same bad experience and can give us an idea, how it can
be solved, I would be more than grateful.

regards

yoas


2011/12/17 babu dheen <babudheen () yahoo co in>

> Dear All,
>
>
>        In recent past, we are experiencing high CPU usage on one of
> Astaro firewall where Snort -IPS functionality is enabled.  Snort almost
> consumes 90% of the CPU. During such time, we could see only one snort
> instance used to run and could not find name of the signature which causing
> high CPU usage and because of this high cpu usage all TCP connection keep
> getting dropped.  To solve this problem, we had to reboot the Astaro
> firewall device. Would like to know why snort uses high CPU or in which
> situation snort can consume more CPU usage.
>
>        Is there any way to find out which signature consumes more CPU in
> snort during high CPU usage time?******
>
>
> Regards
> **Babu **
>
>
>
> ------------------------------------------------------------------------------
> Learn Windows Azure Live!  Tuesday, Dec 13, 2011
> Microsoft is holding a special Learn Windows Azure training event for
> developers. It will provide a great way to learn Windows Azure and what it
> provides. You can attend the event by watching it streamed LIVE online.
> Learn more at http://p.sf.net/sfu/ms-windowsazure
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Learn Windows Azure Live!  Tuesday, Dec 13, 2011
Microsoft is holding a special Learn Windows Azure training event for 
developers. It will provide a great way to learn Windows Azure and what it 
provides. You can attend the event by watching it streamed LIVE online.  
Learn more at http://p.sf.net/sfu/ms-windowsazure

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!