Snort mailing list archives
Re: Snort running at 99% CPU
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 05 Nov 2001 10:20:21 -0500
I think this happens before the disk fills up, I've seen it way to often
for it to be something as simple as that. The best way to "fix" this
problem is to just run Barnyard, but that's just my opinion. :)
-Marty
Phil Wood wrote:
I've seen the mysql server fill up a partition. As a consequence, snort will hang a read, I guess waiting for the result of some post. When this event happens you can watch snort with something like strace -p pid. It don't make a move, no how. On Sun, Nov 04, 2001 at 01:00:08AM -0500, Martin Roesch wrote:Ok, if this isn't a FAQ yet it should be. This happens frequently when Snort is setup with MySQL support. I'm not 100% sure of the reason why still, but there is a correlation between 99% CPU utilization on Snort+MySQL and Linux. You might think about trying out barnyard or a different database as a solution. -Marty Blake Frantz wrote:Snort is consuming 99% CPU on a: model name : Pentium III (Coppermine) stepping : 10 cpu MHz : 931.013 cache size : 256 KB MemTotal: 1157752 kB MemFree: 1039896 kB Version 1.8.1-RELEASE (Build 74) compiled with mysql support. Sniffing a 100mbit wire, no packets dropping. I was running snort in the same place with a celeron and the CPU never reached 99% (that was snort 1.8.0 (?) I think). Same compile options. Any ideas ? -Blake _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users-- Martin Roesch - President, Sourcefire Inc. - (410)552-6999 roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users-- Phil Wood, cpw () lanl gov
-- Martin Roesch - President, Sourcefire Inc. - (410)552-6999 roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort running at 99% CPU Blake Frantz (Nov 03)
- Re: Snort running at 99% CPU Chris Keladis (Nov 03)
- Re: Snort running at 99% CPU Blake Frantz (Nov 03)
- Re: Snort running at 99% CPU Ashley Thomas (Nov 03)
- Re: Snort running at 99% CPU Martin Roesch (Nov 03)
- Re: Snort running at 99% CPU Devdas Bhagat (Nov 03)
- Re: Snort running at 99% CPU Blake Frantz (Nov 04)
- Re: Snort running at 99% CPU Phil Wood (Nov 04)
- Re: Snort running at 99% CPU Martin Roesch (Nov 05)
- Re: Snort running at 99% CPU Devdas Bhagat (Nov 03)
- Re: Snort running at 99% CPU Chris Keladis (Nov 03)