Snort mailing list archives
Snort 2.0.4 CPU Utilization\Optimization
From: "Mark Ewert" <mewert () ihcis com>
Date: Thu, 20 Nov 2003 14:34:40 -0500
Greetings,
I'm working to optimize Snort on a gigabit Ethernet connection. The
system is a dual 2.8GHz Xeon Dell PowerEdge with a gig of RAM, Phil
Wood's Libpcap 8 library, running Snort 2.0.4. I've pared down the rule
set, eliminating most irrelevant rules for this subnet. I am using a
Cisco Catalyst 4000 series switch to mirror (SPAN) all traffic on the
switch to the dedicated promiscuous Intel e1000 adapter in the Snort
system. The average traffic utilization of the switch is under 15% but
I'm still dropping up to 40% of packets. I'm also using the unified log
and alert output facilities and mudpit to process the logs. Snort is not
doing any other type of logging.
Today I also noticed that Snort is consuming 99.9% of one of the 2.8GHz
processors (I know Snort is not SMP capable yet). My question is: is
that unusual? I'm surprised it's pegging a 2.8GHz processor. Am I using
CPU intensive preprocessors? Any wisdom from fellow Snorters would be
most appreciated. I'm working to compile the latest Intel e1000 driver
now to see if that helps.
Thanks in advance!
M
Here's the output of snort -T against my config file:
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort_eth0/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
http_decode arguments:
Unicode decoding
IIS alternate Unicode decoding
IIS double encoding vuln
Flip backslash to slash
Include additional whitespace separators
Ports to decode http on: 80
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
flush_data_diff_size: 500
Ports: 21 23 25 53 80 110 111 143 513 1433
Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
Self preservation threshold: 500
Self preservation period: 90
Suspend threshold: 1000
Suspend period: 30
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
549 Snort rules read...
549 Option Chains linked into 181 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Rule application order: ->pass->activation->dynamic->alert->log
---------------------------------------------
Mark F. Ewert, Principal Systems Architect
Integrated Healthcare Information Services
www.ihcis.com <http://www.ihcis.com/>
---------------------------------------------------------------------------
This e-mail and the information transmitted within it is intended only
for the recipient(s) to which it is addressed and may contain confidential
and/or privileged material. Any review, retransmission, dissemination or
other use of, or taking of any action in reliance upon, this information
by persons or entities other than the intended recipient is prohibited.
If you received this in error, please send the e-mail back to notify the
sender and delete the message and its contents from any computers and
network systems involved in its receipt. Thank you.
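The question above is which preprocessors are active and how they are sized. The following script is an added example, not part of the original post or of the Snort project: it parses the preprocessor section of a Snort 2.x `snort -T` dump in the line format shown above into a dictionary, so the memcaps, timeouts, reassembly ports and rule counts can be compared across sensors or checked in a script instead of by eye. The sample input is a trimmed copy of the dump in the post; the section and key/value line shapes it relies on are an assumption based only on that dump.

```python
"""Parse the preprocessor section of Snort 2.x `snort -T` output into a dict.

Added example; the line formats below are assumed from the dump in the post.
"""
import re

# Constructed sample: a trimmed copy of the `snort -T` dump shown in the post.
SAMPLE = """\
Initializing rule chains...
http_decode arguments:
Unicode decoding
IIS alternate Unicode decoding
IIS double encoding vuln
Flip backslash to slash
Include additional whitespace separators
Ports to decode http on: 80
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Ports: 21 23 25 53 80 110 111 143 513 1433
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
549 Snort rules read...
549 Option Chains linked into 181 Chain Headers
0 Dynamic rules
"""

# A section starts with "<name> arguments:", "<name> config:" or the
# "No arguments to <name> directive" line that introduces defaults.
SECTION_RE = re.compile(r"^(?:(\w+) (?:arguments|config):|No arguments to (\w+) directive.*)$")
KV_RE = re.compile(r"^([^:]+):\s*(.+)$")
RULES_RE = re.compile(r"^(\d+) Snort rules read")
CHAINS_RE = re.compile(r"^(\d+) Option Chains linked into (\d+) Chain Headers")
DYN_RE = re.compile(r"^(\d+) Dynamic rules")


def _coerce(val):
    """ACTIVE/INACTIVE -> bool; '30 seconds', '8388608 bytes', '111 32771' -> int(s)."""
    if val in ("ACTIVE", "INACTIVE"):
        return val == "ACTIVE"
    tokens = val.split()
    if tokens and tokens[-1] in ("seconds", "bytes"):
        tokens = tokens[:-1]
    if tokens and all(t.isdigit() for t in tokens):
        nums = [int(t) for t in tokens]
        return nums[0] if len(nums) == 1 else nums
    return val


def parse_snort_test_output(text):
    """Return {'preprocessors': {name: {'flags': [...], 'settings': {...}}}, 'rules': {...}}."""
    cfg = {"preprocessors": {}, "rules": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = (m.group(1) or m.group(2)).lower()
            cfg["preprocessors"][section] = {"flags": [], "settings": {}}
            continue
        m = RULES_RE.match(line)
        if m:
            cfg["rules"]["rules_read"] = int(m.group(1))
            section = None  # rule summary ends the preprocessor dump
            continue
        m = CHAINS_RE.match(line)
        if m:
            cfg["rules"]["option_chains"] = int(m.group(1))
            cfg["rules"]["chain_headers"] = int(m.group(2))
            continue
        m = DYN_RE.match(line)
        if m:
            cfg["rules"]["dynamic_rules"] = int(m.group(1))
            continue
        if section is None:
            continue  # banner lines outside any preprocessor section
        m = KV_RE.match(line)
        if m:
            cfg["preprocessors"][section]["settings"][m.group(1).strip()] = _coerce(m.group(2).strip())
        else:
            cfg["preprocessors"][section]["flags"].append(line)  # bare option, e.g. "Unicode decoding"
    return cfg


def inactive_features(cfg):
    """List 'preprocessor: setting' pairs reported INACTIVE, i.e. inspection the sensor skips."""
    return [f"{name}: {key}" for name, pre in cfg["preprocessors"].items()
            for key, val in pre["settings"].items() if val is False]


if __name__ == "__main__":
    parsed = parse_snort_test_output(SAMPLE)
    print("rules:", parsed["rules"])
    for name, pre in parsed["preprocessors"].items():
        print(name, pre["settings"])
    print("inactive:", inactive_features(parsed))
```

Feed it the full dump from a sensor (`snort -T -c snort.conf 2>&1 | python3 parse_snort_t.py`, with a small `sys.stdin.read()` swap for `SAMPLE`) and the `inactive_features` list shows at a glance what stream4 and the decoders are not inspecting, which is the other side of the CPU question: a preprocessor that is off costs nothing but also sees nothing.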