Snort mailing list archives

CPU going very high at end of snort processing


From: bahdko () erols com
Date: Wed, 19 Oct 2005 03:43:26 +0300

Hi all,


I have an application where snort keeps driving my sensor's CPU really high at an odd time. The sensor is Linux-based, using CentOS release 4.1 and snort version 2.4.2.

An instance of snort sniffs the LAN for about 24 hours and writes a binary mode file. I start snort like this:


/usr/local/bin/snort -l /var/log/snort -bD


And then, I stop snort, move the logfile somewhere else, and restart that sniffing instance of snort again. Then, I run a second instance of snort against the binary logfile I moved, having it create the normal directories, like this:


/usr/local/bin/snort -dvCeq -K ascii -r /var/binarylogs/snort.log.1126876613 net 192.168.0.0/24 -D -l /var/asciilogs/


When I run it this way against a binary file, for most of the duration of the job, it uses some CPU, but not enough to cripple the machine. Maybe 1.6 load average, 1.8. But then, toward the end of the process, the Linux machine becomes unresponsive. Of the two sensors I have like this, the 1000 MHz one recovers and normalizes when the process is done, but the 500 MHz one may or may not come back up for air and sometimes has to be power-cycled, after sitting like that for hours, to get its attention.


Today I tried running it nice'd down to 19. It seemed to use a little less CPU during the normal part of the processing, but then at the end it still did it. I managed to get in a w and eventually the machine responded with the load average, and I saw this:


load average: 25.20, 12.71, 5.74

Does anyone have any suggestions or insight into what's happening here and maybe what I can do to make it not do this? Or maybe it's a bug?


Thanks,


--Laura Herrmann



