PF_RING / DNA + Snort and high CPU utilization

[Scott Finlon <scott.finlon () scranton edu>]

Writing this again, this time as a new thread.

I am in the process of moving Snort from an older box to a new box. Both
are RHEL 6 x64, both with the same NICs.
Old box has dual E5-2609s, an Intel x520 NIC, and 32 GB of RAM. New box has dual E5-2660s, an Intel x520, and 64 GB of 
RAM.

Using the same configurations ln both boxes, I am using PF_RING/DNA to split traffic across CPU cores on the box, and
can verify using PF_RINGs tool that traffic is being split the way it
should be.

I compiled Snort on the new box fresh, but copied the configs over. The
old box CPU is currently sitting around 10%, the new box has the cores
pegged at 99-100%.

At Beenph's request, I disable HT on the new box, but the CPU is still
maxed.

Any other ideas of what might be causing this to happen?

Scott Finlon, CISSP GCIA
-----------------------------------
Information Security Engineer
The University of Scranton
email : scott.finlon () scranton edu<mailto:scott.finlon () scranton edu>
phone : 570-941-6168<tel:570-941-6168>
-----------------------------------

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!