Problem : CPU usage at 100% because of snort

Stiven

53
+0/-0

Problem : CPU usage at 100% because of snort

« on: August 05, 2008, 04:33:32 PM »

Hi,

As you can read in the subject the cpu usage of my sme box is around 100% when snort is running.

Is someone can help me please.

Thanx in advance.

FYI : smeserver-snort-2.7.0.1-1 + smeserver-oinkmaster-1.2-2 + smeserver-guardiand-1.7-4 + smeserver-base-1.2.2-1

Tell me if you need some pieces of log for diagnosys

Logged

cactus

4,880
+3/-0

Re: Problem : CPU usage at 100% because of snort

« Reply #1 on: August 05, 2008, 09:10:39 PM »

Quote from: Stiven on August 05, 2008, 04:33:32 PM

Hi,

As you can read in the subject the cpu usage of my sme box is around 100% when snort is running.

Is someone can help me please.

Thanx in advance.

FYI : smeserver-snort-2.7.0.1-1 + smeserver-oinkmaster-1.2-2 + smeserver-guardiand-1.7-4 + smeserver-base-1.2.2-1

Tell me if you need some pieces of log for diagnosys

100% of processor utilization is not necessarily a bad thing on linux, how long does it stay at 100%, does it also slow down other processes? Linux has a far better prioritization system for processes than windows.

Logged

Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

mmccarn

2,656
+10/-0

Re: Problem : CPU usage at 100% because of snort

« Reply #2 on: August 06, 2008, 03:29:31 PM »

I installed snort once years ago, and found that after a while (weeks or months) the number of files in the snort log folder reached a point where starting snort would generate hours of disk thrashing as it tried to do something with the log files...

I believe this was addressed in the SME snort contrib quite a while ago.

Are you running a SME 'snort' contrib, or have you installed snort manually?

Logged

Stiven

53
+0/-0

Re: Problem : CPU usage at 100% because of snort

« Reply #3 on: August 07, 2008, 03:18:37 PM »

Quote from: cactus on August 05, 2008, 09:10:39 PM

how long does it stay at 100%,

Ever

Quote from: cactus on August 05, 2008, 09:10:39 PM

does it also slow down other processes?

I don't really know but I suppose

Quote from: cactus on August 05, 2008, 09:10:39 PM

Linux has a far better prioritization system for processes than windows.

Yes it has.

Quote from: mmccarn on August 06, 2008, 03:29:31 PM

Are you running a SME 'snort' contrib, or have you installed snort manually?

The answer is in my first post.

Logged

Stiven

53
+0/-0

Re: Problem : CPU usage at 100% because of snort

« Reply #4 on: August 14, 2008, 10:58:36 PM »

UP

Logged

CharlieBrady

6,918
+3/-0

Re: Problem : CPU usage at 100% because of snort

« Reply #5 on: August 14, 2008, 11:53:22 PM »

Quote from: Stiven on August 05, 2008, 04:33:32 PM

As you can read in the subject the cpu usage of my sme box is around 100% when snort is running.

I'd suggest you remove snort, and just use your time ensuring that you don't install insecure software on your server.

Logged

paulfung

38
+0/-0

Re: Problem : CPU usage at 100% because of snort

« Reply #6 on: September 01, 2008, 11:33:43 AM »

check the rule defination auto download by the oinkmaster, it is always teh current version, and when the version change, the rule that does not matchs the snort version you are using will make the server run at 100%.

Check out the script file and point it to the correct version..... I forgot how as it happen so long before.....

Hope this help.

Logged

Best Regards,

Paul T.C.Fung