snort cpu load high with single file transfer

Forums

Offline

snort cpu load high with single file transfer

Resolved

0 votes

Hi

I have some trouble with snort and download single file (Snort IPS)

When my download exides 60-63 Mbit/s, snort use 100% cpu, and it take a cople of minutes to log in to clearos box (too busy)

Shuting down snort give me 75 Mbit/s transfer rate on same file.

is it possible to configure snort to not monitor single hi speed downloads ?

System:
Core2duo 2.6 gHz
4 GB ram
Intel pro gbit net card

to slow cpu or too little mem ?

In Intrusion Detection and Prevention

Monday, November 24 2014, 10:04 AM

Share this post:

Responses (5)

Accepted Answer

Johnny Brusevold

Offline
Thursday, November 27 2014, 12:37 PM - #Permalink
Resolved

0 votes

After some investigation, I found the problem, It was not only this download, but two more downloads at same time (windows updates).

so I do some more tests to find out how much CPU usage snort consume (% cpu Mbit/s)

All unnecessary prosesses stoped on clearos box.

E4700 @ 2.60GHz = 0.93%cpu Mbit/s (L2 Cache 2M)

E8400 @ 3.00GHz = 0.76%cpu Mbit/s (L2 Cache 6M)
The reply is currently minimized Show
Accepted Answer

Johnny Brusevold

Offline
Monday, November 24 2014, 10:18 PM - #Permalink
Resolved

0 votes

top report 100% on snort when downloading.

Edit:
Wrong picture.
The reply is currently minimized Show
Accepted Answer
Nick Howitt

Offline
Monday, November 24 2014, 10:02 PM - #Permalink
Resolved

0 votes

NIC drivers are OK.

Have a look at "top" when downloading.
The reply is currently minimized Show
Accepted Answer

Johnny Brusevold

Offline
Monday, November 24 2014, 08:29 PM - #Permalink
Resolved

0 votes

[root@gateway ~]# uname -r

2.6.32-431.23.3.v6.x86_64

[root@gateway ~]# lspci -k | grep Eth -A 4

00:19.0 Ethernet controller: Intel Corporation 82567LM-3 Gigabit Network Connection (rev 02)
Subsystem: Gigabyte Technology Co., Ltd Device e000
Kernel driver in use: e1000e
Kernel modules: e1000e

00:1a.0 USB controller: Intel Corporation 82801JD/DO (ICH10 Family) USB UHCI Controller #4 (rev 02)
--
01:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (rev 06)
Subsystem: Intel Corporation PRO/1000 PT Dual Port Server Adapter
Kernel driver in use: e1000e
Kernel modules: e1000e

01:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (rev 06)
Subsystem: Intel Corporation PRO/1000 PT Dual Port Server Adapter
Kernel driver in use: e1000e
Kernel modules: e1000e

02:00.0 IDE interface: JMicron Technology Corp. JMB368 IDE controller
The reply is currently minimized Show
Accepted Answer
Nick Howitt

Offline
Monday, November 24 2014, 07:02 PM - #Permalink
Resolved

0 votes

I would have thought the CPU and RAM should be OK. Can I just check the NIC drivers
lspci -k | grep Eth -A 4 uname -r
Also when downloading, can you monitor resources with "top" and see what is consuming the CPU?
The reply is currently minimized Show