Friends,
I am setting up a new COS v7 server to replace my v6 gear. I noticed that load was now higher, even though the new v7 gear has more processor and memory and isn't doing much of anything yet. Looking through processes, I saw that snort was using almost 40% of CPU. On the v6 machine, it is only 4% of CPU.
Any idea what is going on?
Thanks,
Drew Vonada-Smith
I am setting up a new COS v7 server to replace my v6 gear. I noticed that load was now higher, even though the new v7 gear has more processor and memory and isn't doing much of anything yet. Looking through processes, I saw that snort was using almost 40% of CPU. On the v6 machine, it is only 4% of CPU.
Any idea what is going on?
Thanks,
Drew Vonada-Smith
Share this post:
Responses (5)
-
Accepted Answer
Hey Drew,
Snort is a hard one to determine a "normal" status for. It's very much based upon what it hears, the rulesets it has active and as Nick said your specific hardware build. In my experience you will see a spike when it first loads while it parses all the rules and gets setup and then it should level out. You can run it in the foreground if you want to see what is going on with it. I would use the CLI utility "top" and hit 1 to expand out the CPUs so you can see what is going on each core. It maybe it's loading a single thread and not the rest of them. At the end of the day if the system feel responsive and you see Snort logging alerts and working as expected - this might be your new "normal".
Hope that helps.
Jim -
Accepted Answer
-
Accepted Answer
I have only one interface - it's a simple file server. Snort rules are the ones set by default....20 items checked. This is the same on both systems. The newer board is a lot more powerful, it is a 4 core Pentium, 2 GHz. The older one is about 4 generations older, a Celeron, 1.0 GHz. So even for each core, it should be 2-3x.
There is no activity whatsoever going on at the time...zero traffic I've literally just setup and system and it's sitting idle. 40% seems like an enormous amount of CPU time for any task. This does not seem right. -
Accepted Answer
How many rules do you have enabled on the old and new? On the new do you also have the subscribed rules? There is no point in enabling rules for services you don't expose to the internet.
[edit]
snort is a single threaded app. Is a single core on your new machine more powerful than on the old. It is not a given as some of the new poerw can come from hyperthreading and extra cores.
[/edit] -
Accepted Answer
Might want to see how many interfaces you have snort running on and what the rule set size is like? My Snort is running on 3 interfaces and I have a bunch of rules added - it sits at ~54% so 40% is not too bad. I am not 100% on your scenario from your description but maybe you have some default rules active which are picking up some traffic. Are you seeing much in the logs?
Jim
Please login to post a reply
You will need to be logged in to be able to post a reply. Login using the form on the right or register an account if you are new here.
Register Here »