Snort services cpu limit

bmeeks · Apr 11, 2025, 12:23 PM

@SpaceXTexnologiya said in Snort services cpu limit:

Hi,
The snort service uses a lot of cpu and this prevents pfsense from running efficiently.
How can I put a cpu limit on the service

Thanks.

The Snort binary offers no options for CPU control. Snort 2.9.x used on pfSense is a single-threaded process.

As suggested, trim down your rule set. You don't mention what hardware you are using, but sounds like based on your description that it may not be powerful enough to run Snort with your current configuration.

SpaceXTexnologiya · Apr 11, 2025, 1:00 PM

@bmeeks hi,
thank you for reply,
Could snort service be the cause of pfsense freezing?
my virtualization environment is hyper-v
pfsense running with 10 GB memory and 12 cores

bmeeks · Apr 11, 2025, 1:00 PM

@SpaceXTexnologiya said in Snort services cpu limit:

Could snort service be the cause of pfsense freezing?

I doubt Snort is the cause, but it is extraordinarily easy to test the hypothesis -- simply stop the Snort service for a day or two and see if the "freezing" still occurs. If it does not, then Snort was the likely cause. If "freezing" continues, then Snort is not the cause.

Gblenn

@SpaceXTexnologiya said in Snort services cpu limit:

pfsense running with 10 GB memory and 12 cores

Wow, that is a lot of resources for pfsense! I guess you have quite a lot of traffic then?

I'm also running virtualized but only give my firewall 8 GB RAM and 4 cores (i5 11400). I have been testing on a smaller machine with an i3 n305 and get about the same performance there (around 8 Gbit max), if I pass through the NIC's.
I run Suricata not Snort, which probably shouldn't matter, but I run it in legacy mode...

stephenw10

Right probably the hvevent interrupt storm that some people are reporting. Depending on what pfSense version you're running in which hyper-v version.

SpaceXTexnologiya

@stephenw10
Which version is more stable? For Hyper-V environment

stephenw10

Which pfSense version? As far as know (since I don't run hyper-v) the issue affects anything built on FReeBSD 14 or newer. So that means you'd ned to go back to 2.6 to be unaffected.

SpaceXTexnologiya

@stephenw10 said in Snort services cpu limit:

Which pfSense version? As far as know (since I don't run hyper-v) the issue affects anything built on FReeBSD 14 or newer. So that means you'd ned to go back to 2.6 to be unaffected.

I am using pfsense version 2.7.2 on hyper-v

Gblenn

@SpaceXTexnologiya said in Snort services cpu limit:

@stephenw10
Which version is more stable? For Hyper-V environment

I guess there is the option to use another hypervisor, like Proxmox...

SpaceXTexnologiya

@Gblenn
currently all my environments are in hyper v so I will not be able to experiment on proxmox.
I can't figure out why pfsense is cutting off access but I will focus on finding out

thanks