Snort GUI slows down after a while - 2.6.0.2.1 and previous version
-
sullrich, I'm loving what you do with snort!!!
But here's a little feedback on something that is causing trouble.
RC3e, snort 2.6.0.2.1, P3-450 256 MB
I've run snort for 2-3 weeks. Lately I've noticed that the Snort GUI (Snort Settings, Update Snort Rules, Snort Rulesets, Snort Blocked, Snort Whitelist, Snort Alerts) all get extremely slow to use if you get a lot of blocked IPs. After a reboot the Snort GUI slows down to a crawl after a couple of minutes. Tried uninstall etc etc. Nothing helped. top shows that php uses 85-99% CPU for minutes. Got another idea - clicked the Clear log button on the Snort Alerts page and then rebooted.
Right after reboot I can see that there are 16 Blocked IPs. Most of them have n/a as Alert Description and the GUI is fast. But as soon as the n/a get replaced with actual descriptions the whole Snort GUI slows down - but it's not as slow as before. To me it seems that only Snort Blocked should slow down, and just a little bit, if I have a lot of blocked IPs. I'm not saying that 16 is a lot, just that it is noticeable on that level already. Could there be a problem with the php scripts?
On my other FW where there are 7-800 blocked IPs continuously (seen in previous versions of snort), I don't dare to click on any of the snort menus any more.
As I've already said, I really love what you're doing. But if you keep adding (yes, yes, yes) features to snort please consider adding some kind of feature/option that allows users who don't have the latest and hottest hardware to keep using snort.
-
When you click "CLEAR" in the Alerts window it restarts both snort2c and snort.
When you click "SAVE" in the settings screen it also restarts snort.
-
I have added checkboxes for any new features that have been added recently.
Honestly deleting hosts from the snort blocked screen should not be slowing down the GUI at all.
Snort settings and clearing the snort alerts screen WILL restart Snort, which will slow down the GUI while it's restarting.
-
Great sullrich, thanks for adding the checkboxes!
I'm afraid I haven't made myself clear about the issue. So I'll make a new attempt.
1. Installed the latest snort about 8-9 hours ago and rebooted
2. After reboot went to Snort_Snort Blocked. 3 blocked IPs appeared at once
3. 15 minutes later I clicked on the tab Snort Blocked to update the list - 20 IPs on the list. Update speed not an issue. 20 is about the max this FW ever has. Left the PC as is
4. Caught some zzz's
5. 8 hours later clicked on the tab Snort Blocked to update the list
6. Snort GUI hangs
7. Clicked on Snort Settings with the intention to "unselect" the show descriptions (show links already unselected). Nothing happens, the tab doesn't show up.
8. The result of the above is that 2 instances of php are running and nothing happens in the GUI.

last pid: 34470; load averages: 3.50, 3.32, 3.20 up 0+09:06:24 08:59:01
60 processes: 4 running, 56 sleeping
CPU states: 96.9% user, 0.0% nice, 0.4% system, 2.7% interrupt, 0.0% idle
Mem: 159M Active, 26M Inact, 30M Wired, 34M Buf, 27M Free
Swap: 512M Total, 512M Free

PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
31346 root 1 132 0 54308K 28004K RUN 29:36 47.75% php
1362 root 1 132 0 53172K 26988K RUN 25:55 46.78% php
635 proxy 1 96 0 8456K 6936K RUN 2:45 0.00% squid
957 root 1 96 0 2404K 1656K RUN 1:48 0.00% top

9. I'll leave it running for a while, but I'm pretty sure it will still hang. Then I'll reboot and try it with all options unchecked. But to me it seems like something's wrong (i.e. not my hardware).
Hoping that will work, which is ok by me. Just wanted to let you know.
-
I cannot reproduce this.
Please provide a ps awwux | grep php output during this time.
-
I cannot reproduce this.
Please provide a ps awwux | grep php output during this time.
I've un-checked all new features. Had to hard-reboot the FW some hours ago because I couldn't connect to the console anymore.
This took about 5-10 seconds earlier.

last pid: 15186; load averages: 3.08, 2.78, 1.68 up 0+03:53:09 23:45:33
62 processes: 3 running, 57 sleeping, 2 stopped
CPU states: 95.7% user, 0.0% nice, 2.7% system, 1.6% interrupt, 0.0% idle
Mem: 146M Active, 12M Inact, 34M Wired, 432K Cache, 34M Buf, 51M Free
Swap: 512M Total, 512M Free

PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
14440 root 1 128 0 49452K 23120K RUN 6:44 47.17% php
10664 root 1 128 0 46852K 20492K RUN 4:30 46.29% php
642 proxy 1 96 0 8456K 6936K select 1:13 0.05% squid
1775 root 1 4 0 1140K 1048K kqread 0:29 0.00% snort2c
1772 root 1 -58 0 84180K 83572K bpf 0:21 0.00% snort

root 14440 46.4 9.4 50172 23844 ?? R 11:33PM 6:59.80 /usr/local/bin/php
root 10664 46.0 8.2 47044 20684 ?? R 10:33PM 4:45.06 /usr/local/bin/php
root 362 0.0 1.8 36632 4512 ?? Is 7:53PM 0:00.07 /usr/local/bin/php
root 367 0.0 1.8 36632 4512 ?? Is 7:53PM 0:00.08 /usr/local/bin/php
root 14470 0.0 1.8 36632 4620 ?? I 11:33PM 0:00.00 /usr/local/bin/php
root 14471 0.0 1.8 36632 4620 ?? I 11:33PM 0:00.00 /usr/local/bin/php
root 15229 0.0 0.4 1512 992 p0 S+ 11:46PM 0:00.01 grep php
-
You are running out of RAM. Insert more RAM?
-
Snort has some performance settings. Did you try low mem already?
-
Snort has some performance settings. Did you try low mem already?
So RAM is the culprit. Didn't understand that.
Don't know much about ..nix I'm afraid.
Just looked at System Overview, which shows about 62% memory usage. Yes, I'm running Performance: lowmem.
Have no more RAM I'm afraid. MB only has 2 slots. Already equipped with 2x128MB and I don't have any 256MB's.
I'll disable some snort rules and maybe uninstall Squid. Thanks for your help and sorry to have taken up your time with such a stupid issue! My bad.
I promise I'll learn all about FreeBSD memory management and status after a short night's sleep, which starts right now (1:30 am) …
-
Maybe remove just one of the "memory hogs". squid and snort both can take a fair amount of RAM.
-
I am having the same issue with PHP using ~100% of CPU cycles while having lots of blocked IP addresses. I am running a P3 533MHz w/ 512MB of RAM. When clicking the snort link within the GUI, CPU usage goes to 100% and stays there until the page is loaded.

ps awwux | grep php:
root 513 0.0 0.9 36612 4588 ?? Is 8:32AM 0:00.09 /usr/local/bin/php
root 518 0.0 0.9 36612 4588 ?? Is 8:32AM 0:00.18 /usr/local/bin/php
root 22772 0.0 0.9 36612 4696 ?? I 1:31PM 0:00.00 /usr/local/bin/php
root 22906 0.0 0.9 36612 4696 ?? I 1:32PM 0:00.00 /usr/local/bin/php
root 22923 0.0 0.9 36612 4696 ?? I 1:32PM 0:00.00 /usr/local/bin/php
root 22963 0.0 0.9 36612 4696 ?? I 1:32PM 0:00.00 /usr/local/bin/php

last pid: 23346; load averages: 1.19, 0.50, 0.29 up 0+05:05:53 13:37:20
35 processes: 3 running, 32 sleeping
CPU states: 94.6% user, 0.4% nice, 4.3% system, 0.8% interrupt, 0.0% idle
Mem: 133M Active, 10M Inact, 28M Wired, 19M Buf, 322M Free
Swap: 1024M Total, 1024M Free
-
If it returns a result after some time that's normal. It tries to use the available CPU power to run the commands to build the pages as fast as it can. Isn't it normal that CPU usage goes up when the CPU is working? ::) At least it is normal when it returns a result after some time (depending on your system power, sooner or later). It's not normal if the process stays at 100% CPU without returning anything after some time, but it doesn't sound like you have that kind of issue, right?
-
It is normal. If you don't want it to associate the blocked alert text with the IP address then disable this feature in the settings page.
-
Woops. This just happened to me! I've hopefully fixed the problem.
Sorry about this!!