Snort 2.9.5.6 pkg v3.0.4 Update – Release notes and change log
-
The pasting of the error didn't come out right. I added spaces to see if it wouldn't try to convert it to an emoticon.
There were error(s) loading the rules: pfctl: DIOCADDRULE: Device busy - The line in question reads [ 0 ] :
Your theory is sound. It pulls rules daily from iblocklist.com, so it's possible that one of the lists messed something up. Shouldn't I get that though when it reloads the rules? Let's say I make FW rule changes etc. and that provokes a reload, or when I update my manual list in pfBlocker it always reloads them, and I never get the error. I noticed it with the recent reboots only.
Anyhow.. I was not intending to derail the topic.. I appreciate the insight.
-
The last few builds of Snort I've installed have had some real issues with CPU usage on my machines. Has anyone else seen Snort burn 100% of a CPU core, per instance, even when idle?
This always happens on startup of Snort for the first 30 seconds or so, but after that it should settle down. Right now Snort has been disabled on all 3 of my boxes (1 at home, 2 at work); it runs my CPUs at 100% all the time and I end up with poor throughput as a result.
-
The last few builds of Snort I've installed have had some real issues with CPU usage on my machines. Has anyone else seen Snort burn 100% of a CPU core, per instance, even when idle?
This always happens on startup of Snort for the first 30 seconds or so, but after that it should settle down. Right now Snort has been disabled on all 3 of my boxes (1 at home, 2 at work); it runs my CPUs at 100% all the time and I end up with poor throughput as a result.
Using 100% of a CPU is definitely not right. Check and make sure you have only one instance of Snort per interface it's enabled on using this command –
ps -ax | grep snort
Assuming you do not have Barnyard2 enabled, you should see exactly one Snort process per interface. Each will have a UUID along with the physical interface name in the command-line arguments. If you have Barnyard2 enabled, you will also see one Barnyard2 process per interface.
If the command above shows the correct number of interfaces, then I would start disabling some rules to see if maybe one is consuming CPU time. You can also enable the Preprocessor Stats on the Preprocessors tab. This will give you statistics for all the preprocessors and may help identify a problem area.
Bill
-
The last few builds of Snort I've installed have had some real issues with CPU usage on my machines. Has anyone else seen Snort burn 100% of a CPU core, per instance, even when idle?
This always happens on startup of Snort for the first 30 seconds or so, but after that it should settle down. Right now Snort has been disabled on all 3 of my boxes (1 at home, 2 at work); it runs my CPUs at 100% all the time and I end up with poor throughput as a result.
Using 100% of a CPU is definitely not right. Check and make sure you have only one instance of Snort per interface it's enabled on using this command –
ps -ax | grep snort
Assuming you do not have Barnyard2 enabled, you should see exactly one Snort process per interface. Each will have a UUID along with the physical interface name in the command-line arguments. If you have Barnyard2 enabled, you will also see one Barnyard2 process per interface.
If the command above shows the correct number of interfaces, then I would start disabling some rules to see if maybe one is consuming CPU time. You can also enable the Preprocessor Stats on the Preprocessors tab. This will give you statistics for all the preprocessors and may help identify a problem area.
Bill
Barnyard2 is off and I do have one process per interface. I'll try enabling stats and see if that tells me what it's doing.
EDIT: Question. Where exactly would I find the stats it's collecting?
-
I have been noticing memory increasing at times also. CPU usage has usually been fairly low though.
Looks like I had two dead Snort processes on my box. Those are both on my WAN interface.
ps -ax | grep snort
30859 ?? SNs 7:06.60 /usr/pbi/snort-amd64/bin/snort -R 44200 -D -q -l /var/log/snort/snort_bce044200 --pid-path /var/run --nolock-pidfile -G 44200 -c /usr/pbi/s
34575 ?? SNs 6:37.28 /usr/pbi/snort-amd64/bin/snort -R 9739 -D -q -l /var/log/snort/snort_em09739 --pid-path /var/run --nolock-pidfile -G 9739 -c /usr/pbi/snort
47151 ?? Ss 27:02.58 /usr/pbi/snort-amd64/bin/snort -R 44200 -D -q -l /var/log/snort/snort_bce044200 --pid-path /var/run --nolock-pidfile -G 44200 -c /usr/pbi/s
63296 ?? Ss 26:48.10 /usr/pbi/snort-amd64/bin/snort -R 44200 -D -q -l /var/log/snort/snort_bce044200 --pid-path /var/run --nolock-pidfile -G 44200 -c /usr/pbi/s
(After shutting down Snort from the Interface GUI.)
ps -ax | grep snort
47151 ?? Ss 27:04.42 /usr/pbi/snort-amd64/bin/snort -R 44200 -D -q -l /var/log/snort/snort_bce044200 --pid-path /var/run --nolock-pidfile -G 44200 -c /usr/pbi/s
63296 ?? Ss 26:49.93 /usr/pbi/snort-amd64/bin/snort -R 44200 -D -q -l /var/log/snort/snort_bce044200 --pid-path /var/run --nolock-pidfile -G 44200 -c /usr/pbi/s
pkill snort
This killed the two dead processes.
I restarted Snort on the Interface GUI and all seems OK now. Memory down 20-30%.
ps -ax | grep snort
69121 ?? Ss 0:08.67 /usr/pbi/snort-amd64/bin/snort -R 44200 -D -q -l /var/log/snort/snort_bce044200 --pid-path /var/run --nolock-pidfile -G 44200 -c /usr/pbi/s
91224 ?? Ss 0:00.63 /usr/pbi/snort-amd64/bin/snort -R 9739 -D -q -l /var/log/snort/snort_em09739 --pid-path /var/run --nolock-pidfile -G 9739 -c /usr/pbi/snort -
-
Is this on 32/64-bit versions or only on 64-bit?
I haven't had issues at all running 32-bit.
-
Is this on 32/64-bit versions or only on 64-bit?
I haven't had issues at all running 32-bit.
My systems are all 64-bit.
-
Mine is 64-bit. I have a 32-bit at another site that doesn't seem to have this issue.
-
Barnyard2 is off and I do have one process per interface. I'll try enabling stats and see if that tells me what it's doing.
EDIT: Question. Where exactly would I find the stats it's collecting?
There will be a log in /var/log/snort/snort_xxx with the collected information. You can get to it by using Diagnostics…Edit File. Each configured Snort interface has its own uniquely named subdirectory in the /var/log/snort directory. The physical interface name is part of the directory name, so that should make it easier to find.
Bill
-
I too am seeing higher CPU (see attached RRD image): 64-bit 2.1.1, Atom D525 and 4G RAM. Seems I get a spike of 100% anytime I hit 5Mbps on the cable modem, and it's worse the worse the cable modem latency gets (been dealing with the modem dropping to 1 channel for more than a year). I also upgraded to Snort's subscriber rules running the balanced policy.
-
Think I found another bug. I have 2 sensors for my WAN, one for blocking and another just for alerting. I've disabled my alerting interface but it still starts when the service/router is restarted. If I re-save the disabled sensor, it brings it down.
-
Think I found another bug. I have 2 sensors for my WAN, one for blocking and another just for alerting. I've disabled my alerting interface but it still starts when the service/router is restarted. If I re-save the disabled sensor, it brings it down.
I think I know what the problem is and will fix it in the next release. I have the new 2.9.6.0 package almost ready. Thanks for the bug report.
Bill