Snort with OpenVPN Client uses 100% CPU
-
Hi,
first of all, many thanks to bmeeks and the other IDS/IPS contributors. I'm just getting started with Snort and the package works great so far.
One thing I noticed while testing my new setup is that Snort seems to use 100% CPU when I transfer something big to my home while connected via VPN client. This is during a 15 MB/s transfer via WAN1:

last pid: 74009; load averages: 1.96, 1.17, 0.57 up 0+21:02:28 13:02:53
214 processes: 12 running, 138 sleeping, 64 waiting
CPU: 18.1% user, 0.0% nice, 2.9% system, 4.7% interrupt, 74.3% idle
Mem: 127M Active, 1265M Inact, 330M Wired, 356K Cache, 419M Buf, 6146M Free
Swap: 16G Total, 16G Free

PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND
84804 root 103 0 1190M 628M CPU7 7 13:31 100.00% /usr/local/bin/snort -R 28436 -D -q --suppress-config-log -l /var/log/snort/snort_igb128436 --p
11 root 155 ki31 0K 128K CPU0 0 19.6H 91.89% [idle{idle: cpu0}]
11 root 155 ki31 0K 128K CPU4 4 19.9H 89.06% [idle{idle: cpu4}]
11 root 155 ki31 0K 128K RUN 6 19.8H 83.69% [idle{idle: cpu6}]
11 root 155 ki31 0K 128K CPU2 2 20.0H 80.96% [idle{idle: cpu2}]
11 root 155 ki31 0K 128K CPU5 5 19.8H 78.56% [idle{idle: cpu5}]
11 root 155 ki31 0K 128K RUN 3 20.4H 76.27% [idle{idle: cpu3}]
22391 root 91 0 21728K 5788K CPU6 6 6:10 67.29% /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
11 root 155 ki31 0K 128K RUN 1 19.8H 63.67% [idle{idle: cpu1}]
11 root 155 ki31 0K 128K RUN 7 19.8H 53.17% [idle{idle: cpu7}]
I have a MultiWAN with 200Mbit and 50 Mbit WANs, and even when using the slower 50Mbit WAN OpenVPN takes 100% on one core.
The OpenVPN Server is UDP on a random high port, not 1194. It's listening on 127.0.0.1 and uses Port Forwards as suggested in the Wiki for MultiWAN. AES-NI support is off. Snort is configured to only log and I have turned on nearly every preprocessor as suggested in the setup guide (OpenAppID is on, too). I am using it on the WAN interfaces and not on LAN. It uses the free feeds from Snort (with free OINK code, set to Security) and the Emerging List (turned on most of the rules). I know this might be too much, but a 200 Mbit HTTP download from my LAN makes Snort use 37% on one core, so it seems to be OK for now. I also use a small suppress list found in the forum.
Anyone else seeing this?
-
As I know and trust most of my OpenVPN client IPs, I think it could be a good idea to just ignore them completely.
It seems to be a good idea to do this via config bpf_file as described here:
https://netsecsupport.wordpress.com/2014/07/14/snort-ignore-traffic-with-a-bpf/
I did not find a GUI option for this, I guess I need to implement this manually with my own file and the "Advanced configuration pass-through" option?
-
Using the ADVANCED PASS-THROUGH option would be the mechanism for using that config directive. You will find that on the INTERFACE SETTINGS tab for the specific interface.
Bill
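Putting the two pieces of this thread together (the config bpf_file directive from the question and the Advanced pass-through Bill points to), here is an added helper that is not from the Snort package or from anyone in the thread: it builds a BPF expression that skips only the OpenVPN UDP tunnel packets of the trusted clients, checks the inputs, and emits the pass-through line. The VPN port, client addresses and the BPF file path are placeholder assumptions to replace with your own; the port is assumed to be the one Snort actually sees on the WAN capture.

```python
"""Generate the BPF exclusion Snort loads via 'config bpf_file'.

Added example, not the pfSense Snort package's own code. Port, client
addresses and bpf file path below are placeholders (assumptions).
"""
import ipaddress
from pathlib import Path


def build_bpf_filter(vpn_port: int, trusted_clients: list[str]) -> str:
    """Return a BPF expression that drops trusted clients' OpenVPN UDP
    flows from Snort's capture while everything else stays inspected.

    Raises ValueError on an out-of-range port or a malformed address.
    """
    if not 1 <= vpn_port <= 65535:
        raise ValueError(f"port out of range: {vpn_port}")
    if not trusted_clients:
        raise ValueError("at least one trusted client address is required")
    hosts = []
    for client in trusted_clients:
        # ip_network validates the address; a bare address becomes a /32
        net = ipaddress.ip_network(client, strict=False)
        if net.num_addresses == 1:
            hosts.append(f"host {net.network_address}")
        else:
            hosts.append(f"net {net.with_prefixlen}")
    host_clause = " or ".join(hosts)
    # Only the encrypted tunnel packets (UDP on the VPN port) from those
    # clients are excluded; other traffic from the same hosts is still seen.
    return f"not (udp and port {vpn_port} and ({host_clause}))"


def passthrough_directive(bpf_path: str) -> str:
    """The single line to paste into the interface's Advanced pass-through."""
    return f"config bpf_file: {bpf_path}"


def write_bpf_file(path: str, expression: str) -> str:
    """Write the filter to the file the directive points at (one line)."""
    Path(path).write_text(expression + "\n")
    return path


if __name__ == "__main__":
    # Constructed sample values: one single client and one client prefix.
    expr = build_bpf_filter(51820, ["203.0.113.10", "198.51.100.0/24"])
    bpf_path = "/usr/local/etc/snort/openvpn_clients.bpf"  # assumed path
    print(expr)
    print(passthrough_directive(bpf_path))
```

After saving the file on the firewall, the single config line goes into the Advanced configuration pass-through box of the WAN interface(s) Snort runs on, and the interface is restarted for it to take effect.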