Netgate Discussion Forum

    Am I asking too much of an SG-3100?

    SFmedia

      I have an SG-3100 at my home office running 2.4.4

      It's running a number of services:

      • pfBlockerNG (devel)
      • Snort (on LAN and DMZ/OPT) with limited Snort Subscriber and ET Open Rulesets (search method is AC-BNFA)
      • ALTQ Traffic Shaping (HFSC on all three interfaces)

      The connection is an asymmetric 200/50.

      I'm almost continuously pegging 100% CPU even when my connection is only in moderate use.

      We have about 30-40 devices/servers/services/clients on the LAN and about 20 services (as unique private IPs) on the DMZ.

      Previous to the SG-3100 I had an old dual-core Celeron box running PFSense. While it seemed CPU was about the same I had a lot more RAM so I could run Snort with alternative search methods.

      Long story short, am I asking too much of the SG-3100?

      Derelict (Netgate)

        It would be helpful to know what is consuming the CPU.

        Diagnostics > System Activity might show interesting data as might top -aSH from the shell. You are looking for high CPU usage on anything except the idle processes.

        SFmedia @Derelict

          @Derelict

          Snort @ ~95% for just 50mbit/s of TCP traffic (rclone operation) at the moment. (this is 95% on one of the cores in the box)

          bmeeks @SFmedia

            @SFmedia said in Am I asking too much of an SG-3100?:

            @Derelict

            Snort @ ~95% for just 50mbit/s of TCP traffic (rclone operation) at the moment. (this is 95% on one of the cores in the box)

            That CPU utilization seems a bit high for just 50 mbits/sec of traffic. Check and make sure that you don't have any duplicate Snort processes running on the box. That can sometimes happen if some things outside of Snort's control happen in rapid succession. Several firewall events trigger a "restart all packages" command from pfSense. If two or more of those "restart all packages" commands happen in very quick succession, or if one happens to be issued while Snort is restarting from a rules update, you can wind up with more than one Snort process running on the same interface.

            Here is how to check if you have that issue. Run this command from a shell prompt on the firewall:

            ps -ax | grep snort
            

            You should see exactly one Snort process per configured Snort interface. If you see any lines that match each other exactly, then you have a duplicate process. To get rid of the duplicate process, either reboot the firewall or perform these steps:

            1. Within the GUI, stop all of your Snort interfaces.

            2. Return to the shell prompt session and repeat the earlier command to list the Snort processes.

            3. If you see any running Snort processes listed, kill them using this command at the shell prompt:

            kill -9 <pid>
            

            where <pid> is the process ID for the running Snort process.

            4. Return to the GUI and restart your Snort interfaces.

            If you had multiple processes, then clearing them out should result in your CPU utilization coming down.

            SFmedia @bmeeks
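The duplicate-process check above, as an added helper script (not part of the Snort package or of the original post): it reads `ps -ax` output, reports any interface with more than one snort daemon, and lists the PIDs bound to an interface so they can be compared with what the GUI has already stopped before anything is killed. The `ps` lines below are constructed samples, not captured from a real firewall.

```shell
#!/bin/sh
# Added helper to spot duplicate Snort daemons in `ps -ax` output.
# Not part of pfSense or the Snort package; the samples are constructed.

# Constructed sample of `ps -ax | grep snort` output: mvneta1 has two daemons.
SAMPLE_DUP='96150  -  RNs  390:10.81 /usr/local/bin/snort -R 3474 -D -q -G 3474 -i mvneta1
96513  -  SNs   10:06.50 /usr/local/bin/snort -R 34922 -D -q -G 34922 -i mvneta0
97001  -  SNs    0:00.10 /usr/local/bin/snort -R 3474 -D -q -G 3474 -i mvneta1
97120  -  S+     0:00.00 grep snort'

# Same layout with exactly one daemon per interface (the healthy case).
SAMPLE_OK='96150  -  RNs  390:10.81 /usr/local/bin/snort -R 3474 -D -q -G 3474 -i mvneta1
96513  -  SNs   10:06.50 /usr/local/bin/snort -R 34922 -D -q -G 34922 -i mvneta0'

# Read ps output on stdin; print each interface that has more than one
# snort daemon attached to it (empty output means no duplicates).
find_duplicate_ifaces() {
  grep '/usr/local/bin/snort ' \
    | sed -n 's/.* -i \([^ ]*\).*/\1/p' \
    | sort | uniq -d
}

# Read ps output on stdin; print the PIDs of every snort daemon bound to
# the interface named in $1, space separated, oldest-listed first.
pids_for_iface() {
  grep '/usr/local/bin/snort ' \
    | grep -- " -i $1\$" \
    | awk '{ printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Wrappers over the constructed samples, used by the demo below.
dup_in_sample() { printf '%s\n' "$SAMPLE_DUP" | find_duplicate_ifaces; }
ok_in_sample()  { printf '%s\n' "$SAMPLE_OK"  | find_duplicate_ifaces; }
dup_pids()      { printf '%s\n' "$SAMPLE_DUP" | pids_for_iface mvneta1; }

# Demo; on a live firewall replace the printf with: ps -ax | find_duplicate_ifaces
echo "duplicated: $(dup_in_sample)"   # duplicated: mvneta1
echo "pids on mvneta1: $(dup_pids)"   # pids on mvneta1: 96150 97001
```

Only the trailing `-i <interface>` argument is parsed, so the log and config paths in the real command lines do not affect the result.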

              @bmeeks Thanks!

              Sadly I only see one snort process per interface

              96150  -  RNs   390:10.81 /usr/local/bin/snort -R 3474 -D -q --suppress-config-log -l /var/log/snort/snort_mvneta13474 --pid-path /var/run --nolock-pidfile -G 3474 -c /usr/local/etc/snort/snort_3474_mvneta1/snort.conf -i mvneta1
              96513  -  SNs    10:06.50 /usr/local/bin/snort -R 34922 -D -q --suppress-config-log -l /var/log/snort/snort_mvneta034922 --pid-path /var/run --nolock-pidfile -G 34922 -c /usr/local/etc/snort/snort_34922_mvneta0/snort.conf -i mvneta0
              

              I have the rules limited to the following:
              IPS Policy "Connectivity" using the VRT Subscriber Ruleset

              And the following ET Open rules:

              • Mobile Malware
              • Trojan

              Other options that depart from defaults:

              • LAN Preprocs: Auto Rule Disable (Enabled/Checked)
              • Disabled the Telnet, FTP, POP3 and IMAP Preprocs (no need for the first three and I don't care that much about IMAP either).

              Oddly, none of the changes away from the defaults change the usage that much in any direction.

              The current usage is a large B2 (the S3 clone) upload, so a few TCP connections from a FreeNAS server.

              last pid: 73590;  load averages:  1.60,  1.74,  1.77    up 1+20:51:05  19:23:05
              56 processes:  2 running, 54 sleeping
              CPU:  4.3% user, 64.0% nice,  8.7% system,  6.5% interrupt, 16.5% idle
              Mem: 142M Active, 290M Inact, 208M Wired, 80M Buf, 1348M Free
              Swap:
              
                PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
              96150 root          2 121   20   125M   103M CPU1    1 395:35  94.56% snort
              
              bmeeks

                Hmm... that's not a lot of rules in the big scheme of things. Surprised usage is that high. Is Snort your only package? And is that CPU utilization sustained or spikes up and down?

                I have an SG-5100 running more or less the same rules and I just checked my firewall and am seeing 1% CPU utilization. Of course at the moment not much is happening on my network. Even so, I've never seen a spike that high.

                SFmedia

                  @bmeeks Indeed. Last week I started reducing rule-sets in an effort to see if I could change the behavior - but oddly, it seems to do little. Reboots, rule changes, etc. There is little to no change.

                  In fact, a few months ago I had to switch back to Snort from Suricata, as not only was the usage equally out of control, I was suffering freezes/reboots randomly.

                  I tried to use AC-STD as a search method on one interface, but there's not enough RAM to load even a basic ruleset; the firewall kept becoming unresponsive.

                  SFmedia

                    In an even stranger twist, I decided to see what would happen if I just maxed out my connection.

                    So I decided to try to sync a massive Google Drive share (~55GB) while continuing the NAS rclone operation while also using the web regularly and streaming some HD video at the same time.

                    In addition to that other traffic on the network includes a number of servers and services.

                    Running my connection at full tilt (200 in, 50 out), with ALTQ keeping things moving, the LAN interface Snort process is only using between 60% and 80% CPU.

                    I really don't understand what's up.

                    iqjet

                      I won't open a new topic, but I do have a similar problem with an I5 5250U processor. I have enabled Snort for WAN (igb0) with the Inline IPS Mode and selected the Connectivity mode. In addition I added Mobile Malware and Trojan in the conf file. I checked the Malware and Trojan; everything has been selected to Block status.
                      Only 2 further packages are installed, pfblocker and acme. When checking my line speed with active snort, I received something like 400.000 MBits; without snort full I was back to 1000000 MBits. During the speedtest, with snort active and inactive, the cpu load was about 80%.
                      Looks like the Inline Mode is eating some speed.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.