Snort high cpu usage
-
Hi everyone, lately I have noticed high CPU usage, and after doing some tests I discovered that it was Snort.
I have a 100/20 connection, and when I download at maximum Snort gets to use 80% and more of the CPU (FX-6300 @ 4.2 GHz). A few months ago I had done some similar tests and I'm sure that with the download at maximum Snort used 30% - 40% of the CPU.
I have Snort both on the WAN and on the LAN, and I noticed that during a download via uTorrent the interface on the LAN was at 75% while the one on the WAN was at 16%, but during a speedtest both interfaces were at 70%.
In both the before and after tests, almost all the rules were activated (Snort, Snort Community Rules and ET Rules) and I'm running snort in Legacy Mode.
I don't understand why it has such high usage now.
If anyone has had similar problems and has any ideas on how to help me, thank you.
pfSense 2.4.5-RELEASE-p1
Snort 4.1.2_2
-
EDIT: After creating a new interface and adding the exact same options as the original LAN interface (rules, etc.), the CPU usage while downloading the file with uTorrent dropped from 70% to 20% as it always has been, and even the downloads from sites do not exceed 25% on both interfaces (I don't understand what the problem was); the only problem that remains is that if I do a speedtest with IPv4 the usage still increases to 70% on both interfaces.
-
You may have had duplicate instances running on the same interface. That can happen under some rare circumstances, especially if an external event like your WAN IP cycling causes pfSense to issue the "restart all packages" command several times in quick succession. When the planets align, that can result in two instances of Snort running on, say, the LAN or WAN, both configured the same and both consuming CPU and RAM.
You can check for this from a shell prompt on the firewall by issuing this command:
ps -ax | grep snort
You should see exactly one running Snort instance per configured interface. If you see duplicates, then you have found the problem and will need to kill the extra processes.
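As an added example (not from this thread or the pfSense Snort package), the script below automates the check just described: it parses `ps -ax` output, counts Snort processes per interface, and lists the PIDs of any extras so they can be reviewed before being killed. It assumes only that each Snort process was started with `-i <ifname>` on its command line; the `ps` lines it reads are a constructed sample.

```shell
#!/bin/sh
# Added example: report interfaces that have more than one Snort process,
# reading `ps -ax` output on stdin. Assumes snort is started with "-i <ifname>".

# Constructed sample of `ps -ax` output: one WAN instance on em0, two LAN
# instances on em1 (a duplicate), plus the grep line itself.
SAMPLE_PS='  512  -  Ss   12:01.33 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em0/snort.conf -i em0
  611  -  Ss   55:20.10 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em1/snort.conf -i em1
  703  -  Ss   54:58.02 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em1/snort.conf -i em1
  810  1  S+    0:00.01 grep snort'

# Print "<iface> <count>" for every interface that has a Snort process.
# Lines without "/snort " (such as the grep line) are ignored.
count_snort_per_iface() {
    awk '/\/snort / { for (i = 1; i <= NF; i++) if ($i == "-i") n[$(i + 1)]++ }
         END { for (ifc in n) print ifc, n[ifc] }' | sort
}

# Print the PID of every Snort process beyond the first one seen on each
# interface, so the extras can be reviewed and then killed by hand.
extra_snort_pids() {
    awk '/\/snort / {
             ifc = ""
             for (i = 1; i <= NF; i++) if ($i == "-i") ifc = $(i + 1)
             if (ifc == "") next
             if (ifc in seen) print $1; else seen[ifc] = $1
         }'
}

# Exit 0 when every interface has exactly one instance, 1 when any has more.
check_snort_instances() {
    count_snort_per_iface | awk 'BEGIN { dup = 0 }
                                 $2 > 1 { print $1 " has " $2 " snort processes"; dup = 1 }
                                 END { exit dup }'
}

# Stand-alone run against the constructed sample; on the firewall use:
#   ps -ax | check_snort_instances
printf '%s\n' "$SAMPLE_PS" | check_snort_instances \
    || echo "extra PIDs to review: $(printf '%s\n' "$SAMPLE_PS" | extra_snort_pids)"
```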
-
@bmeeks
Hi, thanks for the help, but even after restarting pfSense the problem has not been solved, and when carrying out a speedtest online or from some app the two Snort interfaces (LAN and WAN) reach 80%. I also tried reinstalling the package but it didn't work.
-
@mikekoke said in Snort high cpu usage:
@bmeeks
Hi, thanks for the help, but even after restarting pfSense the problem has not been solved, and when carrying out a speedtest online or from some app the two Snort interfaces (LAN and WAN) reach 80%. I also tried reinstalling the package but it didn't work.

But your second post said creating a new interface solved your issue. I assumed from that you meant you deleted the first one and created it again. The deletion process will kill running processes.
You also state you are running lots of rules ("almost all the rules were activated" you said). That is going to chew up a lot of CPU time. You don't say what type of network you have, but I assume it's your home LAN. There is very little need for many Snort rules on a home network. There are large chunks of the available categories that are not applicable at all to a home network.
If you don't like the CPU utilization, you have three options available to you.
- Get a much beefier CPU. A higher clock speed is better than more cores since Snort is single-threaded.
- Reduce the number of enabled rules to more realistically match the actual threat exposure your network has. Unless you run a mail server, you don't need the POP3, IMAP or SMTP rules. If you don't run a public-facing DNS server, you don't need any DNS server rules. If you don't run a public-facing web server, you don't need any of the web server rules. And there are other examples as well.
- Uninstall the Snort package. To be honest it really provides only marginal benefit for most home networks, most especially because the vast majority of traffic today is encrypted SSL or TLS and thus Snort can't peer into the packet payloads anyway.
-
@bmeeks
Hi, thanks for all the advice, I will definitely remove some rules that are not used. As I said, the problem has been solved with regard to downloads via sites and via torrents, but if I perform a speedtest from speedtest.com, for example, the usage of the two interfaces reaches 80%, and this did not happen before. Basically, now the problem appears only during a speedtest, and I don't understand what can cause it, since the same amount of bandwidth as the speedtest is also used when downloading with torrent, and in that case Snort uses a maximum of 30% of the CPU per interface.
Edit: Even when I only set the Policy to Balanced, without ET and Community Rules, Snort uses 40%.