Snort services cpu limit
-
Hi,
The snort service uses a lot of cpu and this prevents pfsense from running efficiently.
How can I put a cpu limit on the service?
Thanks.
-
@SpaceXTexnologiya Perhaps a question best asked under the IDS/IPS section...
Nevertheless, I don't think you can limit the amount of CPU it uses, unless it's somehow possible to bind it to a specific core?
If you run it in Inline mode you could try changing to Legacy mode to see if that gives you a bit more throughput. Also you can limit the rulesets you use, and remove those not needed...
-
@SpaceXTexnologiya said in Snort services cpu limit:
Hi,
The snort service uses a lot of cpu and this prevents pfsense from running efficiently.
How can I put a cpu limit on the service?
Thanks.
The Snort binary offers no options for CPU control. Snort 2.9.x used on pfSense is a single-threaded process.
As suggested, trim down your rule set. You don't mention what hardware you are using, but sounds like based on your description that it may not be powerful enough to run Snort with your current configuration.
-
@bmeeks hi,
thank you for reply,
Could snort service be the cause of pfsense freezing?
my virtualization environment is hyper-v
pfsense running with 10 GB memory and 12 cores
-
@SpaceXTexnologiya said in Snort services cpu limit:
Could snort service be the cause of pfsense freezing?
I doubt Snort is the cause, but it is extraordinarily easy to test the hypothesis -- simply stop the Snort service for a day or two and see if the "freezing" still occurs. If it does not, then Snort was the likely cause. If "freezing" continues, then Snort is not the cause.
-
@SpaceXTexnologiya said in Snort services cpu limit:
pfsense running with 10 GB memory and 12 cores
Wow, that is a lot of resources for pfsense! I guess you have quite a lot of traffic then?
I'm also running virtualized but only give my firewall 8 GB RAM and 4 cores (i5 11400). I have been testing on a smaller machine with an i3 n305 and get about the same performance there (around 8 Gbit max), if I pass through the NIC's.
I run Suricata not Snort, which probably shouldn't matter, but I run it in legacy mode...
-
Right probably the hvevent interrupt storm that some people are reporting. Depending on what pfSense version you're running in which hyper-v version.
-
@stephenw10
Which version is more stable? For Hyper-V environment
-
Which pfSense version? As far as I know (since I don't run hyper-v) the issue affects anything built on FreeBSD 14 or newer. So that means you'd need to go back to 2.6 to be unaffected.
-
@stephenw10 said in Snort services cpu limit:
Which pfSense version? As far as I know (since I don't run hyper-v) the issue affects anything built on FreeBSD 14 or newer. So that means you'd need to go back to 2.6 to be unaffected.
I am using pfsense version 2.7.2 on hyper-v
-
@SpaceXTexnologiya said in Snort services cpu limit:
@stephenw10
Which version is more stable? For Hyper-V environment
I guess there is the option to use another hypervisor, like Proxmox...