Snort GUI slows down after a while - 2.6.0.2.1 and previous version



  • sullrich, I'm loving what you do with snort!!!

    But here's a little feedback on something that is causing trouble.

    RC3e, snort 2.6.0.2.1, P3-450 256 MB
    I've run snort for 2-3 weeks. Lately I've noticed that the Snort GUI (Snort Settings, Update Snort Rules, Snort Rulesets, Snort Blocked, Snort Whitelist, Snort Alerts) all get extremely slow to use if you get a lot of blocked IPs. After a reboot the Snort GUI slows down to a crawl after a couple of minutes. Tried uninstall etc. etc. Nothing helped. top shows that php uses 85-99% CPU for minutes.

    Got another idea - clicked the Clear log button on the Snort Alerts page and then rebooted.
    Right after reboot I can see that there are 16 Blocked IPs. Most of them have n/a as Alert Description and the GUI is fast. But as soon as the n/a get replaced with actual descriptions the whole Snort GUI slows down - but it's not as slow as before. To me it seems that only Snort Blocked should slow down, and just a little bit, if I have a lot of blocked IPs. I'm not saying that 16 is a lot, just that it is noticeable on that level already. Could there be a problem with the php scripts?

    On my other FW where there are 7-800 blocked IPs continuously (seen in previous versions of snort), I don't dare to click on any of the snort menus any more.

    As I've already said, I really love what you're doing. But if you keep adding (yes, yes, yes) features to snort please consider adding some kind of feature/option that allows users who don't have the latest and hottest hardware to keep using snort.



  • When you click "CLEAR" in the Alerts window it restarts both snort2c and snort.

    When you click "SAVE" in the settings screen it also restarts snort.



  • I have added checkboxes for any new features that have been added recently.

    Honestly deleting hosts from the snort blocked screen should not be slowing down the GUI at all.

    Snort settings and clearing the snort alerts screen WILL restart Snort which will slow down the GUI as it's restarting.



  • Great sullrich, thanks for adding the checkboxes!

    I'm afraid I haven't made myself clear about the issue. So I'll make a new attempt:
    1. Installed the latest snort about 8-9 hours ago and rebooted
    2. After reboot went to Snort_Snort Blocked. 3 blocked IPs appeared at once
    3. 15 minutes later I clicked on the tab Snort Blocked to update the list - 20 IPs on the list. Update speed not an issue. 20 is about max this FW ever has. Left the PC as is
    4. Caught some zzz's
    5. 8 hours later I clicked on the tab Snort Blocked to update the list
    6. Snort GUI hangs
    7. Clicked on Snort Settings with the intention to "unselect" the show descriptions (show links already unselected). Nothing happens, the tab doesn't show up.
    8. The result of the above is that 2 instances of php are running and nothing happens in the GUI

    last pid: 34470;  load averages:  3.50,  3.32,  3.20    up 0+09:06:24  08:59:01
    60 processes:  4 running, 56 sleeping
    CPU states: 96.9% user,  0.0% nice,  0.4% system,  2.7% interrupt,  0.0% idle
    Mem: 159M Active, 26M Inact, 30M Wired, 34M Buf, 27M Free
    Swap: 512M Total, 512M Free

    PID USERNAME  THR PRI NICE  SIZE    RES STATE    TIME  WCPU COMMAND
    31346 root        1 132    0 54308K 28004K RUN    29:36 47.75% php
    1362 root        1 132    0 53172K 26988K RUN    25:55 46.78% php
      635 proxy      1  96    0  8456K  6936K RUN      2:45  0.00% squid
      957 root        1  96    0  2404K  1656K RUN      1:48  0.00% top

    9. I'll leave it running for a while, but I'm pretty sure it will still hang. Then I'll reboot and try it with all options unchecked. But to me it seems like something's wrong (i.e. not my hardware).

    Hoping that will work, which is ok by me. Just wanted to let you know.



  • I cannot reproduce this.

    Please provide a ps awwux | grep php output during this time.



  • @sullrich:

    I cannot reproduce this.

    Please provide a ps awwux | grep php output during this time.

    I've un-checked all new features. Had to hard-reboot the FW some hours ago because I couldn't connect to the console anymore.

    This took about 5-10 seconds earlier.
    last pid: 15186;  load averages:  3.08,  2.78,  1.68        up 0+03:53:09  23:45:33
    62 processes:  3 running, 57 sleeping, 2 stopped
    CPU states: 95.7% user,  0.0% nice,  2.7% system,  1.6% interrupt,  0.0% idle
    Mem: 146M Active, 12M Inact, 34M Wired, 432K Cache, 34M Buf, 51M Free
    Swap: 512M Total, 512M Free

    PID USERNAME  THR PRI NICE  SIZE    RES STATE    TIME  WCPU COMMAND
    14440 root        1 128    0 49452K 23120K RUN      6:44 47.17% php
    10664 root        1 128    0 46852K 20492K RUN      4:30 46.29% php
      642 proxy      1  96    0  8456K  6936K select  1:13  0.05% squid
    1775 root        1  4    0  1140K  1048K kqread  0:29  0.00% snort2c
    1772 root        1 -58    0 84180K 83572K bpf      0:21  0.00% snort

    root    14440 46.4  9.4 50172 23844  ??  R    11:33PM  6:59.80 /usr/local/bin/php
    root    10664 46.0  8.2 47044 20684  ??  R    10:33PM  4:45.06 /usr/local/bin/php
    root      362  0.0  1.8 36632  4512  ??  Is    7:53PM  0:00.07 /usr/local/bin/php
    root      367  0.0  1.8 36632  4512  ??  Is    7:53PM  0:00.08 /usr/local/bin/php
    root    14470  0.0  1.8 36632  4620  ??  I    11:33PM  0:00.00 /usr/local/bin/php
    root    14471  0.0  1.8 36632  4620  ??  I    11:33PM  0:00.00 /usr/local/bin/php
    root    15229  0.0  0.4  1512  992  p0  S+  11:46PM  0:00.01 grep php



  • You are running out of ram.  Insert more ram?



  • Snort has some performance settings. Did you try low mem already?



  • @hoba:

    Snort has some performance settings. Did you try low mem already?

    So RAM is the culprit. Didn't understand that.
    Don't know much about *nix, I'm afraid.
    Just looked at System Overview that shows about 62% Memory usage.

    Yes, I'm running Performance: lowmem.
    Have no more RAM, I'm afraid. MB only has 2 slots. Already equipped with 2x128MB and I don't have any 256MBs.
    I'll disable some snort rules and maybe uninstall Squid.

    Thanks for your help and sorry to have taken up your time with such a stupid issue! My bad.
    I promise I'll learn all about FreeBSD memory management and status after a short night's sleep, which starts right now (1:30 am) …



  • maybe remove just one of the "memory hogs". squid and snort both can take some fair amount of RAM.



  • I am having the same issue with PHP using ~100% of CPU cycles while having lots of blocked IP addresses. I am running a P3 533MHz w/ 512MB of RAM. When clicking the snort link within the GUI, CPU usage goes to 100% and stays until the page is loaded.

    
    ps awwux | grep php:
    
    root    513  0.0  0.9 36612  4588  ??  Is    8:32AM   0:00.09 /usr/local/bin/php
    root    518  0.0  0.9 36612  4588  ??  Is    8:32AM   0:00.18 /usr/local/bin/php
    root  22772  0.0  0.9 36612  4696  ??  I     1:31PM   0:00.00 /usr/local/bin/php
    root  22906  0.0  0.9 36612  4696  ??  I     1:32PM   0:00.00 /usr/local/bin/php
    root  22923  0.0  0.9 36612  4696  ??  I     1:32PM   0:00.00 /usr/local/bin/php
    root  22963  0.0  0.9 36612  4696  ??  I     1:32PM   0:00.00 /usr/local/bin/php
    
    
    
    last pid: 23346;  load averages:  1.19,  0.50,  0.29        up 0+05:05:53  13:37:20
    35 processes:  3 running, 32 sleeping
    CPU states: 94.6% user,  0.4% nice,  4.3% system,  0.8% interrupt,  0.0% idle
    Mem: 133M Active, 10M Inact, 28M Wired, 19M Buf, 322M Free
    Swap: 1024M Total, 1024M Free
    
    


  • If it returns a result after some time that's normal. It tries to use the available CPU power to run the commands to build the pages as fast as it can. Isn't it normal that CPU goes up when the CPU is working?  ::) At least it is normal when it returns a result after some time (depending on your system power sooner or later). It's not normal if the process keeps at 100% CPU without returning anything after some time but it doesn't sound like you have that kind of issue, right?



  • It is normal.  If you don't want it to associate the blocked alert text with the IP address then disable this feature in the settings page.
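    The feature mentioned above, associating each blocked IP with the alert description that caused the block, is a join between the snort2c block list and the Snort alert log. That join is cheap if the log is read once and indexed, and expensive if the whole log is rescanned once per blocked host, which is the shape of cost the thread describes (fine with a handful of blocked IPs, unusable with several hundred). The block below is an added example written for this page; it is not code from the pfSense Snort package, and the thread does not say how the package actually performed the lookup. The alert lines, the blocked-IP list and the function names are constructed for illustration; the alert lines follow Snort's alert_fast format.

```python
"""Associate blocked IPs with the Snort alert that triggered them.

Added example for this page. The data below is constructed, not captured
from a real system, and nothing here is the pfSense Snort package's code.
"""
import re

# Constructed sample of Snort alert_fast lines (made up for illustration).
ALERT_LINES = [
    "12/05-08:32:11.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.7:1434",
    "12/05-08:32:12.222222  [**] [1:469:3] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.11 -> 198.51.100.7",
    "12/05-08:33:40.000001  [**] [1:1201:7] WEB-MISC 403 Forbidden [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:80 -> 192.0.2.12:51000",
    "this line is not an alert and must be skipped",
    "12/05-08:35:02.500000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.9:1434",
]

# Constructed stand-in for the addresses held in the snort2c pf table.
BLOCKED_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "203.0.113.5"]

# alert_fast layout: [**] [gid:sid:rev] message [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
    r"\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)


def parse_alert(line):
    """Return (src, dst, msg) for an alert_fast line, or None if it is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("msg")


def describe_naive(blocked, alert_lines):
    """Rescan the whole alert log once per blocked IP.

    Returns (mapping, lines_examined). The work grows as blocked x alerts,
    so a few hundred blocked hosts against a long log means minutes of CPU.
    The first alert that names the IP (as source or destination) is used.
    """
    result = {}
    examined = 0
    for ip in blocked:
        result[ip] = "n/a"
        for line in alert_lines:
            examined += 1
            parsed = parse_alert(line)
            if parsed and result[ip] == "n/a" and ip in parsed[:2]:
                result[ip] = parsed[2]
    return result, examined


def describe_indexed(blocked, alert_lines):
    """Read the log once, index first message per IP, then look blocked IPs up.

    Returns (mapping, lines_examined). The work is alerts + blocked, and the
    mapping is identical to describe_naive for the same input.
    """
    first_msg = {}
    examined = 0
    for line in alert_lines:
        examined += 1
        parsed = parse_alert(line)
        if parsed is None:
            continue  # non-alert line (e.g. a startup banner); skip it
        src, dst, msg = parsed
        for ip in (src, dst):
            first_msg.setdefault(ip, msg)  # keep the earliest alert per IP
    return {ip: first_msg.get(ip, "n/a") for ip in blocked}, examined


if __name__ == "__main__":
    for name, fn in (("naive", describe_naive), ("indexed", describe_indexed)):
        mapping, examined = fn(BLOCKED_IPS, ALERT_LINES)
        print(f"{name}: {examined} log lines examined")
        for ip, msg in mapping.items():
            print(f"  {ip:<15} {msg}")
```

    Both functions produce the same table, including the "n/a" entry for a host that has no alert on file (the state the original poster saw right after a reboot), but the naive version examines blocked x alerts lines while the indexed one examines the log once. Reading the log once and holding a per-IP index is the pattern to reach for in a GUI page that is rebuilt on every click.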



  • Woops.  This just happened to me!  I've hopefully fixed the problem.

    Sorry about this!!

