L2TP/IPsec and Snort CPU utilization



  • Snort goes off the charts (e.g. 90% CPU utilization) when I've got a throughput-heavy connection going (e.g. watching a YouTube movie at 720p) through a L2TP/IPsec VPN. I'm assuming it's slamming its head against the heavily-encrypted traffic going through the WAN connection on its way out to the client. Is there a safe/sane way to exclude this traffic from Snort monitoring?

    UPDATE: I thought maybe Snort's default home net wasn't "smart enough" to include the L2TP IP address range. I created a pass list with that subnet and all the other defaults and set it as my home net. Unfortunately, this doesn't seem to have changed the situation.



  • The CPU utilization problem is more likely caused by the IPsec decryption of that video stream.  Snort can't decrypt that traffic to actually look at it.  Snort puts your WAN interface into promiscuous mode, so it will then see any traffic crossing the interface.  With NAT, I prefer to run Snort on the LAN.  That might help in your case, but it depends on your network and what you are protecting behind the various interfaces.

    When you have this spiking problem, have you tried stopping Snort and seeing what happens to CPU utilization then?

    Bill



  • @bmeeks:

    The CPU utilization problem is more likely caused by the IPsec decryption of that video stream.  Snort can't decrypt that traffic to actually look at it.

    Isn't that what I said? LOL

    @bmeeks:

    Snort puts your WAN interface into promiscuous mode, so it will then see any traffic crossing the interface.  With NAT, I prefer to run Snort on the LAN.  That might help in your case, but it depends on your network and what you are protecting behind the various interfaces.

    Ahh, that makes sense. I might try that.

    @bmeeks:

    When you have this spiking problem, have you tried stopping Snort and seeing what happens to CPU utilization then?

    Sure, the "snort" process in `top' that shows 90% CPU utilization goes away. As one might expect.  :P


Log in to reply