Snort 100%



  • I don't know if this is specific to snort.

    But my internet became really slow. I could still drill for domains, but got a high ms count (600+ ms) on the lookup, and sites would not load. I could not even get into the pfSense web UI.
    My modem was still running normally. But after a minute or 5-10, I guess the modem reset or went offline, from all green to no activity / red/orange, meaning no internet. I first removed the power from my modem and restarted the router, because I was not sure whether it was the router that caused the modem to reset. After I put the modem on power again it worked again, all green. The router did get an IP, but I could not enter the web UI. I checked via the console/SSH and it showed a WAN IP. So I ran top and it showed Snort WCPU at 100% 2x: once on the WAN interface and once on a LAN interface. I have Snort running on both.
    So I did another router restart while the modem was online again, and this time the router restarted faster and everything worked again.

    When I check top again I see that Snort still takes 2x 100% CPU. I disabled Snort on LAN and one 100% was gone; I disabled Snort on WAN and the other 100% was gone.

    When I enabled it again only on the WAN interface, it went to 100% again and is still at 100% after 20 min.

    Is it possible pfSense "killed" my internet? When I restarted, it worked almost instantly again.

    2.2.4-RELEASE (amd64)
    built on Sat Jul 25 19:57:37 CDT 2015
    FreeBSD 10.1-RELEASE-p15

    You are on the latest version.
    Platform pfSense
    CPU Type Intel(R) Celeron(R) CPU J1900 @ 1.99GHz
    4 CPUs: 1 package(s) x 4 core(s)

    snort 3.2.8



  • A couple of possibilities.  First, if your modem restarts or your WAN IP toggles for some external reason, the pfSense packages get a "reload" command.  This will cause Snort to rescan all the enabled rules.  This can be CPU intensive depending on the number of rules you have enabled and how much horsepower your CPU has.  Second, it is possible for duplicate Snort processes to get kicked off as a result of the WAN IP toggling rapidly.  I put some checks in the scripts to try and prevent this, but they are not perfect and sometimes a duplicate process will get kicked off anyway.

    Bill
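A quick check for the duplicate-process case Bill describes, added here as an example and not code from the thread or from the pfSense Snort package. It assumes each Snort instance carries `-i <interface>` on its command line; the ps sample it runs on is constructed.

```shell
#!/bin/sh
# Added diagnostic, not part of the thread: report any interface on which more
# than one Snort process is running, the "duplicate process" condition Bill
# mentions after a WAN IP toggle. One instance per interface is expected.
# Assumption: each Snort instance carries "-i <iface>" on its command line.

# Reads ps output (one process per line) on stdin; prints "<iface> <count>"
# for every interface that has more than one Snort process.
snort_duplicate_ifaces() {
    awk '
        /[s]nort/ {
            for (i = 1; i <= NF; i++)
                if ($i == "-i" && i < NF) count[$(i + 1)]++
        }
        END {
            for (ifc in count)
                if (count[ifc] > 1) print ifc, count[ifc]
        }
    ' | sort
}

# Constructed sample of "ps -axo pid,pcpu,command" output: two Snort
# instances on em0 (the duplicate), one on em1, plus an unrelated line.
SAMPLE_PS='  PID %CPU COMMAND
 1234 99.9 /usr/local/bin/snort -D -q -i em0 -c /usr/local/etc/snort/snort_em0/snort.conf
 1301 99.8 /usr/local/bin/snort -D -q -i em0 -c /usr/local/etc/snort/snort_em0/snort.conf
 1350  0.4 /usr/local/bin/snort -D -q -i em1 -c /usr/local/etc/snort/snort_em1/snort.conf
 1400  0.0 sshd: admin@pts/0'

# Demo on the constructed sample; on a live box pipe real ps output instead:
#   ps -axo pid,pcpu,command | snort_duplicate_ifaces
printf '%s\n' "$SAMPLE_PS" | snort_duplicate_ifaces
```

If an interface is listed twice with both instances near 100% CPU, that points at the duplicate-process case rather than a rules reload; a single instance per interface at 100% points at the rescan or a Snort problem instead.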



  • @bmeeks:

    A couple of possibilities.  First, if your modem restarts or your WAN IP toggles for some external reason, the pfSense packages get a "reload" command.  This will cause Snort to rescan all the enabled rules.  This can be CPU intensive depending on the number of rules you have enabled and how much horsepower your CPU has.  Second, it is possible for duplicate Snort processes to get kicked off as a result of the WAN IP toggling rapidly.  I put some checks in the scripts to try and prevent this, but they are not perfect and sometimes a duplicate process will get kicked off anyway.

    Bill

    It wasn't really a duplicate: one was for the WAN interface and one for the LAN. I have rules on both.

    But is it possible that Snort/pfSense killed/slowed down my connection badly?
    I was getting gateway problems when I checked, like "gateway down", about 5 min before the modem even went offline, but I was still connected to the internet: I was still on IRC and could chat, but I could not reach any website at all, and getting onto the pfSense admin was hard as well.



    It's most likely not related, but I've had one of my Snort boxes go strange like this in the past 24h. Unexplained. I did nothing new to it, but it suddenly increased latency / processing delay and mem usage. I have yet to investigate it further, but I've seen something similar in the past when Snort was vulnerable to a buffer overflow / scapy attack. Then again, why just one box out of the 4-5 I monitor? And it was a Linux box, so most likely a Snort problem rather than a pfSense one... Who knows, we might read it in the news in the next couple of days... or it's just pure coincidence...

    F.



    Same here.
    After the update to 2.2.4-RELEASE (amd64/i386), Snort (3.2.8) goes up to 100% CPU and the memory also goes high. I also changed the settings for a test (Search Method etc.), but nothing happened: after a short time the CPU and mem go high.

    I thought it was a hardware problem, so I switched to the second system (CARP). But there the CPU/mem also go high.

    On 2.2.2 the problem was not visible.