Thread Info
  • State Not Answered
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 8 replies
  • Subscribers 32 subscribers
  • Views 4020 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Snort CPU util on 17.5.6 MR6

James Lemon

Hi All,

Since upgrading to 17.5.6 MR6, we started to have users complaining about slow website access times. We currently have two XG 330 rev 2 in a HA active/passive config.

I created a HTTP/HTTPS bypass rule for the transparent proxy, showed a massive improvement in website access times. This was a single rule selecting my machine as IP, adding subsequent machines to this rule during peak load times, also showed an improvement in website access times.

I then went back to our two internet access rules for outbound for our org, and removed HTTP scanning, immediately the CPU dropped from 70% to around 20% util. Now we have NO http scanning rules setup on any of our rules, yet I am still seeing snort cpu util is pegged.

What gives?



This thread was automatically locked due to age.
Parents
  • 0

    Just an update, a forgot to do ***-I in top, because it's a multi-core CPU. It's still high but, and I'm wondering why it's still right on the top with no HTTP scanning enabled? Also would I benefit from having both XG's in active/active?

    Cheers.

  • 0 in reply to James Lemon

    Hi JL

     

    I wonder, what your IPS settings are ? Please post the output from the devcice console for "show ips-settings" - like I did below (Rev1. XG125 Appliance)

    console> show ips-settings
    -------------IPS Settings-------------
            stream on
            lowmem off
            maxsesbytes 0
            maxpkts 8
            mmap off
            enable_appsignatures on
            mmapfilepath var
            http_response_scan_limit  65535
            search_method hyperscan
            sip_preproc enabled
            sip_ignore_call_channel enabled

    -------------IPS Instances------------
    IPS CPU
     1  0
     2  1

     

    And also which hardware you use. Obviously some Quadcore CPU with 12Gigs of Mem - Do you have a exact CPU type ?

     

    /Sascha

Reply
  • 0 in reply to James Lemon

    Hi JL

     

    I wonder, what your IPS settings are ? Please post the output from the devcice console for "show ips-settings" - like I did below (Rev1. XG125 Appliance)

    console> show ips-settings
    -------------IPS Settings-------------
            stream on
            lowmem off
            maxsesbytes 0
            maxpkts 8
            mmap off
            enable_appsignatures on
            mmapfilepath var
            http_response_scan_limit  65535
            search_method hyperscan
            sip_preproc enabled
            sip_ignore_call_channel enabled

    -------------IPS Instances------------
    IPS CPU
     1  0
     2  1

     

    And also which hardware you use. Obviously some Quadcore CPU with 12Gigs of Mem - Do you have a exact CPU type ?

     

    /Sascha

Children