
Intrusion Prevention (IPS) high cpu usage - Snort

Hello,

In our company we have about 60-80 users. Each department has its own VLAN running over one port.

XGS2100 (SFOS 19.0.1 MR-1-Build365)

Over the year I was setting up the Sophos XG and adding all firewall rules, like all departments are in one zone and have an any rule to our servers with the specific ports needed (each server has its own rule). I think I am at about 80-85 rules now for everything. (Yes, I am using zones to group the departments at least.)

Now most of them have IPS and the other stuff activated (AV/WEB/APP/IPS/LOG), but even after using the predefined IPS rules (LAN to WAN and LAN to DMZ) in the hope of reducing some stress, the CPU usage is still high.

I read that some do not use all this for LAN to DMZ? Is that good? My thinking is, if a user gets infected, like over mail, and uses an Exchange vulnerability, I at least have my Sophos with IPS and zero day, right?

Usually at break times, but sometimes also between them, you can always see in the Diagnostic graph a high CPU usage. The whole network then gets sloppy and sometimes disconnects applications; that's hell for running Teams meetings and remote sessions.

Under the command "top" I can see multiple processes with snort, which have 99 CPU usage, and I see all CPUs at 100 most of the time.

All patterns should be up to date (interval set to high). IPS setting max packages 8 is still there.

Now my questions:

Is our Sophos too small? Frankly speaking, this got worse some months ago, maybe at the start of September, but maybe when we got the upgrade from version 18.xx to 19.xx.

Can I optimize the IPS profiles?

My problem is, no matter where I look, I can't find good documentation on what all the categories mean (like misc, scan); sure, I can click os-windows, or server and client.

Are "clients" only Win 10? Or does that mean which direction the attack is happening?

If I look at the LAN to WAN IPS template, first you see many entries like OS-windows, then browser, then windows clients and then all clients?? What does that mean, all clients? Why are there entries before for windows/linux if I have an entry for all clients? Is there a difference, or is it for the purpose that I use it as a template and delete what I don't need?

My biggest problem right now is that I am missing the tools to investigate further; the reporting would be useful if you could specify a time, but no, you can always do only days.

  • Thanks very much, you solved the performance issue; Sophos should add quick help there (grayed-out examples).

    If the ^ matches till the first /, would the ? at the end not be useless?

    And at the end you wrote ^.*\.sophosxl\.net/ ; would it not be more like ^*\.sophosxl\.net/ ?

    If I got it right, with ^.*\.sophosxl\.net/ it would search for aaaaaaaaaaaaaaaaaaaaaaa.sophosx.l.net and every other combination, instead of cutting off the string at the beginning and matching only the end part.

  • Thanks for the clarification that snort is much more. I just rejected your answer because support is not always the way to go.

    I tried it with support and it was a horrible experience. I don't speak English on a daily basis, but have no problem reading/writing or watching videos, but the phone quality with the two support people was horrible. The first guy just started a logging process, and said call them back later if it happens again. The second basically just checked that everything is running and checked the most common problems on the topic, which I could find on the forum.

    After that he sent the whole PuTTY log over to the senior engineer, who looked more deeply but also suggested a fast wimp like disabling IPS and adding \ before a dot on web exceptions (even if I had it on all exceptions).

  • We also see this problem since the migration from v18.5.2 to v19.0.1.

    Here there are spikes up to 95% of Snort, incl. garner problem since upgrade.
    [garner] constant 30% CPU, resolve Cache error

    A solution should be found quickly here.
    Latency-critical applications like VoIP already have their problems here, even from 80% CPU load of the FW.


  • When we first saw customers having performance problems with exceptions and TLS exclusions I wrote KB-000043654 with the catchy title "Sophos Firewall: Exclude a website from TLS inspection" to explain the performance impacts.  The focus was on how to exclude, not how to diagnose performance issues.  When I have some spare time I am trying to write a new article that will have some of the same information but specifically about (and titled) high CPU in snort.  Right now I am working on collecting several different causes that have come through escalations.  Question: should I include the "why", such as the examples I wrote above?  Usually KBs are more about the answer ("write all your regex in this style") than explaining why the answer is correct.

    You are correct about the TeamViewer example.  I had just cut and pasted it out of the XG without thinking about it.  Offhand I do not know why we wrote it like that; it might be that some TeamViewer things do weird but valid stuff like server.teamviewer.com:80/foobar.  I would agree that newly written ones should not have an ending ? (which makes the slash optional).  The Microsoft example is a better one.

    Sophos maintains several different servers and subdomains, such as gw.sophosxl.net and primary.wing.sophosxl.net.  The RegEx as written will match all subdomains but not the main domain (where we never have a server).

    To parse the regex I used in the example:

    ^.*\.sophosxl

    ^ matches the beginning of string
    .  matches any character
    * means the preceding thing can match zero-to-many times
    \ next character is a literal
    . is a literal period if there was a slash (or any character if no slash)

    So...
    ^ beginning of string
    .* any number of any character (including slashes)
    \. literal period

    ^*\. is what you asked about, which is "any number of beginning of string" which is not what you want.

    The actual RegEx we use is
    ^[A-Za-z0-9.-]*\.sophosxl

    ^ beginning of string
    [A-Za-z0-9.-]* any number of any valid fqdn character (not including slashes)
    \. literal period (not optional)
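
A worked comparison of the three patterns discussed in this thread (the `.*` form with and without the trailing `?`, and the `[A-Za-z0-9.-]*` form), as an added example that is not part of the original thread or of Sophos's own code. It uses Python's `re` module as a stand-in for the firewall's regex engine, which is an assumption: the firewall's engine may differ in details, and in particular Python rejects `^*` outright ("nothing to repeat"), so that pattern is checked via `explain_invalid` rather than matched. The sample URLs are constructed; the `.example.test` and path-injection hosts are not real Sophos endpoints.

```python
import re

# Constructed sample URLs (not from the thread), written host-first without a
# scheme, the way web exception patterns are matched.
SAMPLE_URLS = [
    "gw.sophosxl.net/",                    # legitimate subdomain
    "primary.wing.sophosxl.net/lookup",    # legitimate subdomain, with a path
    "sophosxl.net/",                       # bare domain: no subdomain, should NOT match
    "gw.sophosxl.net.example.test/",       # constructed lookalike host, should NOT match
    "example.test/cdn/.sophosxl.net/",     # constructed: domain string inside the path
]

# The three candidate exception patterns from the discussion.
PATTERNS = {
    "dot-star, optional slash": r"^.*\.sophosxl\.net/?",
    "dot-star, required slash": r"^.*\.sophosxl\.net/",
    "fqdn-chars, required slash": r"^[A-Za-z0-9.-]*\.sophosxl\.net/",
}


def matches(pattern: str, url: str) -> bool:
    """True if the pattern matches at the start of the URL (re.match anchors there)."""
    return re.match(pattern, url) is not None


def evaluate(patterns=PATTERNS, urls=SAMPLE_URLS) -> dict:
    """Map each pattern name to the list of sample URLs it matches.

    Makes the difference concrete:
    - '.*' lets the match wander across '/' into the path, so a domain string
      placed in a path is treated as a host match;
    - a trailing '/?' makes the slash optional, so a lookalike host that merely
      starts with '.sophosxl.net' also matches;
    - '[A-Za-z0-9.-]*' stays inside valid FQDN characters and stops at the
      first '/', so only genuine subdomain hosts match.
    """
    return {name: [u for u in urls if matches(p, u)] for name, p in patterns.items()}


def explain_invalid(pattern: str):
    """Return the compile error for a pattern Python's re rejects, else None.

    Used for '^*...': '*' cannot repeat the '^' anchor, which is why the thread
    calls it 'any number of beginning of string'.
    """
    try:
        re.compile(pattern)
        return None
    except re.error as exc:
        return str(exc)


if __name__ == "__main__":
    for name, matched in evaluate().items():
        print(f"{name:28s} -> {matched}")
    print("'^*' pattern:", explain_invalid(r"^*\.sophosxl\.net/"))
```

Run as-is to see which constructed URLs each pattern accepts; the FQDN-character class is the only one of the three that matches exactly the two legitimate subdomains. When testing your own exception entries this way, keep in mind the engine assumption above and confirm the final pattern on the firewall itself.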