Snort takes too heavy process at Bridge Mode (Not used IPS in any rule)

Update: This problem is not just bridge mode. gateway mode is same.

Harim,

let us know the answer/status.

Thanks

Suggest test setting is 8~10

Default is 80.

I set mine to 10, took about 2 minutes to implement and caused the cpu to peak at 26%, normally sits around 4% on a quad core e3.

On v15 the max_pkts was set to 8 by default and during the course they adviced to do not change it. Anyway ips seems to have some performance issue on v16.

Please contact Sachin. See this thread:

And let us know.

Regards

On v15 the max_pkts was set to 8 by default and during the course they adviced to do not change it. Anyway ips seems to have some performance issue on v16

On v16's default value of the maxpkts is 80. [:(]

Hi !

Do you believe that issue(cause) is simple as this (maxpkts 8 raised to 80 in v16) and sophos support/engineers cant resolve it for more than a month ? (in our case)

Im asking because maybe you have more experience with sophos and its support.

Aleks

Aleks,

I am more than convinced that it is a bug and they have to find out how to fix it.

The bug appears only on some system. The Max_packets was set as 8 on v15 and they changed on v16.

So we need to wait for an official answer from Sophos.

This issues occurs on all 3 AMD machines i have it installed to. The other 2 Intel machines do not present this issue.

Ady San good catch yours!

So it seems a compatibility issue with AMD CPU/Chipset.

Did you open a ticket with Support?

Hi Luk,

My customer has similar snort issue, and open a ticket about 1 month later.

But support team doesn't have solution yet...

I want to ask you, how to determinate the CPU/Chipset Type on a XG125 appliance?

Thanks for your help~

Shunze

I want to ask you, how to determinate the CPU/Chipset Type on a XG125 appliance?

If you SSH into appliance and open advance shell you can type dmidecode to output process information.

My appliance has AMD G-T30L processor and also having high snort CPU issue.

I want to ask you, how to determinate the CPU/Chipset Type on a XG125 appliance?

If you SSH into appliance and open advance shell you can type dmidecode to output process information.

My appliance has AMD G-T30L processor and also having high snort CPU issue.

XG125 seems to have an i5 CPU (very impressive Sophos!)

So unfortunately, this is not CPU family related.

We had been running an XG125 with the IPS service stopped for nearly 3 weeks, and on Friday it tried to start itself again, getting stuck in the Start/Stop loop and using 100% CPU on the appliance. Using pkill etc. just made it start the process again. In the end we had to reboot the appliance to resolve the start/stop loop.

HI All,

I may have a Work aournd  by changing the IPS settings , 

Default IPS settings

stream on
lowmem off
maxsesbytes 0
maxpkts 100
enable_appsignatures on
http_response_scan_limit 65535

Run Commands on Console 

set ips maxsesbytes-settings update 8192
set ips maxpkts 8

IPS settings after changes 

-------------IPS Settings-------------
stream on
lowmem off
maxsesbytes 8192
maxpkts 8
enable_appsignatures on
http_response_scan_limit 65535

 This should help 

Oh by the way - I did the fixes earlier in the thread which didn't help:

set ips maxpkts 8

console> system application_classification off
Microapp discovery is also turned off because it is dependent on this feature.

However, I'll add on 'maxsesbytes 8192' as a further test

just curious - this issue wasn't here in v15.

Question : why devs in sophos cant "diff v15 v16" ? Its a damn linux with a damn snort on it, no black magic involved.

If snort version was upgraded - rollback, if snorts conf changed - rollback, if **** > rollback

Actually - I did have a look at the Appliance that I managed to rollback to v15 - I took a look at the processes - I noticed that it was "snort_inline" compared to just "snort" in v16 this seems like quite a major change.

HI Dave, 

If the application classification is turned off, then it would not identify which application is processed . No Doubt this will reduce the SNORT load but you may need to reconsider when you are using application filter .

Indeed a major change. Im not familiar with all the changes happened with snort and snort_inline because i only used/use "Suricata", but I can assume that it could be anything starting from libipq > libpcap (if we are talking about sophos changed snort_inline for snort)