SFOS 16.01.2 snort high cpu even with None in policy

Not sure if this is related to 16.01.2, or some pattern update, but shortly after I updated on 11/29 my CPU usage has more than doubled with no changes to configuration other than the 16.01.2 update (and probably some behind-the-scenes pattern updates).

I didn't even know the CPU was under load until I felt the effects yesterday, 12/7, when my traffic was screechingly slow. When I logged onto the console, snort was taking 100% CPU!

I checked a few links from the board and found my maxpxts was 80, so I adjusted that to 8, which has helped a lot, keeping snort to around 60-70% CPU, but the system is definitely running hotter than usual (compared to the previous SFOS 16.01.1).

It also seems like VLAN routing (zone-to-zone) policies influence snort (some sort of pre-filtering?) even though the IPS policy for that rule is set to None. Is there a way to exclude traffic from snort pre-filtering if the rule defines IPS as None?

Thanks

  • Case 6697114

    I don't think that I need help with this case :) I think your L1 support needs help with it.

    I only need a proper firmware update in the stable branch (not development; I'm not hired by Sophos for tests) which will solve my problem with IPS.

    P.S. From my perspective the cause is simple (I can be wrong, of course): there was a massive IPS core update when you switched from v15 to v16, and the new IPS version doesn't work 'well' with most entry-level XG boxes. For most people who don't run live traffic (like VoIP or video conferencing) there is no problem, because there is no situation in which they can experience it.

    Thanks

    Regards,

    Aleksandr

  • Thanks,

    I have created a new thread and I will PM you as well.

  • Hi,

    I am running a CR50iNG (SFOS 16.05.1 MR-1) and I am not facing any issues with snort or high CPU currently. We also have VoIP and video calls.

    I had an issue a month or two ago with snort and high CPU, but it was coming from web policies. I noticed the issue after our cron ran apt-get upgrade: on the Linux box, apt-get would loop trying to download its updates, because one of the web policies (I think it was heavy bandwidth browsing) affected the host, stopping it from downloading the update file (at the end of the download). That caused a download loop on the Linux server and high load on the XG device, with snort hitting 100%. After fixing the web policies, this problem was gone.

    I can also confirm those ping latency spikes from time to time (every 5-10 min), coming from behind the XG, but with DSCP there aren't any noticeable issues with VoIP. And I don't have IPS on the RTP traffic, only on SIP.

  • Hi,

    Could you please let us know how many concurrent devices and how much bandwidth is passing through?

    Thanks,

    R.

  • I don't think the graphs show the correct usage.

    For example, if you hit 100% CPU load and you are seeing this on Live, 24h, or 48h - OK, but if you try to view it on Week or Month, the 100% load will not show (even if you had this load for hours, it will not show for sure!).

    But as far as I know this will be fixed in the next 17 release.
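The behaviour described in the post above (a 100% CPU plateau that is obvious on the Live/24h view but disappears on the Week/Month view) is what you get whenever a long-range graph is built by averaging each bucket of samples instead of keeping the bucket maximum. The script below is an added illustration, not SFOS code, and it makes no claim about how SFOS actually renders its graphs: the bucket sizes per view, the 30% idle baseline and the two-hour 100% plateau are all constructed assumptions. It shows that the same sample series keeps the peak under max aggregation at every resolution and loses it under mean aggregation as soon as the bucket is much longer than the plateau.

```python
from statistics import mean

MINUTES_PER_DAY = 1440


def make_day(base=30, plateau_start=600, plateau_len=120, plateau=100):
    """Constructed one-minute CPU samples for one 24h day: idle at `base` %
    except for a `plateau_len`-minute run at `plateau` % (default: 10:00-12:00).
    Sample data, not measurements from a real appliance."""
    samples = [base] * MINUTES_PER_DAY
    for i in range(plateau_start, plateau_start + plateau_len):
        samples[i] = plateau
    return samples


def downsample(samples, bucket_minutes, agg):
    """Collapse each run of `bucket_minutes` consecutive samples into one point
    with `agg` (mean or max). A long-range graph has to do something like this
    to fit days or weeks of data into a few hundred pixels."""
    return [agg(samples[i:i + bucket_minutes])
            for i in range(0, len(samples), bucket_minutes)]


def peak_visible(samples, bucket_minutes, agg, threshold=95):
    """True if the downsampled series still contains a point >= threshold,
    i.e. if a reader of that graph would still notice the plateau."""
    return max(downsample(samples, bucket_minutes, agg)) >= threshold


# Assumed bucket sizes per view (minutes per plotted point). These are
# illustrative guesses, not documented SFOS values.
VIEWS = {"live": 1, "24h": 5, "week": 360, "month": MINUTES_PER_DAY}


def report(samples):
    """Per view: does the plateau survive mean aggregation? max aggregation?"""
    return {view: {"mean": peak_visible(samples, bucket, mean),
                   "max": peak_visible(samples, bucket, max)}
            for view, bucket in VIEWS.items()}


if __name__ == "__main__":
    day = make_day()
    for view, seen in report(day).items():
        print(f"{view:>5}: mean-aggregated shows peak={seen['mean']}, "
              f"max-aggregated shows peak={seen['max']}")
```

With these assumptions the two-hour plateau is visible on the Live and 24h views either way, but on the Week view a mean-aggregated point covering the plateau reads about 53% and on the Month view about 36%, so the 100% load simply never appears; max aggregation keeps it at 100 on every view. The practical check when a long-range graph looks calm is to confirm which aggregation it uses, or to fall back to the short-range view or the live process list, as the original poster did.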

  • Hi,

    I am using 3 different ISP providers. 40 VoIP stations, 40 Windows boxes, 20 Linux. Bandwidth shown for the VoIP interface on the XG: min 0.2 Mbps, avg 0.5 Mbps, max 1 Mbps (but it is 1 Mbps because I still have some servers coming out of this port). I have shaping on everything, on the apt-get itself for example.

    And I don't see any CPU spikes. Sorry, but my bandwidth graphs on the XG are not currently showing.

  • Thanks.

    In my case, 3K+ devices and > 1.2 Gbps. The XG-430 works fine with < 250 Mbps, used exclusively for IPS in bridge mode; after that it just starts dropping packets (yes, that is what I see in the logs). We bought the XG-430s (yes, more than one) and the very expensive 10 Gbps OEM SFPs and were told that they could push around 9 Gbps (not that I believed that, but seriously, less than 250 Mbps...!, with the IPS rules disabled).

    R.

  • Yes, I am sorry, you were all right. I have tried both, first with selected IPS rules and then with IPS set to None.

    I opened 100 tabs in Chrome at the same time; the snort process goes from 50-60% CPU to 80-100% CPU, ICMP latency towards all my gateways on all interfaces reaches 1000-3000 ms, and VoIP is unusable.