Snort mailing list archives

Re: Snort 1.9.0 taking 100% cpu after a (unknown) while

From: Andrea Barisani <lcars () infis univ trieste it>
Date: Thu, 17 Oct 2002 09:36:16 +0200


Hi to all!

I've got the same problem with the asn1_decode preprocessor, is it enabled in
your configuration? If so it's probably the cause of the problem. I've never
had problems with conversation and portscan2.

I'll try to reproduce the traffic that triggered this behaviour and I'll send
a full bug report as soon as I can.

Bye


On Wed, Oct 16, 2002 at 06:51:14PM -0400, Chris Green wrote:

Max Valdez <max () garaged homeip net> writes:

Hi Snorters.

I'm as glad as everybody to see SourceFire in such a success, and still
giving their work for the comunity. You're a role model Marty!

Well, given said that, I have a little bit of a problem here, I'm
experiencing a fully responsive snort taking 100% of the cpu, I'm about
to test if the fully responsive part is true the next time i see snort
at 100%.

I dont have any background data to get an idea of why snort is doing
that, but i has happend like 3 times since the new version announcement.

My conf is a snort box with mysql enabled, that box runs snort, and
another one logging to it too.

If I restart snort, it comes to normallity. Any other have saw that
behavoir ?


Try disabling portscan2 and conversation and seeing if this does it.
These are the components that aren't really that well tested as of yet.

If it still occurs, try a different output subsystem :)

Cheers,
Chris
-- 
Chris Green <cmg () sourcefire com>
Warning: time of day goes back, taking countermeasures.

------------------------------------------------------------
INFIS Network Administrator & Security Officer         .*. 
Department of Physics       - University of Trieste    /V\
lcars () infis univ trieste it - PGP Key 0x8E21FE82      (/ \)
----------------------------------------------------  (   )
"How would you know I'm mad?" said Alice.             ^^-^^
"You must be,'said the Cat,'or you wouldn't have come here."
------------------------------------------------------------


-------------------------------------------------------
This sf.net email is sponsored by: viaVerio will pay you up to
$1,000 for every account that you consolidate with us.
http://ad.doubleclick.net/clk;4749864;7604308;v?
http://www.viaverio.com/consolidator/osdn.cfm
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort 1.9.0 taking 100% cpu after a (unknown) while Max Valdez (Oct 16)
- Re: Snort 1.9.0 taking 100% cpu after a (unknown) while Chris Green (Oct 16)
  - Re: Snort 1.9.0 taking 100% cpu after a (unknown) while Andrea Barisani (Oct 17)
    - Re: Snort 1.9.0 taking 100% cpu after a (unknown) while Max Valdez (Oct 17)
- <Possible follow-ups>
- Snort 1.9.0 taking 100% cpu after a (unknown) while Max Valdez (Oct 17)
- Snort 1.9.0 taking 100% cpu after a (unknown) while Max Valdez (Oct 17)
  - Re: Snort 1.9.0 taking 100% cpu after a (unknown) while Martin Roesch (Oct 17)
    - Re: Snort 1.9.0 taking 100% cpu after a (unknown) while Max Valdez (Oct 17)
- Snort 1.9.0 taking 100% cpu after a (unknown) while Max Valdez (Oct 17)