SFOS 16.01.2: snort high CPU even with IPS set to None in policy

Not sure if this is related to 16.01.2 or to some pattern update, but shortly after I updated on 11/29, my CPU usage more than doubled with no configuration changes other than the 16.01.2 update (and probably some behind-the-scenes pattern updates).

I didn't even know the CPU was under load until I felt the effects yesterday, 12/7, when my traffic was screechingly slow. When I logged onto the console, snort was taking 100% CPU!

I checked a few links from the board and found my maxpkts was 80, so I adjusted that to 8, which has helped a lot, keeping snort at around 60-70% CPU, but the system is definitely running hotter than usual (compared to the previous SFOS 16.01.1).

It also seems like VLAN routing (zone-to-zone) policies influence snort (some sort of pre-filtering?) even though the IPS policy for that rule is set to None. Is there a way to exclude traffic from snort pre-filtering if the rule defines IPS as None?

  • In reply to Remigio Lam:

    I am using 3 different ISP providers. 40 VoIP stations, 40 Windows boxes, 20 Linux. Bandwidth showing for the VoIP interface on the XG: min 0.2 Mbps, avg 0.5 Mbps, max 1 Mbps (but it is 1 Mbps because I still have some servers coming out from this port). I have shaping on everything, on apt-get itself, for example.

    And I don't see any CPU spikes. Sorry, but my bandwidth graphs on the XG are not currently showing.

  • In reply to Bonch Merdzh:

    In my case, 3K+ devices and > 1.2 Gbps. The XG-430 works fine with < 250 Mbps, used exclusively for IPS in bridge mode; after that it just starts dropping packets (yes, that is what I see in the logs). We bought the XG-430s (yes, more than one) and the very expensive 10 Gbps OEM SFPs and were told that they could push around 9 Gbps (not that I believed that, but seriously, less than 250 Mbps...!, with the IPS rules disabled).

  • In reply to Remigio Lam:

    Yes, I am sorry, you were all right. I have tried both, first with selected IPS rules and then with IPS set to None.

    I opened 100 tabs in Chrome at the same time; the snort process goes from 50-60% CPU to 80-100% CPU, ICMP latency towards all my gateways on all interfaces reaches 1000-3000 ms, and VoIP is unusable.