Snort CPU util on 17.5.6 MR6

Hi All,

Since upgrading to 17.5.6 MR6, we started to have users complaining about slow website access times. We currently have two XG 330 rev 2 in a HA active/passive config.

I created an HTTP/HTTPS bypass rule for the transparent proxy, which showed a massive improvement in website access times. This was a single rule selecting my machine as the IP; adding subsequent machines to this rule during peak load times also showed an improvement in website access times.

I then went back to our two outbound internet access rules for our org and removed HTTP scanning; immediately the CPU dropped from 70% to around 20% util. Now we have NO HTTP scanning set up on any of our rules, yet I am still seeing snort CPU util pegged.

What gives?

  • Just an update, I forgot to do -I in top, because it's a multi-core CPU. It's still high, but I'm wondering why it's still right at the top with no HTTP scanning enabled? Also, would I benefit from having both XGs in active/active?

    Cheers.

  • In reply to James Lemon:

    Hi JL

    I wonder what your IPS settings are? Please post the output from the device console for "show ips-settings", like I did below (Rev1 XG125 appliance):

    console> show ips-settings
    -------------IPS Settings-------------
            stream on
            lowmem off
            maxsesbytes 0
            maxpkts 8
            mmap off
            enable_appsignatures on
            mmapfilepath var
            http_response_scan_limit  65535
            search_method hyperscan
            sip_preproc enabled
            sip_ignore_call_channel enabled

    -------------IPS Instances------------
    IPS CPU
     1  0
     2  1

    And also which hardware you use. Obviously some quad-core CPU with 12 GB of memory. Do you have an exact CPU type?

    /Sascha

  • In reply to SaschaParis:

    I believe CPU type is:

    Intel Core i5 Quad Core 6500

    That command does not exist under the advanced shell, which is all I have access to currently.

  • In reply to James Lemon:

    What happens when you fail over to the other XG?

    Ian

  • In reply to James Lemon:

    Hello,

    This command is available in the console. You can select option 4 when you connect to the XG using SSH or Telnet. Alternatively, you can execute "cish" in the Advanced Shell to go to the console.

    Regards, Ronak.

  • In reply to Ronak Sheth:

    Many thanks Ronak, didn't know about cish.

    Here is the output:

    XG330_WP01_SFOS 17.5.6 MR-6# cish
    console> show ips-settings
    -------------IPS Settings-------------
    stream on
    lowmem off
    maxsesbytes 0
    maxpkts 8
    enable_appsignatures on
    http_response_scan_limit 65535
    search_method hyperscan
    sip_preproc enabled
    sip_ignore_call_channel enabled

    -------------IPS Instances------------
    IPS CPU
    1 0
    2 1
    3 2
    4 3

    console>

  • In reply to James Lemon:

    Agreed... The command does not exist under the advanced shell. There are alternative ways to do it, though.
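When chasing snort CPU like this, it helps to capture "show ips-settings" from both HA nodes (and before/after an upgrade) and compare them mechanically rather than by eye, and to confirm how the IPS instances are spread over the cores. The script below is an added example for this thread, not Sophos code and not anything the posters ran: it parses the two outputs posted above (embedded here as constructed copies), reports which settings differ between the two captures, and checks the instance-to-CPU map against a core count. The 4-core figure for the XG 330 is taken from the "Quad Core" statement in the thread and is an assumption of the example.

```python
# Added example (not Sophos code): parse Sophos XG "show ips-settings"
# output, diff two captures, and sanity-check the IPS instance -> CPU map.
import re
from typing import Dict, List, Tuple

# Constructed copies of the two outputs posted in the thread.
XG330_OUTPUT = """\
console> show ips-settings
-------------IPS Settings-------------
stream on
lowmem off
maxsesbytes 0
maxpkts 8
enable_appsignatures on
http_response_scan_limit 65535
search_method hyperscan
sip_preproc enabled
sip_ignore_call_channel enabled

-------------IPS Instances------------
IPS CPU
1 0
2 1
3 2
4 3

console>
"""

XG125_OUTPUT = """\
console> show ips-settings
-------------IPS Settings-------------
        stream on
        lowmem off
        maxsesbytes 0
        maxpkts 8
        mmap off
        enable_appsignatures on
        mmapfilepath var
        http_response_scan_limit  65535
        search_method hyperscan
        sip_preproc enabled
        sip_ignore_call_channel enabled

-------------IPS Instances------------
IPS CPU
 1  0
 2  1
"""


def parse_ips_settings(text: str) -> Tuple[Dict[str, str], Dict[int, int]]:
    """Return (setting name -> value, IPS instance number -> pinned CPU)."""
    settings: Dict[str, str] = {}
    instances: Dict[int, int] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()  # the XG125 capture is indented; normalise it
        if not line or line.startswith("console>"):
            continue  # prompt lines and blanks carry no data
        if line.startswith("-") and "IPS Settings" in line:
            section = "settings"
            continue
        if line.startswith("-") and "IPS Instances" in line:
            section = "instances"
            continue
        if section == "settings":
            key, _, value = line.partition(" ")
            settings[key] = value.strip()  # tolerates the double space
        elif section == "instances":
            m = re.fullmatch(r"(\d+)\s+(\d+)", line)
            if m:  # the "IPS CPU" header row does not match and is skipped
                instances[int(m.group(1))] = int(m.group(2))
    return settings, instances


def diff_settings(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, List[str]]:
    """Settings present in only one capture, or with different values."""
    return {
        "only_in_a": sorted(k for k in a if k not in b),
        "only_in_b": sorted(k for k in b if k not in a),
        "changed": sorted(k for k in a if k in b and a[k] != b[k]),
    }


def check_instance_layout(instances: Dict[int, int], cpu_count: int) -> List[str]:
    """Findings about how the IPS instances are spread over cpu_count cores."""
    findings: List[str] = []
    if len(instances) != cpu_count:
        findings.append(f"{len(instances)} IPS instances for {cpu_count} CPUs")
    owner: Dict[int, int] = {}  # CPU -> first instance pinned to it
    for inst, cpu in sorted(instances.items()):
        if cpu >= cpu_count:
            findings.append(f"instance {inst} pinned to CPU {cpu}, outside 0-{cpu_count - 1}")
        if cpu in owner:
            findings.append(f"instances {owner[cpu]} and {inst} share CPU {cpu}")
        else:
            owner[cpu] = inst
    return findings
```

Run against the two posted captures, diff_settings reports that the XG125 output carries "mmap" and "mmapfilepath" lines the XG330 output lacks (which may simply reflect different hardware or firmware), and check_instance_layout confirms the XG330 has one IPS instance per core with no two instances sharing a CPU. The same two calls on captures from each HA node, or from before and after a maintenance release, make configuration drift visible before it turns into a "why is snort pegged" investigation.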