SNORT using a lot of CPU

Question

Our old Sophos UTM is definitely a bit on the "too small" side by now, but still, we're trying to get things running for at least an extra year or so. Right now we occasionally have issues with the UTM CPU usage going up to 100%, to the point where the UTM stops processing DNS requests and people cannot open websites.

Looking at the top / atop I can see that SNORT is using a large chunk of the processing power.

The IPS logs have a lot of the following, but otherwise the logs are unimpressive:

2023:08:24-11:03:47 firewall snort[7368]: S5: Session exceeded configured max bytes to queue 1048576 using 1049800 bytes (client queue). <internal IP> 52453 --> <external IP> (0) : LWstate 0x9 LWFlags 0x406017

The problems are intermittent; typically SNORT seems to be rather quiet. Any idea what could be wrong and / or what I can do to alleviate the problem?

This thread was automatically locked due to age.

Raphael Alganes · Answer

Hello Mateusz Bender , 
 Good day and thanks for reaching out to Sophos Community. 
 You may follow this KBA to help improve CPU performance when using IPS on UTM: https://support.sophos.com/support/s/article/KB-000034850?language=en_US 
 Cheers,

Raphael Alganes · Answer

Hi Mateusz Bender , 
 Could you try to disable attacks on server signatures. This assumes you don't have Mail Server on your network or any other servers hosted behind your network, please adjust according to your setup. You may refer to the image as an example. This also could help fine tune your IPS performance. 
 
 Further, you may also try to tweak rule age to <6mos. This depends on individual factors like overall patch level, legacy systems, or other security requirements. Selecting a shorter time span will reduce the number of rules and thus improve performance.