Our old Sophos UTM is definitely a bit on the "too small" side by now, but still, we're trying to get things running for at least an extra year or so. Right now we occasionally have issues with the UTM CPU usage going up to 100%, to the point where the UTM stops processing DNS requests and people cannot open websites.
Looking at the atop output I can see that SNORT is using a large chunk of the processing power.
The IPS logs have a lot of the following, but otherwise the logs are unimpressive:
2023:08:24-11:03:47 firewall snort: S5: Session exceeded configured max bytes to queue 1048576 using 1049800 bytes (client queue). <internal IP> 52453 --> <external IP> (0) : LWstate 0x9 LWFlags 0x406017
The problems are intermittent; typically SNORT seems to be rather quiet. Any idea what could be wrong and / or what I can do to alleviate the problem?
Added a few extra details
[edited by: Mateusz Bender at 9:16 AM (GMT -7) on 24 Aug 2023]
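As an added example (not code from the original post or from Sophos), here is a small Python parser for the S5 log line quoted above. It tallies which internal hosts and which destinations keep overflowing the stream5 reassembly queue, which is the first thing to check before touching the IPS limits; the sample log excerpt and its RFC 5737 addresses are constructed.

```python
import re
from collections import Counter

# Matches the Snort stream5 (S5) queue-overflow message as it appears in the
# Sophos UTM IPS log. The source/destination fields accept either a real address
# or the <placeholder> form used in the post, so the quoted line itself parses.
S5_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) snort: "
    r"S5: Session exceeded configured max bytes to queue (?P<limit>\d+) "
    r"using (?P<used>\d+) bytes \((?P<side>client|server) queue\)\. "
    r"(?P<src><[^>]+>|\S+) (?P<sport>\d+) --> (?P<dst><[^>]+>|\S+) \((?P<dport>\d+)\)"
)

# Constructed sample excerpt (not real log data); addresses are RFC 5737
# documentation ranges. The last S5 line is the one quoted in the post.
SAMPLE_LOG = """\
2023:08:24-11:03:47 firewall snort: S5: Session exceeded configured max bytes to queue 1048576 using 1049800 bytes (client queue). 192.0.2.10 52453 --> 198.51.100.5 (443) : LWstate 0x9 LWFlags 0x406017
2023:08:24-11:03:48 firewall snort: S5: Session exceeded configured max bytes to queue 1048576 using 1052000 bytes (client queue). 192.0.2.10 52460 --> 198.51.100.5 (443) : LWstate 0x9 LWFlags 0x406017
2023:08:24-11:03:49 firewall snort: S5: Session exceeded configured max bytes to queue 1048576 using 1048700 bytes (server queue). 192.0.2.11 40021 --> 203.0.113.7 (80) : LWstate 0x9 LWFlags 0x406017
2023:08:24-11:03:50 firewall snort: Reload of the configuration completed
2023:08:24-11:03:47 firewall snort: S5: Session exceeded configured max bytes to queue 1048576 using 1049800 bytes (client queue). <internal IP> 52453 --> <external IP> (0) : LWstate 0x9 LWFlags 0x406017
"""


def parse_s5_events(text):
    """Return one dict per S5 queue-overflow line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = S5_RE.match(line)
        if m:
            ev = m.groupdict()
            for key in ("limit", "used", "sport", "dport"):
                ev[key] = int(ev[key])
            events.append(ev)
    return events


def summarize(events):
    """Count overflows per source host and per (destination, port) so the flows
    that keep filling the stream5 queue (large transfers, backups, streaming)
    stand out from the background noise."""
    by_src = Counter(e["src"] for e in events)
    by_dst = Counter((e["dst"], e["dport"]) for e in events)
    return by_src, by_dst


if __name__ == "__main__":
    evs = parse_s5_events(SAMPLE_LOG)
    by_src, by_dst = summarize(evs)
    print(f"{len(evs)} queue-overflow events")
    for host, n in by_src.most_common():
        print(f"  {host}: {n}")
```

Run it against the UTM's IPS log instead of SAMPLE_LOG; a handful of hosts or destinations accounting for most events points at specific heavy flows rather than a general capacity problem.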