
SNORT using a lot of CPU

Our old Sophos UTM is definitely a bit on the "too small" side by now, but still, we're trying to get things running for at least an extra year or so. Right now we occasionally have issues with the UTM CPU usage going up to 100%, to the point where the UTM stops processing DNS requests and people cannot open websites.

Looking at the top / atop I can see that SNORT is using a large chunk of the processing power.

The IPS logs have a lot of the following, but otherwise the logs are unimpressive:

2023:08:24-11:03:47 firewall snort[7368]: S5: Session exceeded configured max bytes to queue 1048576 using 1049800 bytes (client queue). <internal IP> 52453 --> <external IP> (0) : LWstate 0x9 LWFlags 0x406017

The problems are intermittent; typically SNORT seems to be rather quiet. Any idea what could be wrong and / or what I can do to alleviate the problem?
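To see whether the S5 messages quoted above cluster around particular internal hosts or around the minutes when the CPU spikes, the IPS log can be tallied per source and per minute. This is an added example, not part of the original post or Sophos tooling; the regular expression is written against the single log line shown in the question, and the sample addresses and extra lines are constructed.

```python
import re
from collections import Counter

# Pattern derived from the one log line quoted in the post (an assumption about
# the general format). The "ts" group is cut at minute resolution for bucketing.
S5_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}):\d{2} \S+ snort\[\d+\]: "
    r"S5: Session exceeded configured max bytes to queue (?P<limit>\d+) "
    r"using (?P<used>\d+) bytes \((?P<side>\w+) queue\)\. "
    r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) "
)

# Constructed sample input: private and documentation addresses stand in for
# the <internal IP> / <external IP> placeholders in the post.
SAMPLE = """\
2023:08:24-11:03:47 firewall snort[7368]: S5: Session exceeded configured max bytes to queue 1048576 using 1049800 bytes (client queue). 192.168.1.23 52453 --> 203.0.113.10 (0) : LWstate 0x9 LWFlags 0x406017
2023:08:24-11:03:48 firewall snort[7368]: S5: Session exceeded configured max bytes to queue 1048576 using 1050112 bytes (client queue). 192.168.1.23 52453 --> 203.0.113.10 (0) : LWstate 0x9 LWFlags 0x406017
2023:08:24-11:03:52 firewall snort[7368]: S5: Session exceeded configured max bytes to queue 1048576 using 1049000 bytes (client queue). 192.168.1.40 40112 --> 198.51.100.7 (0) : LWstate 0x9 LWFlags 0x406017
2023:08:24-11:03:59 firewall snort[7368]: S5: Session exceeded configured max bytes to queue 1048576 using 1051000 bytes (client queue). 192.168.1.23 52460 --> 203.0.113.10 (0) : LWstate 0x9 LWFlags 0x406017
2023:08:24-11:04:02 firewall snort[7368]: constructed line that is not an S5 message
2023:08:24-11:07:15 firewall snort[7368]: S5: Session exceeded configured max bytes to queue 1048576 using 1049900 bytes (client queue). 192.168.1.23 52471 --> 203.0.113.10 (0) : LWstate 0x9 LWFlags 0x406017
"""


def summarize(text):
    """Count S5 queue-limit messages per source host and per minute."""
    per_host, per_minute = Counter(), Counter()
    for line in text.splitlines():
        m = S5_RE.match(line)
        if not m:
            continue  # ignore anything that is not the S5 message
        per_host[m["src"]] += 1
        per_minute[m["ts"]] += 1
    return per_host, per_minute


def busiest(counter, n=3):
    """Return the n most frequent keys with their counts."""
    return counter.most_common(n)


if __name__ == "__main__":
    hosts, minutes = summarize(SAMPLE)
    print("Top sources:", busiest(hosts))
    print("Top minutes:", busiest(minutes))
```

Comparing the busiest minutes with the times the CPU graph peaks shows whether the two actually coincide.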

  • Hi,

    Could you try to disable attacks on server signatures? This assumes you don't have a mail server on your network or any other servers hosted behind your network; please adjust according to your setup. You may refer to the image as an example. This could also help fine-tune your IPS performance.

    Further, you may also try to tweak rule age to <6mos. This depends on individual factors like overall patch level, legacy systems, or other security requirements. Selecting a shorter time span will reduce the number of rules and thus improve performance.

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
