

SNORT using a lot of CPU

Our old Sophos UTM is definitely a bit on the "too small" side by now, but still, we're trying to get things running for at least an extra year or so. Right now we occasionally have issues with the UTM CPU usage going up to 100%, to the point where the UTM stops processing DNS requests and people cannot open websites.

Looking at the top / atop I can see that SNORT is using a large chunk of the processing power.

The IPS logs have a lot of the following, but otherwise the logs are unimpressive:

2023:08:24-11:03:47 firewall snort[7368]: S5: Session exceeded configured max bytes to queue 1048576 using 1049800 bytes (client queue). <internal IP> 52453 --> <external IP> (0) : LWstate 0x9 LWFlags 0x406017

The problems are intermittent; typically SNORT seems to be rather quiet. Any idea what could be wrong and / or what I can do to alleviate the problem?
