On Fri, Mar 13, 2009 at 10:43:33AM -0700, Sean Whitney wrote:
> Package: snort
> Version: 2.7.0-22
> Severity: important
> 
> I have had snort installed for several years without any issues.  The last
> update has changed snort's behavior so now it is utilizing all available
> CPU cycles and memory usage.  I set the lowmem setting which has helped the
> memory, but I haven't figured out how to lower the CPU load.  I have
> another identical server running ubuntu gutsy with the ubuntu 2.7.0-6 snort
> version, without any noticeable CPU or memory issues.

The only changes in the Snort engine from 2.7.0-6 to -22 were the changes in
the fragment preprocessor (security issue, see CVE-2008-1804). To see if this
is the issue you can comment out the following lines in the snort.conf
configuration file:

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies

This should disable the preprocessor. Please let me know if the behaviour is
improved after commenting out these lines.

In any case, I would like you to upgrade to 2.7.0-24 to see if this fixes the
issue. 2.7.0-22 is no longer in the archive.


Thanks,

Javier
