snort3 / snort3

Snort++

tips to reduce CPU use #304

Closed graysky2 closed 1 year ago

graysky2 commented 1 year ago

I am running snort3/OpenWRT on a RPi4. The way it is configured, I tend to have one core near 100% CPU usage at any given time. I am wondering if my configuration could be modified to give less CPU usage?

# cat /etc/snort/snort
config snort 'snort'
    option config_dir '/etc/snort/'
    option interface 'eth0:eth1'
# cat /etc/snort/homenet.lua
HOME_NET = [[ 10.9.8.0/24 10.9.7.0/24 10.9.6.0/24 10.9.5.0/24 ]]
# cat /etc/snort/local.lua
snort = {}
snort["-Q"] = true

ips = {
  mode = inline,
  variables = default_variables,
  action_override = 'drop',
  include = RULE_PATH .. '/snort.rules',
}

daq = {
  module_dirs = {
    '/usr/lib/daq',
  },
  modules = {
    {
      name = 'afpacket',
      mode = 'inline',
    }
  }
}

output.logdir = '/mnt/mmcblk0p3'
alert_fast = {
    file = true,
    packet = false,
}

normalizer = {
  tcp = {
    ips = true,
  }
}

file_policy = {
  enable_type = true,
  enable_signature = true,
  rules = {
    use = {
      verdict = 'log', enable_file_type = true, enable_file_signature = true
    }
  }
}
graysky2 commented 1 year ago

@InverseRE

InverseRE commented 1 year ago

I think there could be a number of reasons in play. But starting with profiling is a good idea.

You might want to take a look at the 'profiler' module, which is a built-in tool to check Snort rules and modules. Adding 'profiler = {}' to your configuration will print rule and module usage statistics at exit.

graysky2 commented 1 year ago

Thanks for the reply. I added it, ran for 30 sec or so and here is the output. Not sure what to make of it or what else to add to the config.

InverseRE commented 1 year ago

OK. Looking at the logs, I would not expect a simple solution here.

Aside from providing custom modules (like Hyperscan for ARM and/or a custom DAQ optimized for performance), one should look in the direction of tuning the configuration.

For example, not all traffic should be inspected, but only part of it. That could be achieved by using policies (network, inspection, ips), which will dedicate CPU to processing the really important traffic. Another possibility here is to tune the IPS rules: take the top 10 or maybe even more of them, and carefully analyze their targeted signatures to see if they can be excluded from the set at all (by using the ips.states configuration).
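
A local.lua fragment for the two steps described in this thread (enable the profiler module, then prune expensive rules with ips.states). This is an added illustration, not configuration from the issue or from the Snort project; the SIDs in the states block are placeholders to be replaced by the gid:sid pairs that top your own profiler output, which the thread does not show.

```lua
-- Added example, not from the issue or the Snort project.
-- Intended to be appended to the local.lua shown above, after the
-- existing ips table, so ips.states adds to that table instead of
-- replacing it.

-- 1. Profile first. With show = true, per-module and per-rule tables are
--    printed at shutdown, limited to the 10 most expensive entries and
--    ordered by total_time, the column that matters for a saturated core.
--    Other sort keys are 'checks' and 'avg_check'; rules additionally
--    accept 'matches', 'no_match', 'avg_match' and 'avg_no_match'.
--    A bare profiler = {} (as suggested in the thread) prints unsorted
--    full tables, which is harder to read on a busy sensor.
profiler =
{
    modules = { show = true, count = 10, sort = 'total_time' },
    rules   = { show = true, count = 10, sort = 'total_time' },
}

-- 2. Then trim. Leave snort.rules untouched and switch off individual
--    rules through states, so the change survives a rule-file update and
--    is visible in one place. Each line is gid:sid followed by the new
--    state. SIDs 1000001-1000003 are placeholders; take the real values
--    from the rules table the profiler printed and only disable rules
--    whose signatures do not apply to the traffic behind HOME_NET.
ips.states = [[
    1:1000001 disable
    1:1000002 disable
    1:1000003 disable
]]
```

Re-run with the profiler still enabled after pruning, so the before/after rule tables can be compared for the same traffic window.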

graysky2 commented 1 year ago

About hyperscan, it seems there is vectorscan for arm64... does that work with snort3?

About policies, is this configured within snort? Link?

InverseRE commented 1 year ago

Since this is a question about custom configurations, you might want to ask snort-users@lists.snort.org for users experience on the subject.