Closed graysky2 closed 1 year ago
@InverseRE
I think, there could be number of reasons in play. But starting with profiling is a good idea.
You might want to take a look at the 'profiler' module, which is a built-in tool to check Snort rules and modules. Adding 'profiler = {}' to your configuration will print rule and module usage statistics at the exit.
Thanks for the reply. I added it, ran for 30 sec or so and here is the output. Not sure what to make of it or what else to add to the config.
OK. Looking at the logs, I would not expect a simple solution here.
Aside from providing custom modules (like, Hyperscan for ARM and/or custom DAQ optimized for performance), one should look in the direction of tuning the configuration.
For example, not all traffic should be inspected, but only part of it. That could be achieved by using policies (network, inspection, ips), that will dedicate CPU for processing really important traffic. Another possibility here is to tune the IPS rules. Taking top-10 or maybe even more of them, and carefully analyzing their targeted signatures to see if they can be excluded from the set at all (by using the ips.states configuration).
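As an added illustration of the three knobs mentioned in this reply (this is not configuration posted in the thread or shipped by the Snort project), the following Snort 3 Lua fragment enables the rule and module profiler, binds one narrowly defined trusted flow to pass without inspection while everything else stays on the default policy, and disables individual rules through ips.states. The subnet, port, rules path and gid:sid values are constructed placeholders, and the rule-state line syntax is assumed from the Snort 3 manual, so check it against the manual for the installed version.

```lua
-- Added example, not from the thread. Values below are constructed placeholders.

-- 1. Profiling: print the ten most expensive rules and every module's cost at exit,
--    sorted by total time, so tuning can target what actually burns the core.
profiler = {
    rules   = { show = true, count = 10, sort = 'total_time' },
    modules = { show = true, sort = 'total_time' },
}

-- 2. Policies via the binder: bindings are evaluated in order, first match wins.
--    A known-good internal backup flow (placeholder host/port) is allowed without
--    inspection; all other traffic falls through to the default wizard/IPS path.
--    Every 'allow' binding removes detection coverage for that flow, so keep the
--    list short and document why each entry exists.
binder = {
    {
        when = { nets = '192.168.1.10/32', ports = '873', proto = 'tcp' },  -- placeholder
        use  = { action = 'allow' },
    },
    { use = { type = 'wizard' } },
}

-- 3. Rule set plus per-rule state overrides. The rules file path is a placeholder.
--    Rule-state syntax (assumed from the Snort 3 manual): <action> ( gid:N; sid:M; enable:yes|no; )
--    Use the profiler output above to pick the gid:sid pairs worth disabling.
ips = {
    enable_builtin_rules = true,
    include = 'snort3-community.rules',  -- placeholder path
    states = [[
        alert ( gid:1; sid:1000001; enable:no; )
        alert ( gid:1; sid:1000002; enable:no; )
    ]],
}
```

Run Snort with this config for a representative interval, read the profiler table printed at shutdown, and iterate: disable or re-scope only the rules whose signatures do not apply to the traffic actually seen on the interface.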
About hyperscan, it seems there is vectorscan for arm64... does that work with snort3?
About policies, is this configured within snort? Link?
Since this is a question about custom configurations, you might want to ask snort-users@lists.snort.org for users experience on the subject.
I am running snort3/OpenWRT on a RPi4. The way it is configured, I tend to have one core near 100% CPU usage at any given time. I am wondering if my configuration could be modified to give less CPU usage?