Tips to reduce CPU usage with snort3

I am running snort3/OpenWRT on a RPi4. The way it is configured, I tend to have one core near 100% CPU usage at any given time. I am wondering if I my configuration could be modified to give less CPU usage?

config snort 'snort'
	option config_dir '/etc/snort/'
	option interface 'eth0:eth1'
HOME_NET = [[ ]]
snort = {}
snort["-Q"] = true

ips = {
  mode = inline,
  variables = default_variables,
	action_override = 'drop',
  include = RULE_PATH .. '/snort.rules',

daq = {
  module_dirs = {
  modules = {
      name = 'afpacket',
      mode = 'inline',

output.logdir = '/mnt/mmcblk0p3'
alert_fast = {
	file = true,
	packet = false,

normalizer = {
  tcp = {
    ips = true,

file_policy = {
  enable_type = true,
  enable_signature = true,
  rules = {
    use = {
      verdict = 'log', enable_file_type = true, enable_file_signature = true

Disable the software flow offloading under firewall if it is not already disabled and install ethtool and check if Generic Receive Offload and Large receive offload is disabled. I had the problem that only LRO was disabled with software flow offloading but I had to disable GRO with ethtool (ethtool -K eth0(1) gro off) and add it to rc.local. What could also help is to change the fanout_type from hash to cpu and maybe create multiple snort streams with the -z (x) parameter in the start line which costs more memory but divides the bandwidth better. But honestly I don't give you much hope because I have an Apu2 device here and that is already pretty busy with Snort a Raspi might be too weak.

1 Like

I had generic-receive-offload: on for both NICs by default. Disabling it as you suggested did not really change things.

Yeah, the gro/lro stuff is a bug fix/workaround ( and doesn't do anything to performance as far as I can tell.

The interesting line of inquiry is splitting the inputs across queues, which might have some performance impact. See some of the later posts here:

The biggest thing would be reducing the ruleset down, removing rules for devices that aren't on your network, etc

Running Openwrt on RPi CM4, why not use crowdsec?

I think CrowdSec is more of a supplement to Snort than a replacement. Snort or Suricata or whatever generate the log entries that CrowdSec uses as input. Since almost nothing writes logs on standard OpenWrt, I can't see CrowdSec by itself doing much.

Try the Nfq method but also see what I and efahl wrote because the original method from cuongdao is not complete and has performance problems. Afpacket generally doesn't work because the Openwrt firewall bypasses Snort only reject works but only because Snort sends a reset packet which closes the connection the actual packets to be dropped are let through. I tested this with 2 Snort instances the Lan side supposedly dropped but the packets left the network through my Vpn interface where a Pcap Snort instance was running.

1 Like

That is disturbing ... I started a new thread about this.