Tips to reduce CPU usage with snort3

I am running snort3/OpenWrt on an RPi4. The way it is configured, I tend to have one core near 100% CPU usage at any given time. I am wondering if my configuration could be modified to use less CPU?

/etc/snort/snort

config snort 'snort'
	option config_dir '/etc/snort/'
	option interface 'eth0:eth1'

/etc/snort/homenet.lua

HOME_NET = [[ 10.9.8.0/24 10.9.7.0/24 10.9.6.0/24 10.9.5.0/24 ]]

/etc/snort/local.lua

snort = {}
snort["-Q"] = true

ips = {
  mode = inline,
  variables = default_variables,
  action_override = 'drop',
  include = RULE_PATH .. '/snort.rules',
}

daq = {
  module_dirs = {
    '/usr/lib/daq',
  },
  modules = {
    {
      name = 'afpacket',
      mode = 'inline',
    }
  }
}

output.logdir = '/mnt/mmcblk0p3'
alert_fast = {
  file = true,
  packet = false,
}

normalizer = {
  tcp = {
    ips = true,
  }
}

file_policy = {
  enable_type = true,
  enable_signature = true,
  rules = {
    use = {
      verdict = 'log', enable_file_type = true, enable_file_signature = true
    }
  }
}

Disable software flow offloading under Firewall if it is not already disabled, install ethtool, and check whether Generic Receive Offload and Large Receive Offload are disabled. I had the problem that only LRO was disabled with software flow offloading, but I had to disable GRO with ethtool (ethtool -K eth0(1) gro off) and add it to rc.local. What could also help is to change the fanout_type from hash to cpu and maybe create multiple Snort streams with the -z (x) parameter on the start line, which costs more memory but divides the bandwidth better. But honestly I don't give you much hope, because I have an APU2 device here and that is already pretty busy with Snort; a Raspi might be too weak.

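The GRO/LRO check from the post above, written out as a small BusyBox-sh script (an added example, not from any poster): it parses `ethtool -k` output for the two offloads the post names and prints the matching `ethtool -K ... off` commands, so it can be called from rc.local as suggested. The interface names eth0/eth1 come from the thread; the embedded ethtool output is constructed.

```sh
#!/bin/sh
# Added example: report GRO/LRO state on the Snort interfaces and emit the
# ethtool commands needed to switch them off. Assumes OpenWrt BusyBox sh
# and the ethtool package mentioned in the post.

# $1 = text of `ethtool -k <iface>`; prints the name of each offload among
# generic-receive-offload / large-receive-offload that is still "on".
enabled_offloads() {
    printf '%s\n' "$1" | awk '
        /^(generic-receive-offload|large-receive-offload):/ {
            name = $1; sub(/:$/, "", name)
            if ($2 == "on") print name
        }'
}

# Map the long feature name to the short key `ethtool -K` expects.
offload_key() {
    case "$1" in
        generic-receive-offload) echo gro ;;
        large-receive-offload)   echo lro ;;
        *) return 1 ;;
    esac
}

# $1 = interface, $2 = `ethtool -k` text; prints one fix command per enabled offload.
fix_commands() {
    iface=$1
    enabled_offloads "$2" | while read -r name; do
        echo "ethtool -K $iface $(offload_key "$name") off"
    done
}

# Constructed sample matching the original poster's situation: GRO on, LRO already off.
SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
generic-receive-offload: on
large-receive-offload: off [fixed]
tcp-segmentation-offload: on'

if [ "${1:-}" = "--live" ]; then
    # Live mode (e.g. from rc.local): query each Snort interface and apply the fixes.
    for iface in eth0 eth1; do
        fix_commands "$iface" "$(ethtool -k "$iface")" | while read -r cmd; do
            eval "$cmd"
        done
    done
else
    # Offline mode: show what would be run for the constructed sample.
    fix_commands eth0 "$SAMPLE_ETHTOOL_K"
fi
```

Run it with `--live` on the router to apply the changes; without arguments it only prints the commands for the sample output.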

I had generic-receive-offload: on for both NICs by default. Disabling it as you suggested did not really change things.

Yeah, the gro/lro stuff is a bug fix/workaround (https://blog.snort.org/2016/08/running-snort-on-commodity-hardware.html) and doesn't do anything to performance as far as I can tell.

The interesting line of inquiry is splitting the inputs across queues, which might have some performance impact. See some of the later posts here:

The biggest thing would be reducing the ruleset down, removing rules for devices that aren't on your network, etc

Running Openwrt on RPi CM4, why not use crowdsec?

I think CrowdSec is more of a supplement to Snort than a replacement. Snort or Suricata or whatever generate the log entries that CrowdSec uses as input. Since almost nothing writes logs on standard OpenWrt, I can't see CrowdSec by itself doing much.

Try the NFQ method, but also see what I and efahl wrote, because the original method from cuongdao is not complete and has performance problems. Afpacket generally doesn't work because the OpenWrt firewall bypasses Snort; only reject works, and only because Snort sends a reset packet which closes the connection, while the actual packets to be dropped are let through. I tested this with 2 Snort instances: the LAN side supposedly dropped, but the packets left the network through my VPN interface, where a pcap Snort instance was running.


That is disturbing ... I started a new thread about this.