topic Re: IDS/9000 causes high CPU usage in Operating System - HP-UX

IDS/9000 causes high CPU usage

Ian Little — Wed, 04 Aug 2004 09:19:53 GMT

Hi,

We have six new rp4440-8 servers set-up with IDS/9000. It's functioning correctly but the IDS process (on each machine) is taking up about 99% of one of the CPUs. The second CPU is relatively idle. The load average on all of the machines is about 0.5 with IDS running.

We are receiving many errors of the following form:

Code: 10002
Message: KernelIDSP:idskerndsp: Dropping
audit records due to heavy load. First
notice.

Followed a little later by:

Code: 10002
Message: KernelIDSP:idskerndsp: No longer
dropping audit records.

The machines are on their own network and are not running anything else.

The second problem is that we are generating severity 1 filename mapping change alerts every so often. Any idea what causes these events?

Thanks,
Simon

Re: IDS/9000 causes high CPU usage

Kent Ostby — Wed, 04 Aug 2004 09:25:52 GMT

There are some known problems with CPU usage when using both the "buffer overflow" and "race condition" settings if used together.

I believe the only workaround is to use only one of the above settings at a time.

Best regards,

Kent M. Ostby

Re: IDS/9000 causes high CPU usage

Steven E. Protter — Wed, 04 Aug 2004 09:26:27 GMT

The best course of action is to set up filters and collect a subset of information. In Internet Security class we were able to stop IDS/9000 servers cold with a default or full data collection.

If you drill in and collect only a subset of the data, CPU use on the server and client can be drastically reduced.

SEP

Re: IDS/9000 causes high CPU usage

Alex Glennie — Wed, 04 Aug 2004 11:28:33 GMT

Hi Ian just in case this maybe more than a coincidence

do you know a simon james ... if yes have a quick chat with him as we are both investigating this issue.

If not I'd await for version 3.0 or if you have a support contract with HP log a call so we can look into this in more detail.

Re: IDS/9000 causes high CPU usage

Stephanie Miller — Wed, 25 Aug 2004 12:40:09 GMT

Hello Simon,

Indeed early versions of HIDS have known performance limitations (especially when the Race Condition and Buffer Overflow templates are deployed). The replies to your post have been correct in that it's best to set up filters to fine-tune the product's configuration and if possible to turn off these most resource intensive templates to improve performance.

That said, we have specifically addressed the performance and scalability concerns you raise in our upcoming v3.0 release of the product. If you are interested in beta testing this release, the beta will be available in a matter of weeks (contact me for more information). We are planning to make the final release later this calendar year and will be strongly recommending to our customers to upgrade to this version in order to take advantage of the redesigned template engine for dramatic performance improvements. The new release will also have utilities available to ensure any custom configurations you've made in your existing installation wll be converted without loss for v3.0

Cheers,
Stephanie