Operating System - HP-UX

Ian Little
Occasional Advisor

IDS/9000 causes high CPU usage

Hi,

We have six new rp4440-8 servers set up with IDS/9000. It's functioning correctly, but the IDS process (on each machine) is taking up about 99% of one of the CPUs. The second CPU is relatively idle. The load average on all of the machines is about 0.5 with IDS running.

We are receiving many errors of the following form:

Code: 10002
Message: KernelIDSP:idskerndsp: Dropping
audit records due to heavy load. First
notice.

Followed a little later by:

Code: 10002
Message: KernelIDSP:idskerndsp: No longer
dropping audit records.

The machines are on their own network and are not running anything else.

The second problem is that we are generating severity 1 filename mapping change alerts every so often. Any idea what causes these events?

Thanks,
Simon
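The interval between a "Dropping audit records due to heavy load" notice and the matching "No longer dropping audit records" notice is a window in which the kernel audit feed has gaps, so the length of each such window is worth measuring when tuning the product. The Python below is an added example, not code from the original post or from HP; it parses the Code:/Message: record layout quoted above and assumes, as a constructed addition, that each record also carries a `Time:` line in `YYYY-MM-DD HH:MM:SS` form.

```python
import re
from datetime import datetime

# Constructed sample alerts in the Code:/Message: form quoted in the post.
# The "Time:" line and its format are an assumption of this example.
SAMPLE_ALERTS = """\
Time: 2004-06-01 10:00:05
Code: 10002
Message: KernelIDSP:idskerndsp: Dropping
audit records due to heavy load. First
notice.

Time: 2004-06-01 10:00:41
Code: 10002
Message: KernelIDSP:idskerndsp: No longer
dropping audit records.
"""

def parse_alerts(text):
    """Split blank-line-separated records; rejoin wrapped Message lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, key = {}, None
        for line in block.splitlines():
            m = re.match(r"^(Time|Code|Message):\s*(.*)$", line)
            if m:
                key = m.group(1)
                rec[key] = m.group(2)
            elif key:
                rec[key] += " " + line.strip()   # continuation of a wrapped field
        records.append(rec)
    return records

def audit_gaps(text):
    """Pair each 'Dropping audit records' alert with the next 'No longer dropping'
    alert. Returns (start, end, seconds) per gap; end is None if still dropping."""
    gaps, start = [], None
    for rec in parse_alerts(text):
        if rec.get("Code") != "10002":
            continue
        ts = datetime.strptime(rec["Time"], "%Y-%m-%d %H:%M:%S")
        if "Dropping audit records" in rec["Message"] and start is None:
            start = ts
        elif "No longer dropping" in rec["Message"] and start is not None:
            gaps.append((start, ts, (ts - start).total_seconds()))
            start = None
    if start is not None:            # log ended while records were still being dropped
        gaps.append((start, None, None))
    return gaps
```

Run `audit_gaps(SAMPLE_ALERTS)` to list the windows; an entry whose end is `None` means the agent was still dropping records when the log ended.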
Kent Ostby
Honored Contributor

Re: IDS/9000 causes high CPU usage

There are some known problems with CPU usage when using both the "buffer overflow" and "race condition" settings if used together.

I believe the only workaround is to use only one of the above settings at a time.

Best regards,

Kent M. Ostby
"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
Steven E. Protter
Exalted Contributor

Re: IDS/9000 causes high CPU usage

The best course of action is to set up filters and collect a subset of information. In Internet Security class we were able to stop IDS/9000 servers cold with a default or full data collection.

If you drill in and collect only a subset of the data, CPU use on the server and client can be drastically reduced.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Alex Glennie
Honored Contributor

Re: IDS/9000 causes high CPU usage

Hi Ian, just in case this may be more than a coincidence:

do you know a Simon James ... if yes, have a quick chat with him, as we are both investigating this issue.

If not, I'd wait for version 3.0, or if you have a support contract with HP, log a call so we can look into this in more detail.
Stephanie Miller
Occasional Advisor

Re: IDS/9000 causes high CPU usage

Hello Simon,

Indeed early versions of HIDS have known performance limitations (especially when the Race Condition and Buffer Overflow templates are deployed). The replies to your post have been correct in that it's best to set up filters to fine-tune the product's configuration and if possible to turn off these most resource intensive templates to improve performance.

That said, we have specifically addressed the performance and scalability concerns you raise in our upcoming v3.0 release of the product. If you are interested in beta testing this release, the beta will be available in a matter of weeks (contact me for more information). We are planning to make the final release later this calendar year and will be strongly recommending to our customers to upgrade to this version in order to take advantage of the redesigned template engine for dramatic performance improvements. The new release will also have utilities available to ensure any custom configurations you've made in your existing installation will be converted without loss for v3.0.

Cheers,
Stephanie