[Snort-users] Re: [snort] Class C activity

Martin Roesch roesch at ...1...
Wed Jul 19 03:28:07 EDT 2000


Dan Hollis wrote:
> 
> On Wed, 19 Jul 2000, Martin Roesch wrote:
> > Yikes, that's pretty bad.  How much RAM has the box got?
> 
> 64mb. Memory pressures aren't a factor at all. Snort doesn't use very much
> memory at all.

Ok, that shouldn't be a factor.

> <QUOTE ORIGINAL MESSAGE>
> I'm curious what sort of hardware people are using as snorters. Running the
> 07122kany.rules ruleset, a Celeron 366 is barely able to keep up with
> ^^^^^^^^^^^^^^^^^^^^^^^
> ~3mbps of traffic.
> </QUOTE ORIGINAL MESSAGE>

:)  Ok, unfortunately I don't know off the top of my head how many rules that
is, I don't maintain the rules DB and I use my own custom rule sets here at
home.  I also don't know any mods or optimizations you're using, if you're
loading the rules twice to cover multiple non-contiguous network spaces, etc. 
If I'm remembering correctly and you're only loading a single set once, then
you've probably got in the neighborhood of ~1100 rules.  That's a lot,
especially if you've done any optimization.  Your performance will also vary
based on your plugin configuration and logging method.  Have you optimized for
performance by using binary logging and fast alerts?

> Of course. I think the http parser is very cpu hungry, but it's the only
> way to catch some attacks...

It'd be interesting to run gprof and see how much time is blown in there....

   -Marty

-- 
Martin Roesch                      <roesch at ...2...>
Core R&D                         http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management



