[Snort-users] snort optimization

Kyle R Maxwell kmaxwell at ...1146...
Mon Jan 15 15:05:56 EST 2001


Please forgive the newbie question, but what sort of processing power is
required to efficiently handle a "busy network segment"? For instance, I
am planning a Snort installation to watch a network that typically hangs
around 25 Mb/s, and I'm not sure how large of a system will be
necessary. I know, this is listed in the FAQ, but the answer seems
more oriented towards troubleshooting than capacity planning.

On Mon, 15 Jan 2001, Avleen Vig wrote:

> The answer to both your questions is "no".
> I'll be VERY surprised if snort drops any packets on that setup, and you
> don't need anything more for a "more complete capture".
>
> ----- Original Message -----
> From: "Deja User" <malzubs at ...479...>
> To: <snort-users at lists.sourceforge.net>
> Sent: Monday, January 15, 2001 7:00 PM
> Subject: [Snort-users] snort optimization
>
>
> > What is the fastest, most complete way to run snort?  I have a busy
> > network segment that I’m spanning and sending to the snort IDS.
> > I downloaded the complete rule file from snort.org "snortfull.conf"
> > So here is what I have
> > snort -A full -b -c snortfull.conf -i eth0 -l /LOG/snort
> >
> > Is there anything I can do to make it faster and not drop any traffic?
> > Also, the snortfull.conf does not include any library references, is there
> > anything I can do to make my capture more complete?
> >

-- 
Kyle R Maxwell
kmaxwell at ...1146...
Superpages.com Sys Admin




