[Snort-users] snort optimization

Martin Roesch roesch at ...421...
Thu Jan 18 02:25:28 EST 2001

Snort's not multi-threaded at this point, although we are discussing
it.  If you're getting 2-4Meg(!) of alerts per minute, you need to tune
your rules majorly, there's no way that that much hostile traffic should
be occurring on your network unless you're running Anti-online. :)

Additionally, performance will vary widely with the preprocessors you
have loaded and their configuration.  It's all in your tuning of the
rules file, but unless you're really interested in seeing every ping on
your net there's a good amount of tuning you should be doing by default.


Kevin.Brown at ...1022... wrote:
> I have a PII 400 256MB Ram with the snortfull.conf listening on a single 100Mb
> link mirrored off the switch.  The network doesn't even get to 30Mb/s of use
> and the box is so overloaded processor wise that it is very sluggish to
> respond even to commands like top.  Since this is just a feasibility test here
> the data isn't analyzed much, but my bosses were surprised at just how much
> data the box is collecting (clocking around 2-4MB/min of alerts).  Now that I
> got it logging to a local SQL database (mysql) the next step is to get it
> logging to a remote db, which isn't working so far, and then start determining
> what we really need to monitor and see about getting boxen that can take the
> load.  I'm just curious if snort is multithreaded so that it can take
> advantage of a multi cpu setup.
> > You should probably be able to do a pretty good job with any low end
> > system today (subject to the number of rules you're going to run, of
> > course).  Something like a Celeron 466+ with 64MB of RAM on a dedicated
> > system should be just fine for that level of traffic.
> > > Please forgive the newbie question, but what sort of processing power is
> > > required to efficiently handle a "busy network segment"? For instance, I
> > > am planning a Snort installation to watch a network that typically hangs
> > > around 25 Mb/s, and I'm not sure how large of a system will be
> > > necessary. I know, this is listed in the FAQ, but the answer seems
> > > more oriented towards troubleshooting than capacity planning.

Martin Roesch
roesch at ...421...
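
Added example, not part of the original message or of Snort itself: one way to find which rules to tune first is to rank signatures by how much of the alert file each one produces. It assumes alerts are written in Snort's one-line "fast" alert layout; the sample lines, SIDs and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in Snort's one-line "fast" alert layout (assumed format).
# SIDs are in the local-rule range and are placeholders, not real rules.
SAMPLE = """\
01/18-02:25:01.104512  [**] [1:1000001:1] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1
01/18-02:25:01.204731  [**] [1:1000001:1] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.6 -> 10.0.0.1
01/18-02:25:40.000112  [**] [1:1000002:1] WEB probe example [**] [Priority: 2] {TCP} 10.0.0.9:1044 -> 10.0.0.2:80
01/18-02:26:02.551200  [**] [1:1000001:1] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1
01/18-02:26:03.100009  [**] [1:1000001:1] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1
truncated line without the alert markers
"""

# Timestamp (year optional), then "[**] [gid:sid:rev] message [**]".
ALERT_RE = re.compile(
    r"^(?P<minute>\d\d/\d\d(?:/\d\d)?-\d\d:\d\d):\d\d\.\d+\s+\[\*\*\]\s+"
    r"(?:\[\d+:\d+:\d+\]\s+)?(?P<msg>.+?)\s+\[\*\*\]"
)

def summarize(text):
    """Rank signatures by how much alert-file volume each one produces."""
    counts, sizes, minutes, unparsed = Counter(), Counter(), set(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALERT_RE.match(line)
        if m is None:
            unparsed += 1  # count odd lines instead of silently dropping them
            continue
        msg = m.group("msg")
        counts[msg] += 1
        sizes[msg] += len(line.encode()) + 1  # +1 for the newline
        minutes.add(m.group("minute"))
    total = sum(sizes.values())
    rows = [(msg, counts[msg], size, round(100.0 * size / total, 1))
            for msg, size in sizes.most_common()]  # noisiest first
    return {"rows": rows, "minutes": len(minutes), "unparsed": unparsed,
            "bytes_per_minute": total / max(len(minutes), 1)}

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for msg, n, size, pct in report["rows"]:
        print(f"{pct:5.1f}%  {n:6d} alerts  {size:8d} bytes  {msg}")
    print(f"{report['bytes_per_minute']:.0f} bytes/min, {report['unparsed']} unparsed")
```

Signatures at the top of the ranking are the candidates for disabling or narrowing; the bytes-per-minute figure can be compared before and after a tuning pass.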
