[Snort-users] snort optimization

Phil Wood cpw at ...440...
Thu Jan 18 12:45:42 EST 2001


I found that using an NFS mounted file system to write the logs to was a
BAD IDEA! (It was my idea, and as you might know, my Dad said: "Treat it
[the idea] kindly, it's in a strange place.")

As part of a hardware wish list, one should probably include a
fast SCSI disk.  The more you wait for a disk operation to complete, the
more packets you could lose.  Also, if you use some of the output
functions which log to remote sites off your management interface,
you could see more packet loss.  I have.

  Thanks, Phil

On Thu, Jan 18, 2001 at 02:25:28AM -0500, Martin Roesch wrote:
> Snort's not multi-threaded at this point, although we are discussing
> it.  If you're getting 2-4Meg(!) of alerts per minute, you need to tune
> your rules majorly, there's no way that that much hostile traffic should
> be occurring on your network unless you're running Anti-online. :)
> 
> Additionally, performance will vary widely with the preprocessors you
> have loaded and their configuration.  It's all in your tuning of the
> rules file, but unless you're really interested in seeing every ping on
> your net there's a good amount of tuning you should be doing by default.
> 
>     -Marty
> 
> Kevin.Brown at ...1022... wrote:
> > 
> > I have a PII 400 256MB Ram with the snortfull.conf listening on a single 100Mb
> > link mirrored off the switch.  The network doesn't even get to 30Mb/s of use
> > and the box is so overloaded processor-wise that it is very sluggish to
> > respond even to commands like top.  Since this is just a feasibility test here
> > the data isn't analyzed much, but my bosses were surprised at just how much
> > data the box is collecting (clocking around 2-4MB/min of alerts).  Now that I
> > got it logging to a local SQL database (mysql) the next step is to get it
> > logging to a remote db, which isn't working so far, and then start determining
> > what we really need to monitor and see about getting boxen that can take the
> > load.  I'm just curious if snort is multithreaded so that it can take
> > advantage of a multi cpu setup.
> > 
> > > You should probably be able to do a pretty good job with any low end
> > > system today (subject to the number of rules you're going to run, of
> > > course).  Something like a Celeron 466+ with 64MB of RAM on a dedicated
> > > system should be just fine for that level of traffic.
> > 
> > > > Please forgive the newbie question, but what sort of processing power is
> > > > required to efficiently handle a "busy network segment"? For instance, I
> > > > am planning a Snort installation to watch a network that typically hangs
> > > > around 25 Mb/s, and I'm not sure how large of a system will be
> > > > necessary. I know, this is listed in the FAQ, but the answer seems
> > > > more oriented towards troubleshooting than capacity planning.
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> 
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org

-- 
Phil Wood, cpw at ...440...
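A small discrete-event model of the effect Phil describes, added here as an illustration (it is not code from Snort and not from any poster in the thread). It assumes a single-threaded sensor that pulls packets from a fixed-size capture buffer and blocks on every alert write; while it blocks, packets keep arriving, and once the buffer is full the excess is dropped. The packet rate, per-packet inspection cost, alert ratio, write latencies and buffer size are all constructed values, and the "batched" case (paying one write for every 50 alerts) is an assumed mitigation, not a feature the thread attributes to Snort.

```python
"""Model of a single-threaded sensor whose alert writes block packet capture.

Added example, not from Snort or from the mailing list posters.
All rates, latencies and buffer sizes are constructed values.
"""
from collections import deque


def simulate(n_packets, arrival_interval_us, inspect_us, alert_every,
             write_latency_us, buffer_packets, batch_alerts=1):
    """Return drop statistics for one sensor configuration.

    Packets arrive every `arrival_interval_us`. The sensor spends `inspect_us`
    on each packet; every `alert_every`-th packet raises an alert, and each
    group of `batch_alerts` alerts costs one blocking write of
    `write_latency_us`. While the sensor is busy, arrivals queue in a capture
    buffer holding at most `buffer_packets`; anything beyond that is dropped.
    """
    queue = deque()          # indices of buffered packets, in arrival order
    sensor_free_at = 0       # time (us) at which the sensor can take the next packet
    pending_alerts = 0       # alerts held in memory until the next write
    dropped = logged = writes = 0

    def process(index, start):
        """Inspect one packet starting at `start`; return when the sensor is free."""
        nonlocal pending_alerts, logged, writes
        cost = inspect_us
        if index % alert_every == 0:
            logged += 1
            pending_alerts += 1
            if pending_alerts == batch_alerts:
                cost += write_latency_us   # blocking log write (disk, NFS, remote)
                pending_alerts = 0
                writes += 1
        return start + cost

    for i in range(n_packets):
        now = i * arrival_interval_us
        # Let the sensor work through buffered packets it can start before `now`.
        while queue and sensor_free_at <= now:
            idx = queue.popleft()
            start = max(sensor_free_at, idx * arrival_interval_us)
            sensor_free_at = process(idx, start)
        if len(queue) >= buffer_packets:
            dropped += 1             # capture buffer full: packet lost
        else:
            queue.append(i)

    # Traffic has stopped; drain whatever is still buffered.
    while queue:
        idx = queue.popleft()
        sensor_free_at = process(idx, max(sensor_free_at, idx * arrival_interval_us))

    return {"received": n_packets, "dropped": dropped,
            "drop_pct": round(100.0 * dropped / n_packets, 1),
            "alerts_logged": logged, "writes": writes}


def compare_log_targets():
    """Same traffic, three log targets: local disk, NFS, NFS with batched writes."""
    common = dict(n_packets=10_000, arrival_interval_us=100, inspect_us=20,
                  alert_every=10, buffer_packets=64)
    return {
        "local_disk": simulate(write_latency_us=200, **common),
        "nfs_mount": simulate(write_latency_us=5_000, **common),
        "nfs_mount_batched": simulate(write_latency_us=5_000, batch_alerts=50,
                                      **common),
    }


if __name__ == "__main__":
    for name, stats in compare_log_targets().items():
        print(f"{name:18s} {stats}")
```

With these numbers the local-disk case keeps up (the 220 us an alert costs is absorbed by a queue of two or three packets), the NFS case spends most of each second blocked and loses the large majority of packets, including the ones that would have alerted, and batching the same slow writes brings the drop count back to zero because the buffer of 64 packets covers a single 5 ms stall. The figures only hold for the constructed inputs; the point is that per-write latency, not average throughput, decides whether the capture buffer overflows.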