[Snort-users] snort optimization

Jason Haar Jason.Haar at ...294...
Thu Jan 18 15:55:53 EST 2001

On Thu, Jan 18, 2001 at 12:09:52AM -0700, Kevin.Brown at ...1022... wrote:
> I have a PII 400 256MB Ram with the snortfull.conf listening on a single 100Mb
> link mirrored off the switch.  The network doesn't even get to 30Mb/s of use
> and the box is so overloaded processor wise that it is very sluggish to
> respond even to commands like top.  Since this is just a feasibility test here
> the data isn't analyzed much, but my bosses were surprised at just how much
> data the box is collecting (clocking around 2-4MB/min of alerts).  Now that I
> got it logging to a local SQL database (mysql) the next step is to get it
> logging to a remote db, which isn't working so far, and then start determining

Check out top - does it say that MySQL is using most of the CPU? Is your
disk subsystem IDE or SCSI?

2-4MB/min is too large a number of alerts. With you logging them to a SQL
db - you're really gonna hit your system HARD.

I'd rethink what you're trying to achieve. If those alerts are valid, then
your only option (IMHO) is to log to tcpdump binary files on a partition set
with options like "noatime" and "nosync", then copy them off nightly/hourly onto
another box and inject into your SQL db...
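The "log to tcpdump files locally, ship them off, import later" pattern described in the reply, as an added example that is not part of the original thread or of Snort itself. It assumes Snort is writing binary logs as `snort.log.<epoch>` into a sensor directory, that the newest file by mtime is the one still open, and that each shipped file is imported by re-reading it with `snort -r` under a configuration whose output plugin writes to the database (the `IMPORT_CMD` default and all paths are assumptions; the fstab line uses `noatime` and leaves the default asynchronous writeback).

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Assumed layout (override via environment):
#   SENSOR_DIR  directory where "snort -b" writes snort.log.<epoch> files
#   STAGE_DIR   directory files are moved to before import (e.g. on the DB box)
#   IMPORT_CMD  command run per staged file; FILE is replaced by the path.
#               The default re-reads the pcap with snort so its configured
#               database output plugin does the inserts (hypothetical path).
# Suggested /etc/fstab entry for the sensor's log partition (assumption):
#   /dev/sdb1  /var/log/snort  ext3  defaults,noatime  0 2

SENSOR_DIR="${SENSOR_DIR:-/var/log/snort}"
STAGE_DIR="${STAGE_DIR:-/var/spool/snort-import}"
IMPORT_CMD="${IMPORT_CMD:-snort -r FILE -c /etc/snort/snort.conf}"

# Move every snort.log.* file except the newest one (the file snort still
# has open) from $1 to $2. Prints the number of files staged.
rotate_pcaps() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    # ls -t lists newest mtime first; snort.log.<epoch> names have no spaces
    newest=$(ls -t "$src"/snort.log.* 2>/dev/null | head -n 1)
    count=0
    for f in "$src"/snort.log.*; do
        [ -e "$f" ] || continue            # no matches: glob stayed literal
        [ "$f" = "$newest" ] && continue   # leave the file being written
        mv "$f" "$dst"/ && count=$((count + 1))
    done
    echo "$count"
}

# Run $IMPORT_CMD on each staged file in $1; files that import successfully
# are moved to $2, failures stay in place for a retry. Prints success count.
import_pcaps() {
    stage="$1"; done_dir="$2"
    mkdir -p "$done_dir"
    ok=0
    for f in "$stage"/snort.log.*; do
        [ -e "$f" ] || continue
        cmd=$(printf '%s' "$IMPORT_CMD" | sed "s|FILE|$f|g")
        if sh -c "$cmd"; then
            mv "$f" "$done_dir"/ && ok=$((ok + 1))
        else
            echo "import failed, keeping for retry: $f" >&2
        fi
    done
    echo "$ok"
}

# Typical cron usage on the sensor, then on the database host:
#   rotate_pcaps "$SENSOR_DIR" "$STAGE_DIR"      # hourly or nightly
#   import_pcaps "$STAGE_DIR" "$STAGE_DIR/done"  # after the files are copied over
```

Moving rather than copying means a file is never imported twice, and a failed import leaves the file where it was so the next run retries it instead of silently dropping alerts.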
