[Snort-users] snort optimization

Kevin.Brown at ...1022...
Thu Jan 18 18:26:57 EST 2001

This is using the default snortfull.conf file.  I'm sure there are a lot of
alerts that are false positives, but since this is just for testing I haven't
done much tuning.  The only rules I disabled were the napster and gnutella
rules since we know that traffic is there, but don't really care as we have
other hardware that will deal with that problem.

> Snort's not multi-threaded at this point, although we are discussing
> it.  If you're getting 2-4Meg(!) of alerts per minute, you need to tune
> your rules majorly, there's no way that that much hostile traffic should
> be occurring on your network unless you're running Anti-online. :)
> Additionally, performance will vary widely with the preprocessors you
> have loaded and their configuration.  It's all in your tuning of the
> rules file, but unless you're really interested in seeing every ping on
> your net there's a good amount of tuning you should be doing by default.

> > I have a PII 400 256MB Ram with the snortfull.conf listening on a single 100Mb
> > link mirrored off the switch.  The network doesn't even get to 30Mb/s of use
> > and the box is so overloaded processor wise that it is very sluggish to
> > respond even to commands like top.  Since this is just a feasibility test here
> > the data isn't analyzed much, but my bosses were surprised at just how much
> > data the box is collecting (clocking around 2-4MB/min of alerts).  Now that I
> > got it logging to a local SQL database (mysql) the next step is to get it
> > logging to a remote db, which isn't working so far, and then start determining
> > what we really need to monitor and see about getting boxen that can take the
> > load.  I'm just curious if snort is multithreaded so that it can take
> > advantage of a multi cpu setup.
> > 
> > > You should probably be able to do a pretty good job with any low end
> > > system today (subject to the number of rules you're going to run, of
> > > course).  Something like a Celeron 466+ with 64MB of RAM on a dedicated
> > > system should be just fine for that level of traffic.
> > 
> > > > Please forgive the newbie question, but what sort of processing power is
> > > > required to efficiently handle a "busy network segment"? For instance, I
> > > > am planning a Snort installation to watch a network that typically hangs
> > > > around 25 Mb/s, and I'm not sure how large of a system will be
> > > > necessary. I know, this is listed in the FAQ, but the answer seems
> > > > more oriented towards troubleshooting than capacity planning.
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
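The tuning step Martin describes (finding which rules generate the bulk of the alert volume so they can be disabled or thresholded) starts with counting alerts per signature. The following script is an added example, not code from this thread or from the Snort project; it assumes Snort's classic alert output, where both the full and the fast formats carry a `[**] [gid:sid:rev] message [**]` header and a `src -> dst` address line. The sample log and its sids are constructed.

```python
import re
from collections import Counter

# "[**] [gid:sid:rev] message [**]" header shared by Snort's full and fast
# alert formats (assumption: Snort 1.x-style text alerts).
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")
# "src[:port] -> dst[:port]"; on the header line in fast format, on the
# following line in full format.
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample: two fast-format lines, one fast-format ICMP line, and
# one full-format alert. Sids are in the local (1000000+) range, not real rules.
SAMPLE_ALERTS = """\
01/18-18:26:57.123456  [**] [1:1000001:1] P2P napster login [**] 10.0.0.5:1234 -> 192.0.2.10:6699
01/18-18:26:58.000001  [**] [1:1000001:1] P2P napster login [**] 10.0.0.7:1235 -> 192.0.2.10:6699
01/18-18:26:59.000002  [**] [1:1000002:1] ICMP echo [**] 10.0.0.5 -> 10.0.0.1
[**] [1:1000003:1] P2P gnutella connect [**]
01/18-18:27:00.000003 10.0.0.5:2000 -> 192.0.2.20:6346
TCP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:48
"""

def tally_alerts(lines):
    """Return (alerts per (sid, msg), alerts per source IP) for a Snort alert log."""
    by_sig, by_src = Counter(), Counter()
    current = None
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            current = (int(m.group(2)), m.group(4))
            by_sig[current] += 1
        a = ADDR_RE.search(line)
        if a and current is not None:
            by_src[a.group(1)] += 1
    return by_sig, by_src

def tuning_report(lines, top=3):
    """Rank signatures by volume with their share of all alerts; the top entries
    are the first candidates for disabling or thresholding."""
    by_sig, _ = tally_alerts(lines)
    total = sum(by_sig.values())
    return [(sid, msg, n, round(100.0 * n / total, 1))
            for (sid, msg), n in by_sig.most_common(top)]

if __name__ == "__main__":
    for sid, msg, n, pct in tuning_report(SAMPLE_ALERTS.splitlines()):
        print(f"sid {sid:>8}  {n:>5} alerts  {pct:>5}%  {msg}")
```

Run it against a real alert file with `tuning_report(open("alert").read().splitlines())`; a rule that accounts for most of the volume but matches traffic you already handle elsewhere (as with the napster and gnutella rules above) is the first to disable.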
