[Snort-users] snort optimization

Kevin.Brown at ...1022... Kevin.Brown at ...1022...
Thu Jan 18 18:44:11 EST 2001


top reports that Snort is using 98% of the cpu, mysqld is using .1%.  I didn't
do much in the way of optimizing the snortfull.conf, but that is in the
works.  When I have more sensors I'll split the rules up between them and see
if that reduces the load on the processor.

> > I have a PII 400 256MB Ram with the snortfull.conf listening on a single 100Mb
> > link mirrored off the switch.  The network doesn't even get to 30Mb/s of use
> > and the box is so overloaded processor wise that it is very sluggish to
> > respond even to commands like top.  Since this is just a feasibility test here
> > the data isn't analyzed much, but my bosses were surprised at just how much
> > data the box is collecting (clocking around 2-4MB/min of alerts).  Now that I
> > got it logging to a local SQL database (mysql) the next step is to get it
> > logging to a remote db, which isn't working so far, and then start determining
> 
> Check out top - does it say that MySQL is using most of the CPU? Is your
> disk subsystem IDE or SCSI?
> 
> 2-4MB/min is too large for number of alerts. With you logging them to a SQL
> db - you're really gonna hit your system HARD.
> 
> I'd rethink what you're trying to achieve. If those alerts are valid, then
> your only option (IMHO) is to log to tcpdump binary files on a partition set
> with options like "noatime" and "nosync", then copy them off nightly/hourly onto
> another box and inject into your SQL db...
> 
> 
> -- 
> Cheers
> 
> Jason Haar
> 
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> 
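The hand-off Jason describes (sensor writes tcpdump-format binary logs to a noatime partition, a cron job ships completed files to another box, and that box replays them into MySQL) as an added example; this script is not from the thread or from the Snort project. The paths, hostnames, cron line and snort.conf fragments in the comments are assumptions, and the collector-side snort invocation is shown only as a comment, not run. The mount line uses noatime; asynchronous writes are already the Linux default, so no further option is added. The ship_logs function skips files younger than a few minutes (the one snort is still writing) and verifies each copy's cksum before deleting the sensor's copy, so a failed transfer never loses alerts.

```shell
#!/bin/sh
# ship_snort_logs.sh (added example, not part of the original post)
#
# Sensor side, assumed setup:
#   /etc/fstab:   /dev/sdb1  /var/log/snort  ext2  defaults,noatime  0 0
#   snort.conf:   output log_tcpdump: snort.log      (binary log, no DB output)
#   crontab:      0 * * * *  /usr/local/sbin/ship_snort_logs.sh /var/log/snort /var/spool/snort/out
#
# Collector side (assumed, not executed here): replay each shipped file
# through a second snort with a database output plugin, e.g.
#   snort -r /var/spool/snort/in/snort.log.1011000000 -c collector.conf
# where collector.conf contains
#   output database: log, mysql, user=snort dbname=snort host=localhost

set -eu

# Files modified less than this many minutes ago may still be open by snort.
MIN_AGE_MIN=${MIN_AGE_MIN:-5}

# copy_one SRC DESTDIR: the transfer step, isolated so it can be swapped for
# scp/rsync to the collector host. A plain cp keeps this example local.
copy_one() {
    cp "$1" "$2/"
}

# ship_logs SPOOL DEST
# Copy every completed snort.log.* file from SPOOL to DEST, compare cksums,
# and only then remove the sensor's copy. Prints the number of files shipped.
ship_logs() {
    spool=$1
    dest=$2
    shipped=0
    for f in "$spool"/snort.log.*; do
        [ -f "$f" ] || continue
        # -mmin is GNU find; use -mtime (days) on a find without it.
        if [ -n "$(find "$f" -mmin -"$MIN_AGE_MIN")" ]; then
            continue    # too fresh: snort is probably still writing it
        fi
        base=$(basename "$f")
        sum_src=$(cksum < "$f" | cut -d' ' -f1)
        copy_one "$f" "$dest"
        sum_dst=$(cksum < "$dest/$base" | cut -d' ' -f1)
        if [ "$sum_src" = "$sum_dst" ]; then
            rm -f "$f"
            shipped=$((shipped + 1))
        else
            echo "cksum mismatch for $base, keeping sensor copy" >&2
            rm -f "$dest/$base"
        fi
    done
    echo "$shipped"
}

# Run only when called with both directories, e.g. from cron:
#   ship_snort_logs.sh /var/log/snort /var/spool/snort/out
if [ $# -ge 2 ]; then
    ship_logs "$1" "$2"
fi
```

Keeping the database load off the sensor is the whole point: the sensor only does sequential writes to a noatime filesystem, and the replay box can fall behind during a burst without dropping packets on the mirror port.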