[Snort-users] snort optimization

Austad, Jay austad at ...432...
Thu Jan 18 19:00:04 EST 2001


> top reports that Snort is using 98% of the CPU, mysqld is using .1%.  I
> didn't do much in the way of optimizing the snortfull.conf, but that is
> in the works.  When I have more sensors I'll split the rules up between
> them and see if that reduces the load on the processor.

Try commenting out the defrag preprocessor; if I disable mine, I go from
99.9% CPU to about 20 or 30%.  Of course, you don't get alerted to some
things that way.

Jay

> -----Original Message-----
> From: Kevin.Brown at ...1022... [mailto:Kevin.Brown at ...1022...]
> Sent: Thursday, January 18, 2001 5:44 PM
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] snort optimization
> 
> 
> top reports that Snort is using 98% of the CPU, mysqld is using .1%.  I
> didn't do much in the way of optimizing the snortfull.conf, but that is
> in the works.  When I have more sensors I'll split the rules up between
> them and see if that reduces the load on the processor.
> 
> > > I have a PII 400 256MB RAM with the snortfull.conf listening on a
> > > single 100Mb link mirrored off the switch.  The network doesn't even
> > > get to 30Mb/s of use and the box is so overloaded processor-wise that
> > > it is very sluggish to respond even to commands like top.  Since this
> > > is just a feasibility test here the data isn't analyzed much, but my
> > > bosses were surprised at just how much data the box is collecting
> > > (clocking around 2-4MB/min of alerts).  Now that I got it logging to
> > > a local SQL database (mysql) the next step is to get it logging to a
> > > remote db, which isn't working so far, and then start determining
> > 
> > Check out top - does it say that MySQL is using most of the CPU? Is
> > your disk subsystem IDE or SCSI?
> > 
> > 2-4MB/min is too large a number of alerts. With you logging them to a
> > SQL db - you're really gonna hit your system HARD.
> > 
> > I'd rethink what you're trying to achieve. If those alerts are valid,
> > then your only option (IMHO) is to log to tcpdump binary files on a
> > partition set with options like "noatime" and "nosync", then copy them
> > off nightly/hourly onto another box and inject into your SQL db...
> > 
> > 
> > -- 
> > Cheers
> > 
> > Jason Haar
> > 
> > Unix/Special Projects, Trimble NZ
> > Phone: +64 3 9635 377 Fax: +64 3 9635 417
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > 
> 
> 

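Added example (not code from this thread, and not part of Snort itself): the import half of the pipeline Jason describes above, where the sensor only writes alerts to a flat file and a separate box bulk-loads that file into a SQL database in batched transactions instead of issuing one INSERT per alert while sniffing. It assumes the one-line "fast" alert layout shown in the constructed sample lines (alert timestamps carry no year, so 2001 is assumed), uses SQLite in place of MySQL, and the table name and schema are invented for the demonstration. Lines that do not parse are counted and skipped rather than aborting the load.

```python
"""Batch-load Snort fast-format alert lines into a SQL database.

Added example for this thread, not Snort's own code.  The sensor writes
alerts to a file; this script, run on another box, parses the file and
inserts the rows in batches, one transaction per batch.
"""
import re
import sqlite3
from datetime import datetime

# Constructed sample data: three alerts in the one-line "fast" layout
# (assumed format), plus one corrupt line that the loader must survive.
SAMPLE_ALERTS = """\
01/18-17:44:02.123456 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.3 -> 10.1.2.4
01/18-17:44:05.654321 [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.2.3:2034 -> 10.1.2.80:80
01/18-17:44:05.700000 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.3 -> 10.1.2.5
this line is garbage and must be skipped, not crash the import
"""

# gid:sid:rev, classification and priority are optional so that older
# builds that omit them still parse.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+)?"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<pri>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Za-z]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?$"
)

# Invented schema for the demonstration; not Snort's database layout.
SCHEMA = """
CREATE TABLE IF NOT EXISTS alert (
    id INTEGER PRIMARY KEY,
    ts TEXT NOT NULL, gid INTEGER, sid INTEGER, rev INTEGER,
    msg TEXT NOT NULL, classification TEXT, priority INTEGER,
    proto TEXT NOT NULL, src TEXT NOT NULL, sport INTEGER,
    dst TEXT NOT NULL, dport INTEGER
);
CREATE INDEX IF NOT EXISTS alert_sid ON alert (sid);
"""

INSERT_SQL = (
    "INSERT INTO alert (ts, gid, sid, rev, msg, classification, priority,"
    " proto, src, sport, dst, dport) VALUES (?,?,?,?,?,?,?,?,?,?,?,?)"
)


def _to_int(value):
    return int(value) if value is not None else None


def parse_alert(line, year=2001):
    """Return a row tuple for the alert table, or None for a non-alert line.

    The fast format carries no year, so the caller supplies one (assumed).
    """
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    ts = datetime.strptime(f"{year}/{f['ts']}", "%Y/%m/%d-%H:%M:%S.%f").isoformat()
    return (ts, _to_int(f["gid"]), _to_int(f["sid"]), _to_int(f["rev"]),
            f["msg"], f["cls"], _to_int(f["pri"]), f["proto"],
            f["src"], _to_int(f["sport"]), f["dst"], _to_int(f["dport"]))


def load_alerts(conn, lines, batch_size=1000):
    """Parse alert lines and insert them batch_size rows per transaction.

    Returns (inserted, skipped).  Unparseable lines are skipped, not fatal.
    """
    conn.executescript(SCHEMA)
    inserted = skipped = 0
    batch = []
    for line in lines:
        if not line.strip():
            continue
        row = parse_alert(line)
        if row is None:
            skipped += 1
            continue
        batch.append(row)
        if len(batch) >= batch_size:
            with conn:                      # one COMMIT per batch
                conn.executemany(INSERT_SQL, batch)
            inserted += len(batch)
            batch = []
    if batch:
        with conn:
            conn.executemany(INSERT_SQL, batch)
        inserted += len(batch)
    return inserted, skipped


def top_signatures(conn, limit=5):
    """Most frequent signatures, the first question to ask of 2-4MB/min of alerts."""
    return conn.execute(
        "SELECT sid, msg, COUNT(*) AS c FROM alert"
        " GROUP BY sid, msg ORDER BY c DESC, sid LIMIT ?", (limit,)
    ).fetchall()


def demo():
    """Load the constructed sample into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    inserted, skipped = load_alerts(conn, SAMPLE_ALERTS.splitlines())
    return inserted, skipped, top_signatures(conn)


if __name__ == "__main__":
    print(demo())
```

Run it against a real file with `load_alerts(sqlite3.connect("alerts.db"), open("alert.fast"))`; the batch size is the knob that trades memory for fewer commits, which is the whole point of moving the database work off the sensor.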