[Snort-users] snort optimization

Kevin.Brown at ...1022... Kevin.Brown at ...1022...
Sat Jan 27 02:47:44 EST 2001


Yes, the system is running snort 1.7 with the snortfull.conf file from the
downloads section of snort.org.  The database grew in just five days to close
to 1.5GB, most of which is ICMP alerts, most of those are TTL exceeded in
transit.  I'm considering disabling that rule since it is accounting for an
overwhelming majority of the alerts.

Because of the size of the db I had to disable all access to ACID until either
snort can deal with the db being locked while reading without it crashing out
the interface or get two way db replication working so that ACID can be used
to maintain the db and trim out false positives.  I've given up merging the
old db that was on the snort box with the db that is on the remote server
since that would add up to well over 2GB of information.

This is still just a work in progress to see how it handles things and if it
can do what we need.  Unfortunately snortsnarf wasn't an option for dealing
with the flat logs since I don't have a server with the performance needed to
snarf them and the db option isn't completely ready for our current needs till
I can solve the above problem.

One of the tests I'm going to hopefully be able to perform in the next week or
two is comparing system performance between the laptop that is currently doing
snort (PII 400, 256MB Ram) and a similar desktop to see if the laptops design
for low power vs the desktops design of just pure horsepower makes a
difference.

> Are you running 1.7?

> > If that's the case then it's not in the config file I have.

> > > No, that's the minfrag preprocessor.  The defrag preprocessor performs
> > > IP defragmentation and looks like this in the snort.conf file:

> > > preprocessor defrag

> > > > I don't want to assume anything, so by defrag preprocessor do you mean
> > > > preprocessor minfrag: 128?

> > > > > Try commenting out the defrag preprocessor, If I disable mine, I go from
> > > > > 99.9% cpu to about 20 or 30%.  Of course, you don't get alerted to some
> > > > > things that way.





More information about the Snort-users mailing list