[Snort-users] performance snort question

Roeland Weve roeland at ...1415...
Mon Jun 18 05:30:58 EDT 2001


I was wondering if someone could give me some advice:

Snort is running on a 700 MHz processor with 128 MB.
The IDS has to handle, on average, 600000 MB a month.
At peak hours the incoming data traffic is 4 Mbps (work hours).
I am using 500 rules (split into alerts and log) and a lot of pass
rules.

Snort is using 98.8 % of the processor and 3.6% of the memory (4 MB)
When restarting snort after almost 1 hour:

snort: Snort received 1830489 packets
snort:  and dropped 0(0.000%) packets  
snort: Breakdown by protocol:                Action Stats: 
snort:     TCP: 1740759    (95.098%)         ALERTS: 2          
snort:     UDP: 77353      (4.226%)          LOGGED: 8          
snort:    ICMP: 12307      (0.672%)          PASSED: 2577       
snort:     ARP: 63         (0.003%) 
snort:    IPv6: 0          (0.000%) 
snort:     IPX: 0          (0.000%) 
snort:   OTHER: 0          (0.000%) 
snort: DISCARD: 0          (0.000%) 

After some days the memory is pretty well used; by then snort is using
more than 40% of the memory. Maybe that's because I'm running the 1.8 beta
version (build 24).

I have some questions, because I can't figure out what the performance
of Snort is:
- I have never seen snort drop any packets;
does that mean that snort is running well?
(and dropped 0(0.000%) packets)
- Because the memory usage is increasing,
does this mean that snort has a memory leak?
- Do I need more memory and/or a bigger processor?

Thanks,
	Roeland



