[Snort-users] performance snort question
roeland at ...1415...
Mon Jun 18 05:30:58 EDT 2001
I was wondering if someone could give me some advice:
Snort is running on a 700 Mhz processor with 128 mb
The IDS has to handle, on average, with 600000 MB a month.
On peak hours the data traffic incoming is 4 Mbps (work hours)
I am using 500 rules (splitted in alerts and log) and a lot off pass
Snort is using 98.8 % of the processor and 3.6% of the memory (4 MB)
When restarting snort after almost 1 hour:
snort: Snort received 1830489 packets
snort: and dropped 0(0.000%) packets
snort: Breakdown by protocol: Action Stats:
snort: TCP: 1740759 (95.098%) ALERTS: 2
snort: UDP: 77353 (4.226%) LOGGED: 8
snort: ICMP: 12307 (0.672%) PASSED: 2577
snort: ARP: 63 (0.003%)
snort: IPv6: 0 (0.000%)
snort: IPX: 0 (0.000%)
snort: OTHER: 0 (0.000%)
snort: DISCARD: 0 (0.000%)
After some days the memory is pretty good used, by then snort is using
more then 40% of the memory. Maybe that's because I'am running 1.8 beta
version (build 24).
I have some questions, because I can't figure out what the performance
of Snort is:
- I have never seen that snort dropped some packets,
does that mean that snort is running good?
(and dropped 0(0.000%) packets)
- Because of the memory usage is increasing,
does this mean that snort has a memory leak?
- Do I need more memory and/or a bigger processor?
More information about the Snort-users