"Austad, Jay" wrote:
> I had a PIII 733 sitting at 100% CPU on anything above 19-20Mbps.  Logging
> to a MySQL server on a separate box.  I also have a PIII550 that would sit
> at 100% on anything above 15Mb/sec.  On both of these boxes, snort was
> consuming 99% of the CPU.  Maybe I need to throw snort some different flags,
> which ones should I use to get the best performance?  (I don't have the ones
> I'm using now available at this moment).

IDS benchmarking / tuning is an inexact science at best. 

Coupla things you can try to improve performance:

1. Log in binary / tcpdump format (-b), and then run a separate snort
process in the background (or on another box, take a look at Snorticus)
to convert that output to your preferred logging format (database or
packet tree).

2. Strip all the garbage out of the ruleset -- if you don't care about
it, don't alert for it.

3. Read up on improving TCP performance for your box. A good place to
start: http://www.psc.edu/networking/perf_tune.html

4. Try a coupla different NICs and a coupla different OSes to see what
performs best. I have some personal loyalties on this front, but I'll be
nice and not go there... I'll just say that I've had better luck with
the OSes with the mascot with the horns and the pitchfork than the ones
with the fat bird from Antarctica and the multicolored flying window.

5. RAM's cheap right now. Get lots.

6. Compile with -O2; maybe do the same with libpcap. IANAD (I Am Not A
Developer), so I'm not sure if this helps with libpcap.

I dunno, I've personally used Snort on a 45Mbps (average around 25Mbps)
DS3 segment on a PII / 500 with a tweaked FreeBSD install with no
problems. Sure, it pegged the proc, but it didn't drop packets. I was
logging to binary, though. I'd wager that logging to DB would definitely
degrade performance, although the DB plugin folks can confirm / deny.
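Point 2 above (strip out what you don't care about) is usually done by hand, but it is easy to script. The following is an added example, not code from the poster or from the Snort project: it parses Snort rule lines, reads each rule's classtype and sid, and comments out every rule whose classtype is on a "don't care" list, so the sensor spends its cycles only on the signatures you would actually act on. The sample rules, sids and messages are constructed for the example; the classtype names are the standard ones from Snort's classification.config.

```python
"""Trim a Snort ruleset to the classtypes you actually want to alert on."""
import re

# Constructed sample rules for this example (not from the original post);
# the sids and msg strings are placeholders.
SAMPLE_RULES = """\
# local rules -- comment lines pass through untouched
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example attack"; content:"/cgi-bin/"; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"POLICY IRC client"; classtype:policy-violation; sid:1000002; rev:1;)
alert icmp any any -> any any (msg:"ICMP echo"; itype:8; classtype:misc-activity; sid:1000003; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS example"; content:"|00 00 FC|"; classtype:attempted-recon; sid:1000004; rev:1;)
"""

# action proto src sport dir dst dport ( options )
RULE_RE = re.compile(
    r'^\s*(alert|log|pass|activate|dynamic|drop|reject|sdrop)\s+'
    r'(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$'
)


def split_options(body):
    """Split the option body on ';' separators that are not inside double quotes.

    Returns a dict keyword -> value (value is '' for flag-style options).
    A repeated keyword such as several content: options keeps the last one,
    which is fine here because we only look at classtype and sid.
    """
    opts, cur, in_quote, escaped = {}, [], False, False

    def flush():
        token = ''.join(cur).strip()
        if token:
            key, _, value = token.partition(':')
            opts[key.strip()] = value.strip()

    for ch in body:
        if escaped:                      # character after a backslash inside quotes
            cur.append(ch)
            escaped = False
            continue
        if ch == '\\' and in_quote:
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            flush()
            cur = []
        else:
            cur.append(ch)
    flush()
    return opts


def parse_rule(line):
    """Return a dict for a rule line, or None for comments / blank / non-rule lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    return {
        "action": action, "proto": proto, "src": src, "sport": sport,
        "direction": direction, "dst": dst, "dport": dport,
        "options": split_options(body),
    }


def trim_ruleset(text, drop_classtypes):
    """Comment out rules whose classtype is in drop_classtypes.

    Returns (output_lines, dropped_sids). Everything that is not a rule, or a
    rule with a wanted classtype, is passed through unchanged.
    """
    out, dropped = [], []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule and rule["options"].get("classtype") in drop_classtypes:
            dropped.append(int(rule["options"].get("sid", "0")))
            out.append("# disabled by trim_ruleset: " + line)
        else:
            out.append(line)
    return out, dropped


def count_active_rules(lines):
    """Number of lines that still parse as live (uncommented) rules."""
    return sum(1 for line in lines if parse_rule(line) is not None)


if __name__ == "__main__":
    # Classtypes this sensor's operators have decided not to alert on.
    unwanted = {"policy-violation", "misc-activity"}
    kept, gone = trim_ruleset(SAMPLE_RULES, unwanted)
    print("\n".join(kept))
    print("disabled sids:", gone, "active rules left:", count_active_rules(kept))
```

To use it on a real install, feed it the contents of a rules file and write the returned lines back out; the disabled rules stay in the file as comments, so it is easy to see what was switched off and to re-enable anything that turns out to matter.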