[Snort-users] thoughts on load balancing snort boxen for high traffic links

Siddhartha Jain s_i_d_j at ...131...
Tue Mar 20 05:57:07 EST 2001

I have 10% CPU utilization at approx. 10 Mbps on a Dual UltraSparc 450 MHz
with 1 GB RAM. This is how my Snort is set up. I have a port each on two
switches configured as span ports for all the ports on the two switches.
Both these span ports are connected to a hub (a 10-BaseT) to which the wire
coming from the IDS box is also connected.

And I have a problem: my snort dies after approx. two days giving a core
dump. So either the hub drops packets and snort dies trying to reassemble
the TCP stream (I get a lot of "snort: [!] WARNING: TCP stream reassembler,
Server Bytes in Buffer > Buffer Size (33952 > 26520)" messages) OR there is
a problem with Snort itself. Either way, I could use some help with trying to
keep Snort 24x7. Could someone tell me how to inspect the core dump?

Siddhartha Jain

> I had a PIII 733 sitting at 100% CPU on anything above 19-20Mbps.  Logging
> to a MySQL server on a separate box.  I also have a PIII550 that would sit
> at 100% on anything above 15Mb/sec.  On both of these boxes, snort was
> consuming 99% of the CPU.  Maybe I need to throw snort some different
> which ones should I use to get the best performance?  (I don't have the
> I'm using now available at this moment).
> Jay

> > -----Original Message-----
> > From: shawn . moyer [mailto:shawn at ...1184...]
> > Also Jay, I'm not sure about your statement about 20Mbps being too much
> > for Snort to handle. The general consensus seems to be that a beefy box
> > running Snort with a fast bus and a lot of RAM logging to binary format
> > can handle upwards of 90Mbps without a whimper.

