[Snort-users] thoughts on load balancing snort boxen for high-traffic links

Doug White dwhite at ...1486...
Tue Mar 20 22:32:23 EST 2001


On Mon, 19 Mar 2001, shawn . moyer wrote:

> 1. Log in binary / tcpdump format (-b), and then run a separate snort
> process in the background (or on another box, take a look at Snorticus)
> to convert that output to your preferred logging format (database or
> packet tree).

I think this helps a lot more than you might think.  I have a dual
PIII/600 running FreeBSD 4.2-RELEASE with -Afull -DeqX and I'm seeing
0.05% loss.  -b seemed to be drop-proof.

I'll have to set it up to log with -b initially and reprocess with -r for
snortsnarf.  Some patches will be necessary to get a decent log filename
though :-)

> I dunno, I've personally used Snort on a 45Mbps (average around 25Mbps)
> DS3 segment on a PII / 500 with a tweaked FreeBSD install with no
> problems. Sure, it pegged the proc, but it didn't drop packets. I was
> logging to binary, though. I'd wager that logging to DB would definitely
> degrade performance, although the DB plugin folks can confirm / deny
> this.

I'm curious what your tweaks were.  BPF doesn't consume that many mbufs
(what I'm used to tuning) but I suspect there's some buffers I could
increase.  The interrupt load with Intel ethernet cards is minuscule (try
a 3com and get ready to catch your jaw as it drops).  And the syscalls are
pretty low (20/sec or so).

Doug White                    |  FreeBSD: The Power to Serve
dwhite at ...1486...     |  www.FreeBSD.org
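Added example (not code from this thread, from Snort, or from snortsnarf): the "log raw with -b, reprocess later with -r" pattern discussed above, shown at the file-format level. The block writes the libpcap ("tcpdump format") file layout that snort -b produces, reads it back, and runs a trivial content scan over the stored records to stand in for the slow, offline analysis pass. It assumes the standard libpcap layout (4-byte magic 0xa1b2c3d4, 24-byte global header, 16-byte per-record header); the frames, timestamps, the snaplen truncation case and the 199,900/100 received/dropped counters are constructed for the demo, and the hypothetical scan_log() is a stand-in for a real detection engine, not a Snort API.

```python
"""Minimal libpcap (tcpdump-format) writer/reader plus an offline re-scan,
illustrating capture-fast-then-reprocess. Pure standard library; constructed
sample data; not Snort's own code."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap magic
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same magic seen from a file of the other byte order
LINKTYPE_ETHERNET = 1


def write_pcap(path, packets, snaplen=1514):
    """Write records as (sec, usec, frame_bytes). Frames longer than snaplen
    are stored truncated, exactly as a sniffer with that snaplen would."""
    with open(path, "wb") as fh:
        # magic, major, minor, thiszone, sigfigs, snaplen, linktype
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                             snaplen, LINKTYPE_ETHERNET))
        for sec, usec, data in packets:
            caplen = min(len(data), snaplen)
            # ts_sec, ts_usec, captured length, original wire length
            fh.write(struct.pack("<IIII", sec, usec, caplen, len(data)))
            fh.write(data[:caplen])


def read_pcap(path):
    """Return (linktype, [(sec, usec, origlen, data), ...]) from a pcap file,
    handling either byte order and rejecting truncated files."""
    with open(path, "rb") as fh:
        gh = fh.read(24)
        if len(gh) < 24:
            raise ValueError("truncated global header")
        magic = struct.unpack("<I", gh[:4])[0]
        if magic == PCAP_MAGIC:
            endian = "<"
        elif magic == PCAP_MAGIC_SWAPPED:
            endian = ">"
        else:
            raise ValueError("not a libpcap file")
        _, _, _, _, _, _, linktype = struct.unpack(endian + "IHHiIII", gh)
        records = []
        while True:
            rh = fh.read(16)
            if not rh:
                break
            if len(rh) < 16:
                raise ValueError("truncated record header")
            sec, usec, caplen, origlen = struct.unpack(endian + "IIII", rh)
            data = fh.read(caplen)
            if len(data) < caplen:
                raise ValueError("truncated packet data")
            records.append((sec, usec, origlen, data))
        return linktype, records


def scan_log(path, patterns):
    """Hypothetical offline pass (stand-in for 'snort -r'): byte-substring
    matches over the captured bytes only. Returns (index, sec, usec, pattern)."""
    _, records = read_pcap(path)
    hits = []
    for idx, (sec, usec, _origlen, data) in enumerate(records):
        for pat in patterns:
            if pat in data:
                hits.append((idx, sec, usec, pat))
    return hits


def loss_percent(received, dropped):
    """Drop rate from pcap_stats()-style counters, as a percentage."""
    total = received + dropped
    return 0.0 if total == 0 else 100.0 * dropped / total


def demo(path=None):
    """Write a constructed log, re-read it, and re-scan it. Uses a temp file
    unless a path is given."""
    use_tmp = path is None
    if use_tmp:
        fd, path = tempfile.mkstemp(suffix=".pcap")
        os.close(fd)
    try:
        eth = b"\x00" * 12 + b"\x08\x00"        # constructed 14-byte Ethernet header
        frames = [                               # constructed sample traffic
            (984978343, 100, eth + b"GET /index.html HTTP/1.0\r\n"),
            (984978343, 250, eth + b"HTTP/1.0 200 OK\r\n"),
            (984978343, 900, eth + b"A" * 2000),  # exceeds snaplen -> stored truncated
        ]
        write_pcap(path, frames, snaplen=1514)
        linktype, records = read_pcap(path)
        hits = scan_log(path, [b"index.html"])
        truncated = sum(1 for _, _, orig, data in records if len(data) < orig)
        return {
            "linktype": linktype,
            "packets": len(records),
            "hits": [h[0] for h in hits],
            "truncated": truncated,
            # constructed counters chosen to give the 0.05% figure quoted above
            "loss_percent": round(loss_percent(199_900, 100), 2),
        }
    finally:
        if use_tmp:
            os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The capture side does nothing but append fixed-size headers and raw bytes, which is why the binary path drops so little: all parsing, matching and database work moves to read_pcap()/scan_log(), which can run later or on another box against the same file. Note that matching only sees the captured bytes, so a snaplen smaller than the frame silently hides payload from the offline pass.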