[Snort-users] RE: FW: Two questions...

Martin Roesch roesch at ...1935...
Thu Oct 25 18:54:02 EDT 2001


Stop using the mysql output plugin, there is a definite correlation
between using the MySQL output plugin and 99% CPU utilization on Linux
boxen, and if you search the archives you'll see this issue come up over
and over again.  A good workaround would be to write your Snort logs to
a tcpdump binary log file (-b or output log_tcpdump) and postprocess
them into the DB or use the new unified output system and the latest
barnyard beta.

For the record, I develop on FreeBSD 4.2 (I've been too lazy to upgrade)
and regularly test Snort on FreeBSD, OpenBSD, Solaris/Sparc,
Tru64/Alpha, Win2k and RH Linux.  Of all the systems I test on, RH and
Win2k give me the most headaches (Win2k because it's "different", RH
because of the stupid package management system and their constant
tweaking of low level system constructs which inevitably breaks things
(see RH-specific changes to libpcap, struct timeval, etc)).

There's nothing specifically *wrong* with RedHat (I've really been
enjoying KDE 2.2.1 on RH with a custom 2.4.10 kernel on one of my
laptops) but the constant, seemingly intentional breaking of low level
interoperability in the system drove me away from it originally. 
Conversely, I haven't had to repair a single thing due to changes that
have been made to the Free/OpenBSD internals in over two years.

YMMV, take it with a grain of salt, etc.  I'm not trying to start (or
maintain) a holy war, just stating my experiences as a developer
building/maintaining a piece of software that runs on over 25 platforms.

     -Marty


"Grimes, Shawn (NIA/IRP)" wrote:
> 
> Just an FYI, I hooked up another box today with exactly the same specs as
> the original snort box but I used FreeBSD.  Initially I was happy because it
> was running at about 15% CPU utilization, then by 5pm, it was up to 80-90%
> again.  Now I don't know anything about FreeBSD, I was happy enough I got it
> installed so I really didn't do any tweaking.  But I just wanted to report
> my experience.  Any ideas for a next step to lower these rates?  Possibly a
> cvs version of snort?  I'm not particularly attached to any OS, I can adapt.
> 
> -----Original Message-----
> From: Bob Walder [mailto:bwalder at ...3902...]
> Sent: Thursday, October 25, 2001 9:57 AM
> To: wayne at ...3179...; Grimes, Shawn (NIA/IRP);
> snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] FW: Two questions...
> 
> Like I said - I am not Linux bashing - it is an excellent OS and I do not
> intend to be drawn into any further religious arguments.
> 
> What I am saying - and probably a bit harshly initially, I admit, but I was
> trying to rattle off a reply whilst extremely busy - is that OS choice
> should be strictly "horses for courses" not "my OS is better than your OS".
> 
> In our TESTING, we have proved FreeBSD 4.3 to be a more stable and better
> performing platform for Snort 1.8.1 than Red Hat Linux 7.1.
> 
> That's all.
> 
> Beyond that, YMMV
> 
> Regards,
> 
> Bob
> 
> -----Original Message-----
> From: Wayne Work [mailto:wwork at ...3179...]
> Sent: 25 October 2001 14:08
> To: Bob Walder; 'Grimes Shawn (NIA/IRP)';
> snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] FW: Two questions...
> 
> I am not sure I would BASH Linux so quick. BSD as well has its moments but
> ask IBM (ya, the Big BLUE) about why they are advertising and placing LINUX
> on servers, appliances and AS/400 machine. Geee!!! Go figure???
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Bob Walder
> Sent: Thursday, October 25, 2001 8:08 AM
> To: 'Grimes, Shawn (NIA/IRP)'; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] FW: Two questions...
> 
> Actually, perhaps I should quickly modify my earlier caustic comments re
> Linux and IDS to say that Linux sucks OUT OF THE BOX - there are things that
> can be done to improve performance (the right drivers and some parameter
> tweaks for example), but I still prefer BSD for running Snort.
> 
> Regards,
> 
> Bob
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Grimes,
> Shawn (NIA/IRP)
> Sent: 25 October 2001 04:03
> To: 'snort-users at lists.sourceforge.net'
> Subject: [Snort-users] FW: Two questions...
> 
>  Alright I have two questions that I haven't been able to find answers for.
> Or at least answers that were satisfying.  Sorry if these are being repeated
> but I didn't see anything in any of the forums or any of the recent messages
> to this group.
> 
>  First the details:
> Red Hat Linux 7.2 on a dual 1.3 GHz PIII w/ 1 Gig of RAM
> Snort Version 1.8.1-RELEASE (Build 74)
> dumping to a MySQL database using the latest stable release
> 
>  1).  Snort keeps logging two entries of each alert.  There is definitely
> only one instance of snort running, and there is only one interface that
> it's monitoring/active.  Has anyone had similar problems?
> 
>  2).  I'm on a network with probably 1,000 nodes.  The traffic ranges
> anywhere from 5Mbit/sec and I've seen as high as 20Mbit/sec.  The CPU
> utilization of SNORT is up to 99% constantly.  And I'm getting significant
> packet losses as you can imagine.  Is this too high of a demand for SNORT?
> If not, what are some ways I can lower the CPU usage and increase the amount
> of packets SNORT can handle?  Thanks for any suggestions.
> 
>  Thank You,
>  Shawn Grimes
>  NCTS
>  Gerontology Research Center
>  410-558-8007
>  grimessh at ...3368...
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
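The workaround Marty describes (drop the database output plugin, log in tcpdump binary or unified format and do the DB inserts off the packet path) as an added snort.conf illustration, not a configuration from the thread or the Snort project; the file names, the size limits and the barnyard command line are assumptions.

```conf
# snort.conf fragment (added illustration, not from the thread)

# The setting the thread advises against on a busy sensor: every alert
# becomes a synchronous MySQL insert inside Snort's packet path.
# output database: log, mysql, user=snort dbname=snort host=localhost

# Option 1: binary tcpdump-format log (same effect as -b on the command
# line). Import later, e.g. by re-reading the file on another box with
#   snort -r /var/log/snort/snort.log -c snort-db.conf
# where snort-db.conf carries the database output line above.
output log_tcpdump: snort.log

# Option 2: unified output, consumed by barnyard which performs the DB
# inserts outside the Snort process. The "limit" value is the per-file
# size cap in MB (assumed values).
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
# Assumed barnyard beta invocation; check its usage text for exact flags:
#   barnyard -c barnyard.conf -d /var/log/snort -f snort.log -w barnyard.waldo
```

Whichever option is used, packet capture no longer waits on the database, which is the CPU and packet-loss problem Shawn reported.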



