[Snort-users] performance related question

Chris Green cmg at ...1935...
Tue Aug 13 04:42:02 EDT 2002


"Zach Forsyth" <zach.forsyth at ...6337...> writes:

> Hi there,
>  
> Just wanted to ask what hardware most people are running on?  I have
> a Celeron 400, win2k, latest stable snort, ACID, mysql, etc. and
> seem to be dropping a lot of traffic.

First, try running in -A fast -b mode and then seeing what your packet
loss rates are. Is that a high alert rate?

> The snort box is connected to
> a 10mb hub and captures all traffic flowing past.  These are the
> statistics I get if I run snort under a command prompt and then
> ctrl-C it:
>  
> Snort analyzed 117056 out of 209072 packets, The kernel dropped
> 88722(42.436%) packets.
>  
> Does this mean I am dropping 42% of all packets? Or are these the
> packets that are meeting the rules and being processed by snort?

Packets dropped.

>  
> Also I wanted to ask whether people are using alert or log mode?
> I seem to have a lot more alerts captured into ACID with alert mode. 
>  
> I am about to change over to RH 7.3 but will have similar hardware. 

What OS do you have now?  What other things are eating cpu on the
machine?  What ethernet card do you have?

> Is a celeron400 capable of running on a fairly saturated 10mb link?

Theres a lot to that question :^)
-- 
Chris Green <cmg at ...1935...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod




More information about the Snort-users mailing list