[Snort-users] Snort on networks with heavy load.

Thomas Springer tuev at ...4508...
Mon Feb 4 03:17:07 EST 2002

>I wonder if there are any other Snort-users that have any experience in
>using Snort on heavily loaded networks? I would be glad to get some advice

>500 workstations here and ~20 heavy-traffic-web/application-servers here,
>10.000 alarms/day.

don't log portscans, cut out the icmps.
cut the ruleset as far as possible, try the fast-options for logging
instead of logging directly to the db.
snort catches 100% packets of approx. 8-12 MBit/s here on an out of the box
Celeron 700/256MB.

>Currently I have removed a lot of signatures, and Snort is not getting all
>our traffic. I am logging to a Mysql db, and using ACID as web-frontend
>(which is SLOW btw). The number of daily alerts is between 5k and 10k.

we're using snortsnarf as frontend (problem: eats up _massive_ amounts of
mem when analyzing big logfiles).
another possibility is to use multiple snort-sensors for different networks
or rulesets.
e.g. one for the proxies/gateways connecting your users to the net, one for
the servers outside dmz and one for servers inside dmz. there's usually no
prob with running two or three sensors on one machine.
if you have multiple subnets, it could make sense to use multiple
snort-processes for these as well.

what i see here is, that the usual net-noise (nimda, code-red,
proxyscans....) differs extremely depending on the subnet (I monitor a few
195.30.* and 217.5.*) and depending on the machines on my side of the
network (workstations // servers) - so i decided to separate these in
different snorts.

you'll always have part of this net-noise in your logs - the art is, to see
the different or new alerts or patterns.

sorry for not having the golden rule,


Thomas Springer
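
Added example, not part of the original post: a Python sketch of the advice above to keep a separate view per subnet and to look for alerts that differ from the usual net-noise, run over Snort fast-mode alert lines. The subnet names, address ranges, signature ids and log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Fast-mode alert line: "... [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]"
FAST = re.compile(
    r"\[\*\*\]\s+\[(\d+:\d+):\d+\]\s+(.*?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+\S+\s+->\s+(\S+?)(?::\d+)?\s*$")

# Constructed sample data: documentation address ranges and local-range sids.
SUBNETS = {"servers": "192.0.2.0/24", "workstations": "198.51.100.0/24"}
BASELINE = """\
02/03-10:01:02.000001  [**] [1:1000001:1] LOCAL web worm probe [**] [Priority: 1] {TCP} 203.0.113.9:3311 -> 192.0.2.10:80
02/03-10:05:40.000002  [**] [1:1000002:1] LOCAL proxy scan [**] [Priority: 2] {TCP} 203.0.113.77:4100 -> 198.51.100.23:8080
"""
TODAY = """\
02/04-03:10:00.000001  [**] [1:1000001:1] LOCAL web worm probe [**] [Priority: 1] {TCP} 203.0.113.9:3400 -> 192.0.2.10:80
02/04-03:11:00.000002  [**] [1:1000002:1] LOCAL proxy scan [**] [Priority: 2] {TCP} 203.0.113.77:4200 -> 192.0.2.10:8080
02/04-03:12:00.000003  [**] [1:1000002:1] LOCAL proxy scan [**] [Priority: 2] {TCP} 203.0.113.77:4201 -> 198.51.100.23:8080
02/04-03:13:00.000004  [**] [1:1000003:1] LOCAL ping sweep [**] [Priority: 3] {ICMP} 203.0.113.5 -> 198.51.100.23
"""

def per_subnet(text, subnets):
    """Count (gid:sid, msg) per monitored subnet, keyed on the destination address."""
    counts = defaultdict(Counter)
    for line in text.splitlines():
        m = FAST.search(line)
        if not m:
            continue  # blank or non-alert line
        sig, msg, dst = m.groups()
        try:
            addr = ip_address(dst)
        except ValueError:
            continue  # destination is not a plain IP address
        for name, net in subnets.items():
            if addr in ip_network(net):
                counts[name][(sig, msg)] += 1
    return counts

def new_alerts(baseline, today, subnets):
    """Signatures seen today on a subnet that this subnet's own baseline never showed."""
    base, cur = per_subnet(baseline, subnets), per_subnet(today, subnets)
    out = {}
    for name, seen in cur.items():
        fresh = {k: n for k, n in seen.items() if k not in base[name]}
        if fresh:
            out[name] = fresh
    return out
```

With this sample the proxy scan is reported for the server subnet even though it is routine noise on the workstation subnet, because each subnet is compared only against its own baseline.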
