[Snort-users] Snort on networks with heavy load.

John-Magne Bredal bredal at ...4842...
Mon Feb 4 05:24:02 EST 2002

Hmm, don't get this in my mail so I paste the Subject...

Anyway thanks for the answer! Some more:

> don't log portscans, cut out the icmps.
> cut the ruleset as far as possible, try the fast-options for logging
> instead of logging directly to the db.
> snort catches 100% packets of approx. 8-12 MBit/s here on an out of the
> box Celeron 700/256MB.

I have cut the portscans, they spam too much to give any real
information anyway. I tried mirroring the traffic on about 10k computers
to Snort, resulted in a CPU usage of 99.9% BUT Snort said it didn't lose
any packets?! I find that very strange.

I run Mandrake 8.1, no X, 1G RAM, dual 450MHz CPUs.

> if you have multiple subnets, it could make sense to use multiple
> snort-processes for these as well.

Yes, I have considered that. The main problem with multiple sensors is
that there are more things to control and supervise. My ultimate goal is
to make a system that searches the alerts and extracts the most vital
information (that is, filters out the "fake" alerts) and then messages the
security team by SMS or email. Of course there is the problem about
real-time alerting, but as I consider the human response time as the
largest anyway... well, we'll see how it works out...

John Magne Bredal
Student ved NTNU - Telematikk
bredal at ...4842...

"Just because you're paranoid, doesn't mean they're not after you."
