Thomas Springer tuev at ...4508...
Wed Jan 9 04:28:04 EST 2002

I've got a performance problem:

We're running snort 1.8.3 on a Celeron 700/256MB RAM/SuSE 7.3, monitoring a
network with about 10 MBit/s IP traffic.
We're using the standard ruleset and the standard snort.conf; at the moment
we log with "-A fast -b -d".

Snort works fine, but it eats up between 50 and 99 percent CPU time,
regardless of whether I use standard logging, -A fast -b, or the
unified output plugin. I even tried to exclude a big gateway host with "not
host fat_inet_gate" - this reduces traffic to approx. 7 MBit/s, but the
server load stays the same.

Are there any known ways to optimize performance and reduce server load?

I found that un-defining a home net reduces the CPU load:
"var HOME_NET [217.x.x.0/24,193.x.x.0/24]"  means 60-90% CPU load
"var HOME_NET any"                           means 30-60% CPU load

Any hints for further optimizing?

Will rearranging the rule application order help?
I'm using the standard "->activation->dynamic->alert->pass->log" at the


Thomas Springer


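The two knobs the post mentions, the scope of HOME_NET and the rule application order, side by side in a snort.conf fragment. This is an added example in Snort 1.8-era syntax, not part of Thomas's message and not a file from the Snort project; the addresses, the rsync pass rule and the `config order:` directive are assumptions for illustration, so check the directive names against the snort.conf and README shipped with your version before relying on them.

```conf
# Added example (not from the original post): snort.conf tuning sketch for
# Snort 1.8.x. All addresses and host names below are placeholders.

# Command line from the post, with the BPF filter excluding the gateway:
#   snort -c snort.conf -A fast -b -d not host fat_inet_gate

# Tight HOME_NET: every packet is compared against each listed CIDR and
# every $HOME_NET rule is evaluated in the direction it is written.
# This is the form the post reports at 60-90% CPU.
# var HOME_NET [217.0.0.0/24,193.0.0.0/24]

# Loose HOME_NET: no per-packet address match at all, reported at 30-60% CPU.
# Caveat: rules written as $EXTERNAL_NET -> $HOME_NET now fire in both
# directions, so you trade address checks for noisier, less specific alerts.
var HOME_NET any
var EXTERNAL_NET any

# Rule application order. The standard order the post quotes is
# activation -> dynamic -> alert -> pass -> log, so pass rules only run
# after the alert rules already matched. Putting pass first lets known-good
# traffic be dropped before the (large) alert ruleset is walked.
# Assumption: the 'config order' directive as documented for Snort 1.8;
# the same effect is available via the -o command-line switch.
config order: pass activation dynamic alert log

# Example pass rule (placeholder addresses) that short-circuits a noisy
# internal backup flow before the alert rules ever see it.
pass tcp 10.0.0.5 any -> 10.0.0.6 873 (msg:"rsync backup, ignore";)
```

Measure each change separately (HOME_NET scope, BPF exclusion, pass-first ordering) and watch the alert volume as well as CPU: a lower load that comes from rules silently no longer matching their intended direction is not an optimization.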