[Snort-users] Can I 'nice' snort process?

Frank la at ...4425...
Thu Jan 10 12:48:02 EST 2002


Have you set your HOME_NET and EXTERNAL_NET variables? If not this is a
likley source of all the CPU use.

Other strategies:

1. Remove rules that don't apply to your systems. If Windows, remove UNIX
signatures, etc.
2. Redure the rules that have "any" port number or destination.
3. Reduce the ICMP rules. Do your really need to log all the pings? If so,
do this on your firewall.

Take a look at the preprocessors, read the docs and make sure you need all
of them enabled.

I had issues with snort's ram usage growing. I disabled:

preprocessor defrag
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384

And enabled:

preprocessor frag2: 16777216, 10
preprocessor stream4: timeout 10, maxbytes 16384


And the problem was solved.

Frank



On Thu, 10 Jan 2002, Tran, John wrote:

> I'm running snort on one of my web servers as a local IDS (don't ask me why,
> let's just go along w/ it for now..) and it takes up massive amounts of CPU
> (40%), which can be expected considering it's a large amount of traffic.  It
> was suggested to me to run 'nice' on the process to throttle it's CPU usage,
> but I'm pretty sure throttling snort will cause it to drop a lot of packets.
> Is this true?





More information about the Snort-users mailing list