[Snort-users] Can I 'nice' snort process?
la at ...4425...
Thu Jan 10 12:48:02 EST 2002
Have you set your HOME_NET and EXTERNAL_NET variables? If not this is a
likley source of all the CPU use.
1. Remove rules that don't apply to your systems. If Windows, remove UNIX
2. Redure the rules that have "any" port number or destination.
3. Reduce the ICMP rules. Do your really need to log all the pings? If so,
do this on your firewall.
Take a look at the preprocessors, read the docs and make sure you need all
of them enabled.
I had issues with snort's ram usage growing. I disabled:
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor frag2: 16777216, 10
preprocessor stream4: timeout 10, maxbytes 16384
And the problem was solved.
On Thu, 10 Jan 2002, Tran, John wrote:
> I'm running snort on one of my web servers as a local IDS (don't ask me why,
> let's just go along w/ it for now..) and it takes up massive amounts of CPU
> (40%), which can be expected considering it's a large amount of traffic. It
> was suggested to me to run 'nice' on the process to throttle it's CPU usage,
> but I'm pretty sure throttling snort will cause it to drop a lot of packets.
> Is this true?
More information about the Snort-users