[Snort-users] Can I 'nice' snort process?

Saad Kadhi bsdguy at ...4401...
Thu Jan 10 13:11:02 EST 2002


On Thu, 2002-01-10 at 20:19, Tom Sevy wrote:
> Can you refer me to any guidelines for tuning the Freebsd kernel in ways
> that would help Snort's performance?
well first thing you should really consider is tune the snort
configuration itself. tweak logging since file i/o cost some cpu. then
enable softupdates on your partitions.it'll speed up some file system
operations a lot. though softupdates is pretty stable, I'd advise you to
backup the box first thing before enabling it. Next, consider stripping
down the kernel to the minimum. The smaller the kernel is, the faster is
your box. Then get a look at:
http://www.daemonnews.org/200108/benchmark.html
http://www.freebsd.org/handbook/

if you are running short of mbufs, rise NMBCLUSTERS & the like (for the
VM). For a VERY GOOD description of all the tweaking/tuning options a
FreeBSD kernel has & given you have a copy of the source tree, look @:
/usr/src/sys/i386/conf/LINT. each option is explained there. As to what
pertains to snort itself, ask Marty&crew what snort needs to run faster.
it is beyond my knowledge (though I suspect fs i/o, fds, ...etc. the
usual suspects!).

HTH

> 
> -----Original Message-----
> From: Saad Kadhi [mailto:bsdguy at ...4401...] 
> Sent: Thursday, January 10, 2002 1:58 PM
> To: Tran, John
> Cc: 'snort-users at lists.sourceforge.net'
> Subject: Re: [Snort-users] Can I 'nice' snort process?
> 
> 
> On Thu, 2002-01-10 at 19:03, Tran, John wrote:
> > I'm running snort on one of my web servers as a local IDS (don't ask me
> why,
> > let's just go along w/ it for now..) and it takes up massive amounts of
> CPU
> > (40%), which can be expected considering it's a large amount of traffic.
> It
> > was suggested to me to run 'nice' on the process to throttle it's CPU
> usage,
> > but I'm pretty sure throttling snort will cause it to drop a lot of
> packets.
> > Is this true?
> yep at least to my field knowledge. But instead of nice-ing, you could
> log less stuff, tune up your kernel, etc...
> 
> regards.
> 
> -- 
> /Saad --  [bsdguy at ...4401...] 
> [pgp keyid: 35592A6D http://pgp.mit.edu]
> # buy a geek-in-a-can, point nozzle at technical problem and spray
> # if desesperate degauss your screen. it might solve your pb as well
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
-- 
/Saad --  [bsdguy at ...4401...] 
[pgp keyid: 35592A6D http://pgp.mit.edu]
# buy a geek-in-a-can, point nozzle at technical problem and spray
# if desesperate degauss your screen. it might solve your pb as well





More information about the Snort-users mailing list