[Snort-users] Performance questions

Erek Adams erek at ...577...
Fri Jan 18 13:54:03 EST 2002


On Fri, 18 Jan 2002, Lucas de Carvalho Ferreira - BMS wrote:

> I am trying to monitor a high traffic 100Mbs switch port with snort on a 433
> MHz Celeron machine running Red Hat 7.2 but snort is dropping about 10% of
> the packets, even if the CPU load is at an average of 70% (seen with top).
> Is there any configuration tips for snort or for the Linux kernel to get
> better performance? Could it be an I/O performance problem?

Ummm...  Lucas, that's a bit of a small box for that kind of load.  Have a
look at this snipped email from Marty to the snort-users list from earlier
last year.

http://www.theadamsfamily.net/~erek/snort/perf.txt

If you want to see the whole email, it's archived at:
http://marc.theaimsgroup.com/?l=snort-users&m=100208652925991&w=2

For Linux specific tips, do some archive searching.  I don't run Linux so I've
not any useful info on it.  Check the archives for posts from Abe Getchell,
Phil Wood, and John Sage.  Off the top of my head, those guys leap to mind as
Linux-type folks.  :)

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net






More information about the Snort-users mailing list