[Snort-users] Performance questions

Abe L. Getchell abegetchell at ...530...
Fri Jan 18 23:25:01 EST 2002


Hi Lucas!

Well, it _could_ be anything. =)  Here are some things you can do that
I've found to be very effective while monitoring high-volume networks.
A couple of these were also mentioned in this thread already by
others...

1) Spend a couple of days, or a week, tuning the signatures for your
environment.  This will make a _huge_ difference in how Snort performs
on _any_ platform; it will be well worth the time you'll spend doing it.

2) Log in fast alerting and binary logging mode.  This has been noted in
the Snort user manual and FAQ, on this list, and in every presentation
I've heard Marty give at various conferences as giving a significant
performance increase over ASCII logging mode.

3) Make sure you have high-quality NICs in your sensor.  For the 10/100
environment, I usually stick with the Intel PRO/100 cards.  I, as well
as others on the list, have had good luck with these.

4) Make sure you have a high performance disk subsystem so Snort doesn't
have to spend all its time waiting for disk I/O to complete when it
should be parsing packets!  Along the same lines, check out Barnyard at
the Snort web site.  I personally haven't played with it much, and I
wouldn't put it in production yet 'cause it's still beta code, but it
could help ease the problem if disk I/O is the issue.

5) Make sure you have the _fastest_ processor you can afford.  Nothing
beats raw processing power, which is getting cheap these days.  I've
read here, as well as from other sources, that a PIII 1.0GHz running on
Linux in a tuned configuration can keep up with 100Mb/sec+ pretty
easily.

6) Compile what you can from source!  Don't rely on the pre-built RPMs
from the Snort web site as they may have been built with compile-time
options not best suited for your environment.  This _can_ make a big
difference if done correctly.

7) Recompile your kernel without all the crap that you don't need.  Red
Hat puts a lot of extra stuff in the kernel so users will have the best
functionality but at the expense of squeezing every last drop of
performance out of the system.  Only you know what you need, or don't
need, so it's hard to say exactly what can be left in or taken out.

I hopefully will be able to get my personal site up some time within the
next week where I'll be putting some detailed instructions about how to
setup a high-performance and _very_ stable Snort sensor based on the
Snort 1.8.3 release and Red Hat Linux 7.2; the configuration detailed
has gone through thousands of hours in high-volume production and test
networks with _great_ results.  I have it all scribbled down on paper, I
just need to convert it to HTML. =)

Hope this helped.

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell at ...530...
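Two of the points above (the drop rate Lucas is seeing, and tuning signatures before anything else) are easier to act on with numbers in hand. The following is an added example, not code from Abe's message or from the Snort project: a small Python script that parses the packet statistics Snort prints at shutdown to compute the drop percentage, and counts alerts per signature from an alert_fast-style log so the noisiest rules can be reviewed first. The statistics line layout ("Snort analyzed N out of M packets, dropping D(P%) packets") and the alert_fast line layout are assumed from memory of the Snort 1.8 era and should be checked against the output of your own build; the log samples below are constructed, not real sensor output.

```python
import re
from collections import Counter

# Constructed sample of the statistics block Snort prints at shutdown.
# The exact wording is an assumption (Snort 1.8 era); adjust STATS_RE if
# your build prints it differently.
SAMPLE_STATS = """\
===============================================================================
Snort analyzed 1834210 out of 2037900 packets, dropping 203690(9.995%) packets
    Breakdown by protocol:                Action Stats:
    TCP: 1701390      (92.758%)          ALERTS: 812
    UDP: 98110        (5.349%)           LOGGED: 812
   ICMP: 22180        (1.209%)           PASSED: 0
===============================================================================
"""

# Constructed sample of alert_fast-style lines (one alert per line).
# Signature IDs 1000001/1000002 are placeholders in the local-rule range.
SAMPLE_FAST_ALERTS = """\
01/18-17:12:01.104512  [**] [1:1000001:1] TEST web probe [**] [Priority: 2] {TCP} 10.0.0.5:40112 -> 10.0.1.10:80
01/18-17:12:01.204813  [**] [1:1000001:1] TEST web probe [**] [Priority: 2] {TCP} 10.0.0.6:40113 -> 10.0.1.10:80
01/18-17:12:02.000001  [**] [1:1000002:1] TEST icmp ping [**] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.1.10
"""

STATS_RE = re.compile(
    r"analyzed (\d+) out of (\d+) packets, dropping (\d+)\(([\d.]+)%\)"
)

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)


def parse_drop_stats(text):
    """Return analyzed/received/dropped counts and the drop percentage
    recomputed from the raw counts (not trusted from the printed %)."""
    m = STATS_RE.search(text)
    if not m:
        return None
    analyzed, received, dropped = (int(m.group(i)) for i in (1, 2, 3))
    drop_pct = 100.0 * dropped / received if received else 0.0
    return {
        "analyzed": analyzed,
        "received": received,
        "dropped": dropped,
        "drop_pct": round(drop_pct, 3),
    }


def drops_exceed(stats, limit_pct=1.0):
    """True when the sensor dropped more than limit_pct of received packets."""
    return stats is not None and stats["drop_pct"] > limit_pct


def top_signatures(alert_text, n=5):
    """Count alerts per (sid, msg) so the loudest rules can be tuned first."""
    counts = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            counts[(int(m.group("sid")), m.group("msg"))] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    stats = parse_drop_stats(SAMPLE_STATS)
    print("drop stats:", stats)
    if drops_exceed(stats):
        print("WARNING: drop rate above 1%; revisit signatures, logging mode, disk and NIC")
    for (sid, msg), hits in top_signatures(SAMPLE_FAST_ALERTS):
        print(f"sid {sid:>8}  {hits:>5}  {msg}")
```

Run it against a captured shutdown banner and an alert_fast file instead of the embedded samples; a few signatures usually account for most of the alert volume, and those are the first candidates for thresholding or disabling during the tuning pass described in point 1.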

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Lucas de
Carvalho Ferreira - BMS
Sent: Friday, January 18, 2002 5:12 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Performance questions


Hello,
I am trying to monitor a high traffic 100Mbs switch port with snort on a
433 MHz Celeron machine running Red Hat 7.2 but snort is dropping about
10% of the packets, even if the CPU load is at an average of 70% (seen
with top). Are there any configuration tips for snort or for the Linux
kernel to get better performance? Could it be an I/O performance
problem?
Thanks a lot, 
Lucas C. Ferreira 
Senior IT Analyst 
BMS - Belgo-Mineira Sistemas 
phone: +55-31-32174116 