[Snort-users] Performance questions

Fernando Miguelez Palomo jtbmipaf at ...4632...
Tue Jan 22 00:46:09 EST 2002


You could try using FreeBSD instead of Linux since its packet capture 
device (BPF) is better. It delivers to libpcap several packets every 
system call instead of just one like Linux (this was true at least in 
older versions of libpcap). This saves system calls, which leads to a 
performance improvement.

On the other hand, try disabling all the preprocessors you don't need. 
Snort can't analyze another packet until it has finished preprocessing and 
analyzing the previous one (and logging the alert if the packet has 
triggered any rule). 

How many alerts are you getting? The more alerts you get, the more likely 
you are to drop packets; try tuning rules to obtain as few false 
alerts as possible. Which scheme of alerting do you use? More verbose 
alerts produce more disk activity (more delay until the next packet analysis).

Regards,
Fernando.    
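The serial pipeline described above (one analyzer that cannot take the next packet until preprocessing, matching and alert logging of the previous one are done, fed from a bounded kernel capture buffer) can be modelled to see why a sensor drops packets while `top` shows the CPU well below 100%. This is a constructed simulation added here, not code from the thread or from Snort; `SensorModel`, `simulate` and the timing numbers in `BASELINE` and `TUNED` are assumptions chosen for illustration, not measurements.

```python
import random
from dataclasses import dataclass

@dataclass
class SensorModel:
    link_pps: float      # mean packet arrival rate on the monitored port
    buffer_pkts: int     # kernel capture buffer size, in packets
    analyze_s: float     # CPU time to preprocess + rule-match one packet
    syscall_s: float     # fixed cost of one read from the capture device
    batch: int           # packets handed up per read (1: old Linux, >1: BPF)
    alert_prob: float    # fraction of packets that trigger a rule
    alert_log_s: float   # extra time to write one alert (verbose = larger)

def simulate(m, n_packets=20000, seed=1):
    """Return (fraction of packets dropped, analyzer CPU utilisation)."""
    rng = random.Random(seed)
    now = 0.0          # arrival clock
    busy_until = 0.0   # when the analyzer finishes its current batch
    queue = []         # arrival times of packets sitting in the kernel buffer
    dropped = 0
    cpu_busy = 0.0
    for _ in range(n_packets):
        now += rng.expovariate(m.link_pps)   # Poisson arrivals are bursty
        # Let the analyzer catch up to 'now', one read (batch) at a time.
        while queue:
            start = max(busy_until, queue[0])
            if start > now:
                break
            n = 0   # a read only returns packets already buffered at 'start'
            while n < len(queue) and n < m.batch and queue[n] <= start:
                n += 1
            del queue[:n]
            work = m.syscall_s + n * m.analyze_s
            work += sum(m.alert_log_s for _ in range(n) if rng.random() < m.alert_prob)
            busy_until = start + work
            cpu_busy += work
        if len(queue) >= m.buffer_pkts:
            dropped += 1          # buffer full: the kernel discards the packet
        else:
            queue.append(now)
    return dropped / n_packets, cpu_busy / now

# Constructed configurations: every preprocessor on, verbose per-alert logging,
# one packet per syscall; versus a trimmed rule set, cheap alert output and
# batched reads. Illustrative numbers, not measurements of any real sensor.
BASELINE = SensorModel(20000, 16, 20e-6, 5e-6, 1, 0.01, 1000e-6)
TUNED = SensorModel(20000, 16, 10e-6, 5e-6, 8, 0.005, 200e-6)

if __name__ == "__main__":
    for name, m in (("baseline", BASELINE), ("tuned", TUNED)):
        drop, util = simulate(m)
        print(f"{name}: drops {drop:.1%}, analyzer CPU {util:.0%}")
```

The baseline loses a few percent of packets at roughly two-thirds CPU: each slow alert write stalls the analyzer long enough for the small buffer to overflow, which is the mechanism behind the "drops at 70% load" symptom, and shortening the per-packet work path removes the drops.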

> From: Lucas de Carvalho Ferreira - BMS <lucas.ferreira at ...4619...>
> To: 'Saad Kadhi' <bsdguy at ...4401...>
> Cc: "'snort-users at lists.sourceforge.net'"
> 	 <snort-users at lists.sourceforge.net>
> Subject: RE: [Snort-users] Performance questions
> Date: Mon, 21 Jan 2002 11:14:43 -0300
> 
> Hello,
> 
> I am running a 2.4.9 Linux kernel compiled by Red Hat. I installed Red Hat with
> a minimum install, with just about telnetd and syslog running. No X11
> either. My NIC is a 3COM 3c905b.
> 
> Regards,
> Lucas
> 
> > -----Original Message-----
> > From: Saad Kadhi [mailto:bsdguy at ...4401...]
> > Sent: Friday, January 18, 2002 8:14 PM
> > To: Lucas de Carvalho Ferreira - BMS
> > Cc: 'snort-users at lists.sourceforge.net'
> > Subject: Re: [Snort-users] Performance questions
> > 
> > 
> > On Fri, 2002-01-18 at 23:12, Lucas de Carvalho Ferreira - BMS wrote:
> > > Hello,
> > > 
> > > I am trying to monitor a high traffic 100Mbs switch port with snort on a 433
> > > MHz Celeron machine running Red Hat 7.2 but snort is dropping about 10% of
> > > the packets, even if the CPU load is at an average of 70% (seen with top).
> > > Are there any configuration tips for snort or for the Linux kernel to get
> > > better performance? Could it be an I/O performance problem?
> > What kernel are you running? How is your RH installed? Is it a minimal
> > install? What type of network cards do you have?
> > -- 
> > /Saad --  [bsdguy at ...4401...] 
> > [pgp keyid: 35592A6D http://pgp.mit.edu]
> > # buy a geek-in-a-can, point nozzle at technical problem and spray
> > # if desperate degauss your screen. it might solve your pb as well
> > 