[Snort-users] snort performance vs traffic

Rob Hughes rob at ...1932...
Wed Jul 10 05:24:55 EDT 2002

On Tue, 2002-07-09 at 09:27, Tim Prendergast wrote:
> All,
> Curious to see what you are running in comparison to my config, because
> my snort is running out of memory and dying every day during the busy
> hours.
> We're pushing like 4 T-1's worth of traffic coming in from the net, not
> to mention the traffic from our internal machines across the 100mb
> switch I am snorting. It's on a box with a 500mhz PIII and 256mb of
> memory. Am I way under-arming this machine for this task?

What OS? What does your snort.conf look like? What output plugins are
you using? Where are you logging to? But yes, possibly so, depending on
your rule set. Try running a reduced rule set and only output to a
binary log file and see if the problem continues. If not, then the box
is underpowered. If it does, then it's probably something else. You may
also need to look at things like barnyard, which can de-couple the output
of snort from the database process.

Remember: the only difference between
being the champ and the chump is u.