[Snort-users] snort performance vs traffic

Rob Hughes rob at ...1932...
Wed Jul 10 05:24:55 EDT 2002

On Tue, 2002-07-09 at 09:27, Tim Prendergast wrote:
> All,
> Curious to see what you are running in comparison to my config, because
> my snort is running out of memory and dying every day during the busy
> hours.
> We're pushing like 4 T-1's worth of traffic coming in from the net, not
> to mention the traffic from our internal machines across the 100mb
> switch I am snorting. It's on a box with a 500mhz PIII and 256mb of
> memory. Am I way under-arming this machine for this task?

What OS? What does your snort.conf look like? What output plugins are
you using? Where are you logging to? But yes, possibly so, depending on
your rule set. Try running a reduced rule set and only output to a
binary log file and see if the problem continues. If not, then the box
is underpowered. If it does, then it's probably something else. You may
also need to look at things like barnyard, which can de-couple the output
of snort from the database process.

