[Snort-users] Improving Snort Performance?
mark at ...5096...
Thu Mar 14 13:32:17 EST 2002
Ok, I've tuned my kernel. Installed Phil Wood's MMAP'd libpcap (Hi
Phil) so that I don't lose packets with bursty traffic. Tuned my
ruleset. What other tricks are there for improving Snort performance?
I can't remember who it was, but someone suggested the
[ip/mask,ip/mask,ip/mask] notation for $HOME_NET was causing problems
and it was quicker to list them and a set of rules for each one - anyone
else tried this on a live sensor? - I'll try it tomorrow to see if it
makes much difference - does anyone have any more ideas?
What experience have people had with barnyard yet? Does it really make
that much difference in IDS mode since we're hopefully only alerting
relatively infrequently in comparison with the number of packets being
seen by the sensor?
What's the score on the AC_BM pattern match stuff?
Do we need an FAQ section for performance (Marty???)
Mark Vevers. mark at ...5096... / mvevers at ...5097...
Internet Backbone Engineering Team
Internet for Learning, Research Machines Plc