[Snort-users] Improving Snort Performance?

Mark Vevers mark at ...5096...
Thu Mar 14 13:32:17 EST 2002


Ok, I've tuned my kernel.  Installed Phil Wood's MMAP'd libpcap (Hi 
Phil) so that I don't lose packets with bursty traffic.  Tuned my 
ruleset, What other tricks are there for improving snort performance?

I can't remember who it was, but someone suggested the 
[ip/mask,ip/mask,ip/mask] notation for $HOME_NET was causing problems 
and it was quicker to list them and a set of rules for each one - anyone 
else tried this on a live sensor?  - I'll try it tomorrow to see if it 
makes much difference - does anyone have any more ideas?

What experience have people had with barnyard yet?  Does it really make 
that much difference in IDS mode since we're hopefully only alerting 
relatively infrequently in comparison with the number of packets being 
seen by the sensor.

What's the score on the AC_BM pattern match stuff?

Do we need an FAQ section for performance (Marty???)

Mark

-- 
Mark Vevers.    mark at ...5096... / mvevers at ...5097...
Internet Backbone Engineering Team
Internet for Learning, Research Machines Plc






More information about the Snort-users mailing list