[Snort-users] Snort and high-traffic lines

Jens Krabbenhoeft tschenz-snort-users at ...7018...
Wed Oct 2 08:28:54 EDT 2002


Hi all,

>   *  Change your disk subsystem to high end SCSI.
SCA SCSI now.

>   *  More RAM
1GB now.

>   *  Faster CPU
>   *  More CPUs if your OS will support them well.
Dual P3-1000 now.

> You might want to have a look at this link[0] as well.  It's a message from
> Marty discussing this very thing.

I had a look at that before, but I didn't think that those things
applied to me - and as I now have MIPS, RAM, I/O and see snort still
dropping about 25% at rates >=70Mbps this turns out to be true -
unfortunately :|.

Are there any other hints for me, to tweak the OS/snort so that I
can cope with that amount of traffic? Has anybody tried to split up
snort to sniff the same interface (with the same homenet etc.) but with
the ruleset split into three parts - would/could that help?

BTW: I also tried the snort-ng patch that was submitted to snort-devel
some days ago. There seems to be a buffer-overrun or anything like this,
because snort-ng segfaults regularly.

Regards,

	Jens



