[Snort-users] Snort and high-traffic lines

jsp1999 at ...348... jsp1999 at ...348...
Thu Oct 3 08:59:03 EDT 2002

> Hi all, 
> >   *  Change your disk subsystem to high end SCSI. 
> SCA SCSI now. 
> >   *  More RAM 
> 1GB now. 
> >   *  Faster CPU 
> >   *  More CPUs if your OS will support them well. 
> Dual P3-1000 now. 
> > You might want to have a look at this link[0] as well.  It's a message from 
> > Marty discussing this very thing. 
> I had a look at that before, but I didn't think that those things 
> applied to me - and as I now have MIPS, RAM, I/O and see snort still 
> dropping about 25% at rates >=70Mbps this turns out to be true - 
> unfortunately :|. 
> Are there any other hints for me, to tweak the OS/snort so that I 
> can cope with that amount of traffic? Has anybody tried to split up 
> snort to sniff the same interface (with the same homenet etc.) but with 
> the ruleset split into three parts - would/could that help? 
> BTW: I also tried the snort-ng patch that was submitted to snort-devel 
> some days ago. There seems to be a buffer-overrun or anything like this, 
> because snort-ng segfaults regularly. 
> Regards, 
>  Jens 
Perhaps you have seen it already: a new version of snort-ng is uploaded on 
the snort-ng homepage, which fixes this problem. 
It would be nice to have some statistics on whether snort-ng is really faster 
than the standard snort in a REAL production environment. You could 
provide something like that in order to get some objective view on 
snort-ng (and not just marketing stuff). 
