[Snort-users] Snort stopping - too much traffic?

Wayne T Work securitygauntlet at ...3130...
Tue Oct 29 08:32:06 EST 2002

You need to be some Snort system tuning.
First, you need to evaluate your rules. ONLY utilize the ones which are
relevant to the Network Architecture you have. Reporting on attaches or
signatures that have no ability to harm of degrade your network should be
disabled or removed.
Second, you should look at the prepossesses you are using. You need to ask
yourself "Do I really need this". If the answer is fuzzy at best then NO.
Third, you should look to see how you implementation is. Are you on a
Spanning Port on a switch, using a HUB, or (the best scenario) are you using
a Network TAP. All of these have issues that should be addresses from a
performance stand point. Especially the HUB which I have seen a LOT of
people put in conjunction with the firewalls inside or outside NIC to get
visibility. Hubs inside with other DMZ servers connected could be creating
"Collisions". Bad for IDS little box :(
I would do some of the above before looking into new hardware.

Good luck

Wayne T Work
Sr. Information Security Consultant
Security Gauntlet Consulting

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Scott
Sent: Tuesday, October 29, 2002 10:49 AM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort stopping - too much traffic?

I'm on RH 7.3, with 3COM NICS, and Snort 1.9. The computer is dual-cpu and
it only shows about 50% utilization, so I suspect the problem is the NICs.
Does anyone have a 100MB NIC recommendation?

-----Original Message-----
From: Erek Adams [mailto:erek at ...577...]
Sent: Monday, October 28, 2002 5:27 PM
To: Scott Williams
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort stopping - too much traffic?

On Mon, 28 Oct 2002, Scott Williams wrote:

> I'm running Snort with a 100MB NIC and everything was fine until I
> started sending it more traffic. I'm now sending about 40Mbps to it
> and it will run for an hour or so and then stop. I get the syslog
> message "kernel: eth1: Too much work in interrupt, status e401". I
> wonder if this is what happens when the NIC buffers get too full.
> Anyone had a similar experience?

1.9.0 doesn't seem to exhibit this, or at least in my setup.  I'd guess that
you are running < 1.8.7.  Another thing that you might want to check is your
card, driver and kernel.  I know that a _LOT_ of folks are using it on quite
a bit more traffic (x 2.5+) with no issues.  That would tend to point to
your hardware and not to snort.

Is this a slow box or a 'generic' nic?  If so, you might want to consider
changing hardware.  If you dig around on Intel's site you can/could find a
'demo unit' offer for a 10/100/1000 card for $39.00 (USD).  Since NIC's are
cheaper than boxes, you might want to check that out.  :)


Erek Adams

This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Wayne T Work (E-mail).vcf
Type: text/x-vcard
Size: 459 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20021029/d9c51362/attachment.vcf>

More information about the Snort-users mailing list