[Snort-users] Performance Bottleneck

Daniel R. Miessler danielrm26 at ...125...
Fri Apr 18 00:40:07 EDT 2003

I am running Snort Version 1.9.1-db (Build 231) and PureSecure by
Demarc.  It is sitting on a dual processor PII 500 with 512MB of
SDRAM and SCSI internals running Mandrake 9.1.

This seems all well and good, but I just dropped the box on a 100Mb
segment, and the machine is being completely owned by the load.  I am
getting nearly half a million database events per 24 hour period, and
it takes something like 2-3 minutes to perform most queries on the
database after only a day of use (roughly 500,000 events).

Top shows that Snort takes a solid 60-90% processor load during peak
traffic times (only about 20-40% at night), and ANY search of the
database whatsoever pegs the processors out at 99.9% usage.

I understand that I could benefit from putting the sensor (Snort) and
httpd on one machine, and putting the database on another, but I am
wondering what else I am doing that is utterly lame enough to cause
this problem.

My current thoughts are that this is just a high traffic segment, and
that I should go with a dual processor, all SCSI, P4 system, and
install Gentoo on it and start over.  My thinking is that the
processor issue is the biggest problem and running a 4-5 year old
machine on a 100Mb segment isn't the way to go.