[Snort-users] Performance Bottleneck
Daniel R. Miessler
danielrm26 at ...125...
Fri Apr 18 00:40:07 EDT 2003
I am running Snort Version 1.9.1-db (Build 231) and PureSecure by
Demarc. It is sitting on a dual processor PII 500 with 512MB of
SDRAM and SCSI internals running Mandrake 9.1.
This seems all well and good, but I just dropped the box on a 100Mb
segment, and the machine is being completely owned by the load. I am
getting nearly half a million database events per 24 hour period, and
it takes something like 2-3 minutes to perform most queries on the
database after only a day of use (roughly 500,000 events).
Top shows that Snort takes a solid 60-90% processor load during peak
traffic times (only about 20-40% at night), and ANY search of the
database whatsoever pegs the processors out at 99.9% usage.
I understand that I could benefit from putting the sensor (Snort) and
httpd on one machine, and putting the database on another, but I am
wondering what else I am doing that is utterly lame enough to cause
My current thoughts are that this is just a high traffic segment, and
that I should go with a dual processor, all SCSI, P4 system, and
install Gentoo on it and start over. My thinking is that the
processor issue is the biggest problem and running a 4-5 year old
machine on a 100Mb segment isn't the way to go.
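A "2-3 minute" query over 500,000 rows that pins both CPUs is the signature of a full table scan, so the first thing to check before buying hardware is whether the columns the console filters and joins on are indexed. The following is an added example, not part of the post and not Demarc's or PureSecure's code. It assumes the MySQL schema created by Snort's own database output plugin (tables `event`, `iphdr` and `signature`, with `event`/`iphdr` rows keyed by `sid`,`cid` and `event.signature` referencing `signature.sig_id`); whether PureSecure stores events in that schema is an assumption, and the index names are hypothetical.

```sql
-- Added example (not from the post, not Demarc/PureSecure code).
-- Assumed schema: Snort's database output plugin tables
--   event(sid, cid, signature, timestamp)
--   iphdr(sid, cid, ip_src, ip_dst, ip_proto, ...)
--   signature(sig_id, sig_name, ...)

-- 1. See which indexes already exist on the hot tables.
SHOW INDEX FROM event;
SHOW INDEX FROM iphdr;

-- 2. Ask the optimizer how a typical console query will run.
--    "type: ALL" with rows ~500000 on the event row means a full scan.
EXPLAIN
SELECT e.timestamp, s.sig_name, i.ip_src, i.ip_dst
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE e.timestamp > DATE_SUB(NOW(), INTERVAL 1 DAY)
ORDER BY e.timestamp DESC
LIMIT 100;

-- 3. Only if step 1 shows them missing: add indexes on the columns
--    the console filters and joins on (hypothetical index names).
CREATE INDEX event_ts_idx   ON event (timestamp);
CREATE INDEX event_sig_idx  ON event (signature);
CREATE INDEX iphdr_src_idx  ON iphdr (ip_src);
CREATE INDEX iphdr_dst_idx  ON iphdr (ip_dst);

-- 4. Keep the working set small: count, then archive and delete
--    events older than the retention window (30 days assumed).
SELECT COUNT(*) FROM event
WHERE timestamp < DATE_SUB(NOW(), INTERVAL 30 DAY);

DELETE FROM iphdr
WHERE (sid, cid) IN (SELECT sid, cid FROM event
                     WHERE timestamp < DATE_SUB(NOW(), INTERVAL 30 DAY));
DELETE FROM event
WHERE timestamp < DATE_SUB(NOW(), INTERVAL 30 DAY);
```

Re-run the `EXPLAIN` after adding indexes; the `event` row should change from `ALL` to `range` on the timestamp index and the joins to `eq_ref`/`ref`. If the plan is already using indexes and queries still take minutes, the bottleneck is the shared machine rather than the schema, and moving the database off the sensor box (as the post considers) is the next step. Note that the `DELETE ... WHERE (sid, cid) IN (SELECT ...)` form needs a MySQL version with subquery support; on older servers do the same purge with a `SELECT` of the affected `sid`,`cid` pairs followed by per-row deletes.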