[Snort-users] droped packets

Matt Kettler mkettler at ...4108...
Mon Dec 29 11:20:01 EST 2003


At 10:36 AM 12/28/2003, khaled fawzy wrote:
>i run snort 2.0  over slackware the problem is my snort is dropping 55% 
>from packets . how can i make snort analyze all the packets . my snort 
>machine is P4 with 256 M RAM.

1) what kind of NIC do you have? if it's a Realtek 10/100mbit nic, toss it 
in a dumpster and buy a real network card.
2) Consider trying snort 2.1.x, or at LEAST make sure you're on 2.0.6... 
some things are a bit more efficient there.

3) tune.
         Make sure you've collapsed your HOME_NET and EXTERNAL_NET into as 
few ranges as possible.. multiple comma-separated ranges HURT badly.
         Turn off preprocessors that are hungry and you might not need.. 
portscan2 and conversation are very resource hungry
         Make sure your snort box isn't doing much else.
         Make sure you're not using something horribly inefficient for 
logging like text hex-dump packet logging.
                 (if you have piles of subdirectories named after IP 
addresses, you might want to consider
                 at least switching to tcpdump output)
         If you don't need checksum monitoring, try adding in -k none to 
the command line.



>and my network is about 200 pc. and it is switched 100MB network.
>
>the scond :
>can snort run in 1GB network? and if so what the minimumm requirements in 
>this snort machine.

It's been done, but takes a LOT of tuning.. it also takes a lot of 
hardware, but once you're talking about reasonable hardware, tuning is the 
bigger factor in getting good speed. I'm not sure of the specifics for 
hardware to use, but aim high. Think dedicated snort-only system using dual 
CPU's with the highest clockrates you can get, a fast scsi raid array disk 
system for logging, an efficient OS, and a decent NIC.






More information about the Snort-users mailing list