[Snort-users] Optimizing Linux Kernel for Snort & Hardware

Miguel Rosales MRosales at ...8449...
Fri Jul 4 14:27:10 EDT 2003


I share your impression respect to this subject, but ..... based on the
experience (or your experience) of each one of the users something can be
considered or not?, it is not necessary to be so specific.




|---------+---------------------------------------->
|         |           Edin Dizdarevic              |
|         |           <edin.dizdarevic at ...9607...|
|         |           Systems.de>                  |
|         |                                        |
|         |           04-07-2003 17:12             |
|         |           Please respond to            |
|         |           edin.dizdarevic              |
|         |                                        |
|---------+---------------------------------------->
  >-----------------------------------------------------------------------------------------------------|
  |                                                                                                     |
  |       To:       Miguel Rosales <MRosales at ...8449...>                                                 |
  |       cc:       snort <snort-users at lists.sourceforge.net>                                           |
  |       Subject:  Re: [Snort-users] Optimizing Linux Kernel for Snort & Hardware                      |
  >-----------------------------------------------------------------------------------------------------|





Well I'm afraid that is simply not possible because of the different
network
environments. It depends very much on your clients and servers. Even on if
you
use Apache or IIS. Don't forget that the greatest impact on the Snort
performance is still depending on how many rules you have. And that is
great, at
the end.

You will never be able to say that much traffic == that much Snort. You
can't
even predict such things with "simple static webservers" properly, can you?
You simply have to test the things and watch for packet drops and then
react.

Regards,

Edin




Miguel Rosales wrote:
> Somebody knows the criteria that were due to consider to determine the
> proportions the necessary hardware for different scenes where it is
desired
> to use snort. Something that it relates for example the number of hosts
in
> my $HOME_NET respect to the memory or necessary processor.
>
> TIA.
>
> // Miguel
>
>
>
>
> |---------+---------------------------------------->
> |         |           Edin Dizdarevic              |
> |         |           <edin.dizdarevic at ...9607...|
> |         |           Systems.de>                  |
> |         |           Sent by:                     |
> |         |           snort-users-admin at ...635...|
> |         |           eforge.net                   |
> |         |                                        |
> |         |                                        |
> |         |           04-07-2003 15:07             |
> |         |           Please respond to            |
> |         |           edin.dizdarevic              |
> |         |                                        |
> |---------+---------------------------------------->
>   >
-----------------------------------------------------------------------------------------------------|

>   |
|
>   |       To:       Sam Evans <sam at ...5202...>
|
>   |       cc:       snort <snort-users at lists.sourceforge.net>
|
>   |       Subject:  Re: [Snort-users] Optimizing Linux Kernel for Snort
|
>   >
-----------------------------------------------------------------------------------------------------|

>
>
>
>
>
>
> Sam Evans wrote:
>
>>Greetings All, and Happy Fourth of July to all the US Readers out there.
>>:)
>>
>>I've got a question regarding optimizing a Linux 2.4.18 Kernel to get
>>the best performance for snort.  Does anyone have any tips?
>
>
> Yeah, use OpenBSD ;)
>
> just kidding, but don't forget this
>
> <*> Packet socket
> [*]   Packet socket: mmapped IO
>
> See the postings with topics like "Snort dropping packets..."
>
> and using A LOT of memory is the best thing to do.
>
> Have fun,
>
> Edin
>
>
>>Thanks,
>>Sam
>>
>
>
> --
> Edin Dizdarevic
>
--
Edin Dizdarevic









More information about the Snort-users mailing list