[Snort-users] Optimizing Linux Kernel for Snort

Phil Wood cpw at ...440...
Fri Jul 4 16:29:08 EDT 2003


You need memory.  I use 4 Gigs (but not for just one snort, I'm running
3 [2 on one gig ether, and 1 on the other gig e]).  You need the fastest
multicpu system you can afford.  My system is old (just 2, 1 gig CPUs).

And finally, you need the modifications to libpcap which I've been
"maintaining" for a few years.  Note, this only applies to Linux
systems, running 2.4.max.  (actually, a lie, it will work on 2.2
systems, but you have to install a patch.)

So, bring down the libpcap at:

  http://public.lanl.gov/cpw/libpcap-0.8.030609.tar.gz

and have at it.

Read the README, README.linux,  and the README.ring.

You will lose packets the more rules you run and the more preprocessors
enabled, if you are on a gig network tap.

I use the following environment variables when running snort:

PCAP_STATS=0x1fff
PCAP_VERBOSE=1
PCAP_FRAMES=max
PCAP_PERIOD=10000

These will generate packet statistics every 10 seconds and create a ring
buffer to hold 32768 full (1514 byte) packets.  The stats are written to
stderr.

You can generate graphs from these stats so your people can see what the
load is on the net your tap is on.

It's the 4th, I've had a few, and got to get back to the party,  Later,

Phil

On Fri, Jul 04, 2003 at 02:29:57PM -0600, Sam Evans wrote:
> Unfortunately, we are having to migrate our platform away from FreeBSD
> to Linux due to some constraints we are running into.  Long story, not a
> happy ending.  But, I'll do some searching on your suggested topic.
> 
> Thanks for the response!
> 
> -Sam
> 
> 
> -----Original Message-----
> From: Edin Dizdarevic [mailto:edin.dizdarevic at ...7509...] 
> Sent: Friday, July 04, 2003 1:08 PM
> To: Sam Evans
> Cc: snort
> Subject: Re: [Snort-users] Optimizing Linux Kernel for Snort
> 
> 
> 
> Sam Evans wrote:
> > Greetings All, and Happy Fourth of July to all the US Readers out
> > there. :)
> > 
> > I've got a question regarding optimizing a Linux 2.4.18 Kernel to get
> > the best performance for snort.  Does anyone have any tips?
> 
> Yeah, use OpenBSD ;)
> 
> just kidding, but don't forget this
> 
> <*> Packet socket
> [*]   Packet socket: mmapped IO
> 
> See the postings with topics like "Snort dropping packets..."
> 
> and using A LOT of memory is the best thing to do.
> 
> Have fun,
> 
> Edin
> 
> > 
> > Thanks,
> > Sam
> > 
> 
> -- 
> Edin Dizdarevic
> 
> 
> 
> 
> 

-- 
Phil Wood, cpw at ...440...




