[Snort-users] Snort as Gigabit Sensor

Banniza Robert Robert.Banniza at ...9244...
Thu Jul 24 11:44:24 EDT 2003

Anyone have any good pointers on tuning Linux (Red Hat 9) as a gigabit
sensor? Currently, we are using a Broadcom Corporation NetXtreme BCM5703
Gigabit Ethernet (tg3 kernel module) Netgear card as the sniffing card. We
have set up a SPAN port so that we can see all traffic on a Cisco 6509. The
sad thing is we are encountering 40% packet loss. The network interfaces
were statically compiled into the kernel and /etc/sysctl.conf was modified
with the following to provide larger buffers:

# increase Linux socket buffer limits (bytes)
# net.core.rmem_max is the ceiling for SO_RCVBUF on any socket, including the
# PF_PACKET socket libpcap captures on
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.rmem_default = 65536
net.core.wmem_default = 65536

# increase Linux autotuning TCP buffer limits (min default max, bytes);
# these only affect TCP sockets this host terminates, not the sniffing socket
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 65536 8388608
# tcp_mem is measured in pages, not bytes (low pressure high)
net.ipv4.tcp_mem = 8388608 8388608 8388608

# flush the routing cache so the new values take effect
net.ipv4.route.flush = 1
# per-CPU input queue depth between the driver and the protocol layer
net.core.netdev_max_backlog = 2500

We have not performed any rule tuning yet and the current sustained
throughput we have seen through this connection is around 14 Mb/s, which is
nowhere close to gigabit speeds. Any ideas?

Thanks
Robert
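
Before touching rules or buffers it helps to know where the 40% is actually being lost, because the counters answer different questions: rx_drop/rx_fifo in /proc/net/dev are frames the NIC or driver could not hand up, the second column of /proc/net/softnet_stat counts frames thrown away because the per-CPU backlog (net.core.netdev_max_backlog) was full, and net.core.rmem_max is the only one of the sysctls above that bounds the receive buffer of the PF_PACKET socket libpcap captures on (the tcp_* keys only apply to TCP connections this host terminates). The script below is an added example, not code from the post above or from the Snort project. It reads the 2.4/2.6 procfs layout, lets every file location be overridden, and runs against constructed sample counters (the eth1 line, the two softnet rows and the two sysctl values are made up to show a 40% drop case); swap in the real paths to run it on the sensor.

```shell
#!/bin/sh
# Sensor-side packet-loss check for a Linux IDS box (added example).
# Files read, all overridable so the functions can run on sample data:
#   /proc/net/dev          per-interface rx counters (packets, drop, fifo)
#   /proc/net/softnet_stat per-CPU backlog counters, hex; column 2 = drops
#                          when net.core.netdev_max_backlog overflowed
#   /proc/sys/<key path>   live sysctl values

# rx_stats IFACE [DEVFILE]  ->  "rx_packets rx_drop rx_fifo"
rx_stats() {
    _iface=$1
    _file=${2:-/proc/net/dev}
    # A row reads "  eth1:BYTES PACKETS ERRS DROP FIFO ...". The colon is
    # often glued to the byte count, so split "eth1:" into its own field.
    sed -n "s/^[[:space:]]*${_iface}:/${_iface} /p" "$_file" |
        awk '{ print $3, $5, $6 }'
}

# drop_pct IFACE [DEVFILE]  ->  percent of received frames dropped before
# reaching the packet socket, one decimal; "n/a" if the interface is absent.
drop_pct() {
    rx_stats "$1" "$2" | awk '
        { total = $1 + $2
          if (total > 0) printf "%.1f\n", 100 * $2 / total; else print "n/a"
          seen = 1 }
        END { if (!seen) print "n/a" }'
}

# backlog_drops [SOFTNETFILE]  ->  frames dropped by the input backlog,
# summed over all CPUs. Values in softnet_stat are hexadecimal.
backlog_drops() {
    _file=${1:-/proc/net/softnet_stat}
    _sum=0
    while read -r _processed _dropped _rest; do
        [ -n "$_dropped" ] || continue
        _sum=$(( _sum + 0x$_dropped ))
    done < "$_file"
    echo "$_sum"
}

# sysctl_is KEY EXPECTED [PROCSYS]  ->  0 if the live value matches, 1 if it
# differs, 2 if the key does not exist. Multi-value keys are compared with
# whitespace collapsed, so "4096 87380 8388608" matches the tab-separated file.
sysctl_is() {
    _path=${3:-/proc/sys}/$(printf '%s' "$1" | tr . /)
    [ -r "$_path" ] || { echo "$1: not present"; return 2; }
    _actual=$(tr -s '[:space:]' ' ' < "$_path")
    _actual=${_actual% }
    if [ "$_actual" = "$2" ]; then
        echo "$1 = $_actual (ok)"
        return 0
    fi
    echo "$1 = $_actual (expected $2)"
    return 1
}

# sensor_report IFACE [DEVFILE] [SOFTNETFILE] [PROCSYS]  ->  the numbers to
# watch while tuning; always returns 0 because it is a report, not a check.
sensor_report() {
    echo "interface $1: $(drop_pct "$1" "$2")% of received frames dropped"
    echo "backlog drops (all CPUs): $(backlog_drops "$3")"
    sysctl_is net.core.rmem_max 8388608 "$4" || :
    sysctl_is net.core.netdev_max_backlog 2500 "$4" || :
    return 0
}

# --- constructed sample data, not output from a real sensor ----------------
SAMPLE_DIR=${SAMPLE_DIR:-$(mktemp -d)}
cat > "$SAMPLE_DIR/net_dev" <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345      60    0    0    0     0          0         0    12345      60    0    0    0     0       0          0
  eth1:90000000     600    0  400  400     0          0         0        0       0    0    0    0     0       0          0
EOF
cat > "$SAMPLE_DIR/softnet_stat" <<'EOF'
0003e8 000064 0000000 00000000 00000000 00000000 00000000 00000000 00000000
0001f4 0000c8 0000000 00000000 00000000 00000000 00000000 00000000 00000000
EOF
mkdir -p "$SAMPLE_DIR/net/core"
echo 8388608 > "$SAMPLE_DIR/net/core/rmem_max"
echo 300 > "$SAMPLE_DIR/net/core/netdev_max_backlog"   # deliberately low

# Run against the samples; on the sensor call it as: sensor_report eth1
sensor_report eth1 "$SAMPLE_DIR/net_dev" "$SAMPLE_DIR/softnet_stat" "$SAMPLE_DIR"
```

Read the three figures together: a high drop_pct with zero backlog drops points at the NIC ring or driver (interrupt load, ring size, the card itself), while a rising backlog_drops count is the case netdev_max_backlog is meant to cover. If both stay flat and Snort still reports loss in its own statistics, the bottleneck is the capture socket buffer or Snort itself, which is where rule tuning comes in.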