[Snort-users] Snort as Gigabit Sensor

Irwan Hadi irwanhadi at ...6580...
Sun Jul 27 00:24:03 EDT 2003

On Thu, Jul 24, 2003 at 02:27:15PM -0500, Banniza Robert wrote:

> Here's a little more information I forgot to provide in the first post. The
> machine is an IBM x335 Xeon with dual 2.6Ghz procs and 1GB RAM. As for the
> logging portion, I am not using Barnyard (yet)....We were set up to log to
> Postgres and to syslog. However, we did notice something interesting...With
> all logging turned off and just sniffing with the default ruleset, we were
> still dropping packets. Also, by placing 8 pass rules in local.rules, this
> accounted for about 6-7% of the packet loss. Therefore, if we turned the
> pass rules off (commented out local.rules), our packet loss would drop down
> to 33% or so.
First thing I would try is to throw away the Broadcom card that you have
and replace it with either an Intel (preferably) or a 3Com card.
The Broadcom card has always caused problems on Linux (on Dell servers
it usually makes the system lock up, etc.)

> Robert
> -----Original Message-----
> From: Demetri Mouratis [mailto:dmourati at ...3877...]
> Sent: Thursday, July 24, 2003 2:19 PM
> To: Banniza Robert
> Cc: 'snort-users at lists.sourceforge.net'
> Subject: Re: [Snort-users] Snort as Gigabit Sensor
> On Thu, 24 Jul 2003, Banniza Robert wrote:
> > Anyone have any good pointers on tuning Linux (Redhat 9) as a gigabit
> > sensor? Currently, we are using a Broadcom Corporation NetXtreme BCM5703
> > Gigabit Ethernet (TG3 kernel module) Netgear card as the sniffing card. We
> > have set up a span port so that we can see all traffic on a Cisco 6509. The
> > sad thing is we are encountering 40% packet loss. The network interfaces
> > were statically compiled into the kernel and /etc/sysctl.conf was modified
> > with the following to provide larger buffers:
> >
> <snip>
> > We have not performed any rule tuning yet and the current sustained
> > throughput we have seen through this connection is around  14Mb which is
> > nowhere close to gigabit speeds. Any ideas?
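The thread reports 33-40% packet loss and debates whether the cause is the NIC/driver (the card swap suggested above) or Snort itself. The first check a practitioner wants is to separate those two layers: if the kernel's own interface counters already show drops, the loss is happening before Snort ever sees the packets. The script below is an added example, not code from the thread or from the Snort project; it parses two `/proc/net/dev` snapshots and computes the fraction of inbound packets the NIC/driver dropped between them. The snapshots are constructed sample data (the 40% figure is chosen to mirror the thread, not measured), and the formula assumes that the `drop` counter is not already included in `packets`, which varies by driver.

```python
"""Estimate NIC/driver-level packet loss from two /proc/net/dev snapshots.

Added example, not from the mailing-list thread. The snapshots below are
constructed to resemble /proc/net/dev output; they are not real data.
"""
from __future__ import annotations

# The 16 counters that follow "iface:" on each /proc/net/dev line.
_RX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "frame",
              "compressed", "multicast")
_TX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "colls",
              "carrier", "compressed")


def parse_proc_net_dev(text: str) -> dict[str, dict[str, int]]:
    """Parse /proc/net/dev text into {iface: {"rx_<field>": n, "tx_<field>": n}}.

    The first two lines are column headers and are skipped. The kernel may
    print "eth0:1234" with no space when the byte counter is wide, so the
    interface name is split off at the colon, not by whitespace alone.
    """
    stats: dict[str, dict[str, int]] = {}
    for line in text.splitlines()[2:]:
        if ":" not in line:
            continue
        iface, counters = line.split(":", 1)
        values = [int(v) for v in counters.split()]
        if len(values) != len(_RX_FIELDS) + len(_TX_FIELDS):
            continue  # malformed line: skip rather than guess at columns
        entry: dict[str, int] = {}
        for name, value in zip(_RX_FIELDS, values[:8]):
            entry[f"rx_{name}"] = value
        for name, value in zip(_TX_FIELDS, values[8:]):
            entry[f"tx_{name}"] = value
        stats[iface.strip()] = entry
    return stats


def rx_loss_fraction(before: dict, after: dict, iface: str) -> float:
    """Fraction of inbound packets dropped by the NIC/driver between snapshots.

    Assumption: "drop" counts packets that are NOT included in "packets",
    so loss = drops / (packets + drops) over the interval. Returns 0.0 when
    no traffic was seen. A negative delta means a counter wrapped (32-bit
    counters on older kernels) or the interface was reset; refuse to report
    a misleading number in that case.
    """
    b, a = before[iface], after[iface]
    d_packets = a["rx_packets"] - b["rx_packets"]
    d_drop = a["rx_drop"] - b["rx_drop"]
    if d_packets < 0 or d_drop < 0:
        raise ValueError(f"{iface}: counter wrapped or interface reset")
    total = d_packets + d_drop
    if total <= 0:
        return 0.0
    return d_drop / total


# Constructed sample snapshots (same layout as /proc/net/dev, not real data).
SNAPSHOT_BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    4000      40    0    0    0     0          0         0     4000      40    0    0    0     0       0          0
  eth1: 1000000   10000    0  100    0     0          0         0        0       0    0    0    0     0       0          0
"""
SNAPSHOT_AFTER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    4000      40    0    0    0     0          0         0     4000      40    0    0    0     0       0          0
  eth1: 2000000   16000    0 4100    0     0          0         0        0       0    0    0    0     0       0          0
"""


if __name__ == "__main__":
    before = parse_proc_net_dev(SNAPSHOT_BEFORE)
    after = parse_proc_net_dev(SNAPSHOT_AFTER)
    loss = rx_loss_fraction(before, after, "eth1")
    # On a real sensor, read /proc/net/dev twice a few seconds apart and
    # feed both texts to parse_proc_net_dev() instead of the samples.
    print(f"eth1 NIC-level inbound loss over interval: {loss:.1%}")
```

If this number is near zero while Snort still reports drops, the bottleneck is in the capture path or the rule engine rather than the card, and tuning the ruleset (including the pass rules the thread mentions) is the right next step; if the kernel counters already show the loss, no amount of Snort tuning will recover those packets.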
