[Snort-users] RE: Notes regarding success with snort 2.0 on low end hardware

Matt Kettler mkettler at ...4108...
Tue Jun 17 08:42:08 EDT 2003

At 11:39 AM 6/17/2003 -0300, Petriz, Pablo wrote:
>Hello Matt
>I am a "low end hardware" user too, and i want to know if you can extend
>your case a little bit and explain us (the non so technical users of snort)
>which are the pros, cons and howtos of the things you've set up to do it.
>"I had set up snort by disabling conversation and portscan2, used the lowmem
>config option and the -k none command line parameter and tuned the ruleset
>slightly. The process consumed a relatively meager 13mb of ram."

Sure, I'll explain it a bit more, and if you've got further questions feel 
free to ask:

Disabling conversation and portscan2:
what it does: turns off two "resource hog" preprocessors in snort that tend 
to break low-end systems. (note: the conversation preprocessor is the big 
hog, and currently only exists to make portscan2 work the way it does).
how - edit snort.conf and comment out "preprocessor conversation: 
<parameters>" and  "preprocessor portscan2: <parameters>"
advantage - decrease in memory used and reduced packet-drop rate due to 
lower CPU overhead.
disadvantage - you loose portscan2's ability to detect portscanning of your 
network. However on low-end hardware this preprocessor works poorly as 
dropped packets cause it to false-alarm, claiming "syn-ack" scans anytime a 
client in your network opens a webpage with large numbers of images in them.

Using the lowmem option:
what it does: changes the way snort stores rule structures in memory to the 
same one used in snort 1.9.x. This uses a lot less memory, but is slower 
than the new method used by default in 2.0. If you have so little memory 
that using snort forces you to dig into a swap partition, this can help 
how - edit snort.conf and un-comment the line "config detection: 
search-method lowmem"
advantage - reduced memory usage (38 meg reduction on my system, but will 
vary depending on exact ruleset and network variables used.)
disadvantage - slower processing of rules can cause increased packet drops.

Using the -k none parameter:
what it does: disables IP checksum calculation in snort. If snort is behind 
a firewall or router that already re-assembles IP packets, this check is 
completely unnecessary, and even if snort is out in front the check is of 
limited value. It's certainly worth disabling these checks if your 
packet-drop rate is unacceptably high due to a slow processor.
how - add "-k none" to your command line when you start snort
advantage - reduced packet-drop rate due to lower CPU overhead.
disadvantage - snort won't detect packets with corrupted checksums.

More information about the Snort-users mailing list