[Snort-users] RE: Notes regarding success with snort 2.0 on low end hardware

Petriz, Pablo ppetriz at ...3815...
Tue Jun 17 11:21:12 EDT 2003

One word: didactic.

When i read your original mail i went to the snort manual, next the FAQs, 
but i feel that i was missing something. 

Thank you very much!


> -----Mensaje original-----
> De: Matt Kettler [mailto:mkettler at ...4108...]
> Enviado el: martes 17 de junio de 2003 12:40
> Para: Petriz, Pablo
> CC: 'snort-users at lists.sourceforge.net'
> Asunto: RE: Notes regarding success with snort 2.0 on low end hardware
> At 11:39 AM 6/17/2003 -0300, Petriz, Pablo wrote:
> >Hello Matt
> >
> >I am a "low end hardware" user too, and i want to know if 
> you can extend
> >your case a little bit and explain us (the non so technical 
> users of snort)
> >which are the pros, cons and howtos of the things you've set 
> up to do it.
> >
> >"I had set up snort by disabling conversation and portscan2, 
> used the lowmem
> >
> >config option and the -k none command line parameter and 
> tuned the ruleset
> >slightly. The process consumed a relatively meager 13mb of ram."
> Sure, I'll explain it a bit more, and if you've got further 
> questions feel 
> free to ask:
> Disabling conversation and portscan2:
> what it does: turns off two "resource hog" preprocessors in 
> snort that tend 
> to break low-end systems. (note: the conversation 
> preprocessor is the big 
> hog, and currently only exists to make portscan2 work the way 
> it does).
> how - edit snort.conf and comment out "preprocessor conversation: 
> <parameters>" and  "preprocessor portscan2: <parameters>"
> advantage - decrease in memory used and reduced packet-drop 
> rate due to 
> lower CPU overhead.
> disadvantage - you loose portscan2's ability to detect 
> portscanning of your 
> network. However on low-end hardware this preprocessor works 
> poorly as 
> dropped packets cause it to false-alarm, claiming "syn-ack" 
> scans anytime a 
> client in your network opens a webpage with large numbers of 
> images in them.
> Using the lowmem option:
> what it does: changes the way snort stores rule structures in 
> memory to the 
> same one used in snort 1.9.x. This uses a lot less memory, 
> but is slower 
> than the new method used by default in 2.0. If you have so 
> little memory 
> that using snort forces you to dig into a swap partition, 
> this can help 
> greatly.
> how - edit snort.conf and un-comment the line "config detection: 
> search-method lowmem"
> advantage - reduced memory usage (38 meg reduction on my 
> system, but will 
> vary depending on exact ruleset and network variables used.)
> disadvantage - slower processing of rules can cause increased 
> packet drops.
> Using the -k none parameter:
> what it does: disables IP checksum calculation in snort. If 
> snort is behind 
> a firewall or router that already re-assembles IP packets, 
> this check is 
> completely unnecessary, and even if snort is out in front the 
> check is of 
> limited value. It's certainly worth disabling these checks if your 
> packet-drop rate is unacceptably high due to a slow processor.
> how - add "-k none" to your command line when you start snort
> advantage - reduced packet-drop rate due to lower CPU overhead.
> disadvantage - snort won't detect packets with corrupted checksums.

More information about the Snort-users mailing list