[Snort-users] RE: Notes regarding success with snort 2.0 on low end hardware
ppetriz at ...3815...
Tue Jun 17 11:21:12 EDT 2003
One word: didactic.
When I read your original mail I went to the snort manual, next the FAQs,
but I feel that I was missing something.
Thank you very much!
> -----Original Message-----
> From: Matt Kettler [mailto:mkettler at ...4108...]
> Sent: Tuesday, June 17, 2003 12:40
> To: Petriz, Pablo
> CC: 'snort-users at lists.sourceforge.net'
> Subject: RE: Notes regarding success with snort 2.0 on low end hardware
> At 11:39 AM 6/17/2003 -0300, Petriz, Pablo wrote:
> >Hello Matt
> >I am a "low end hardware" user too, and I want to know if you can extend
> >your case a little bit and explain to us (the not so technical users of snort)
> >which are the pros, cons and howtos of the things you've set up to do it.
> >"I had set up snort by disabling conversation and portscan2, used the lowmem
> >config option and the -k none command line parameter and tuned the ruleset
> >slightly. The process consumed a relatively meager 13mb of ram."
> Sure, I'll explain it a bit more, and if you've got further questions feel
> free to ask:
> Disabling conversation and portscan2:
> what it does: turns off two "resource hog" preprocessors in snort that tend
> to break low-end systems. (note: the conversation preprocessor is the big
> hog, and currently only exists to make portscan2 work the way it does).
> how - edit snort.conf and comment out "preprocessor conversation:
> <parameters>" and "preprocessor portscan2: <parameters>"
> advantage - decrease in memory used and reduced packet-drop rate due to
> lower CPU overhead.
> disadvantage - you lose portscan2's ability to detect portscanning of your
> network. However on low-end hardware this preprocessor works poorly as
> dropped packets cause it to false-alarm, claiming "syn-ack" scans anytime a
> client in your network opens a webpage with large numbers of images in them.
> Using the lowmem option:
> what it does: changes the way snort stores rule structures in memory to the
> same one used in snort 1.9.x. This uses a lot less memory, but is slower
> than the new method used by default in 2.0. If you have so little memory
> that using snort forces you to dig into a swap partition, this can help.
> how - edit snort.conf and un-comment the line "config detection:
> search-method lowmem"
> advantage - reduced memory usage (38 meg reduction on my system, but will
> vary depending on exact ruleset and network variables used.)
> disadvantage - slower processing of rules can cause increased packet drops.
> Using the -k none parameter:
> what it does: disables IP checksum calculation in snort. If snort is behind
> a firewall or router that already re-assembles IP packets, this check is
> completely unnecessary, and even if snort is out in front the check is of
> limited value. It's certainly worth disabling these checks if your
> packet-drop rate is unacceptably high due to a slow processor.
> how - add "-k none" to your command line when you start snort
> advantage - reduced packet-drop rate due to lower CPU overhead.
> disadvantage - snort won't detect packets with corrupted checksums.
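The three snort.conf and command-line changes described in the quoted message, applied by a small POSIX shell script. This is an added example, not code from the thread or from the Snort project; the snort.conf fragment it writes is constructed for the demonstration, the "eth0" interface is only a sample value, and the `tune_conf`, `active_count` and `snort_cmdline` function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original thread: apply the three low-end
# tweaks described above to a copy of snort.conf and print the matching
# start-up command line. The snort.conf fragment below is constructed for
# this demonstration; real files carry many more lines.

# Write a constructed snort.conf fragment to the path given as $1.
make_sample_conf() {
cat > "$1" <<'EOF'
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
# config detection: search-method lowmem
EOF
}

# Produce a tuned copy ($2) of the config ($1):
#   - comment out the conversation and portscan2 preprocessors
#   - un-comment "config detection: search-method lowmem"
# Every other line is copied unchanged.
tune_conf() {
  sed -e 's/^\(preprocessor conversation:.*\)$/# \1/' \
      -e 's/^\(preprocessor portscan2:.*\)$/# \1/' \
      -e 's/^#[[:space:]]*\(config detection:[[:space:]]*search-method[[:space:]]*lowmem\)/\1/' \
      "$1" > "$2"
}

# Count the active (uncommented) lines in $1 that start with $2.
# grep -c exits 1 when the count is zero, so mask that for callers using set -e.
active_count() {
  grep -c "^$2" "$1" || true
}

# Build the start-up command line with checksum verification disabled (-k none).
# $1 is the config path, $2 the capture interface.
snort_cmdline() {
  printf 'snort -c %s -i %s -k none\n' "$1" "$2"
}

# Stand-alone demonstration on a temporary copy.
workdir=$(mktemp -d)
make_sample_conf "$workdir/snort.conf"
tune_conf "$workdir/snort.conf" "$workdir/snort.tuned.conf"
echo "Changed lines:"
diff "$workdir/snort.conf" "$workdir/snort.tuned.conf" || true
echo "Start Snort with:"
snort_cmdline "$workdir/snort.tuned.conf" eth0
rm -rf "$workdir"
```

Run it against a copy of the real snort.conf rather than the file in use, then compare with `diff` before swapping it in: the sed patterns only touch lines beginning with the exact `preprocessor conversation:`, `preprocessor portscan2:` and commented `config detection: search-method lowmem` keywords, so anything else in the file stays as it was.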