[Snort-users] Who can explain this?where is the bottleneck?

Edin Dizdarevic edin.dizdarevic at ...7509...
Fri May 16 10:39:03 EDT 2003


first: please try to use CR! Oh, I see, Outlook... forget it ;)


Is Snort loosing packets? What is the statistics saying? In Snort 2.0
the statistics seem to work good finally. Have you tried using
perfmonitor? How many packets is Snort "seeing"? Take off all the
machines and connect the tcpreplay-machine with the sensor with a
crossover cable. Don't worry, it will work. Try using more memory
on your sensor. Optimize your HD - Accoustic management off, UDMA5
transfer mode, 32Bit I/O-access, see hdparm --help. Try using 64Bit
machines. Try other NICs (3Com). Turn only unified logging on. Are you
using some IDS evasion techniques like insertion, fragmented packets,
fake resets or similar? Run as few processes on your sensor as

rocky wrote:
> I did some simple tests on snort on-line detection capacity
> yesterday. I check a tcpdump data with only 37 kinds of
> attacks.First, I turn off all useless precessors, indeed only frag2
> and telnet remain opening.Snort2.0 check this data "off-line" with
> only 37 rules. There find about 7700 events in about 5 seconds.
> Then I inject the tcpdump data by tcpreplay from my traffic
> producer and detect the traffic on my sensor. Here are the detected
> events with different traffic rates: 150M   3522 100M   3791 80M
> 3851 50M    3941 20M    4163 10M    4271
> I can not understand why snort can not find most events even in
> very low speed. I think it may be problem of my machines.
> My traffic producer is Intel 1.4G, 256RAM, Redhat 9.0, E1000 NIC. 
> My snort sensor is Intel 2.4G, 512RAM, Redhat 9.0, E1000 NIC. Where
> is the bottleneck? How can I to detect all the events on-line?
> Thanks very much.

Edin Dizdarevic
Networking Unit
Internet- & e-Security

iAS interActive Systems
Gesellschaft fuer interaktive Medien mbH
Dieffenbachstr. 33c
10967 Berlin

fon     +49-(0)30 69 004-123
fax     +49-(0)30 69 004-101
mail    edin.dizdarevic at ...7509...
URL     http://www.interActive-Systems.de/security

More information about the Snort-users mailing list