[Snort-users] Improving overall performance of snort and stopping those drops
scott.zawalski at ...5689...
Wed Nov 5 01:57:06 EST 2003
I am using snort to collect packets on a gig connection that gets on
average 1.3 tB/s.
P4 3 Ghz
333MHZ 4Gig Ram
Linux Kernel 2.4.20
Libpcap with shared memory ring buffers (http://public.lanl.gov/cpw/)
Log out: Unified using barnyard for mysql insertion
Without the above libpcap I was dropping between 30% and 40%; however,
with it my loss dropped down to between 10% and 20%!
What else can I do to get that extra bit down to 0? The machine should
be capable of this shouldn't it? What is my limiting factor now? Is
there a huge advancement in performance in the 2.6.x kernel branch? What
about CVS Snort?
I do not want to use BPFs because I do not want to blind my IDS in
any way. The Snort setup is internal to our subnet anyway, so all traffic
it sees is our traffic.
Any tips or tricks are greatly appreciated!
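One check that bears on the "what is my limiting factor now?" question is whether the kernel is already dropping received frames before libpcap's ring buffer ever sees them; if the interface's rx drop and fifo counters climb, the loss is in the NIC/driver, and no libpcap or Snort tuning will recover it. The script below is an added example, not part of the original post, of Snort or of the LANL libpcap; it parses the Linux 2.4-era /proc/net/dev layout (two header lines, then per-interface receive counters: bytes, packets, errs, drop, fifo, ...) and runs offline against a constructed sample. On a live sensor, point the functions at /proc/net/dev instead of the sample file.

```shell
#!/bin/sh
# Added example (not from the original post or from Snort): report kernel-side
# receive drops per interface from /proc/net/dev, to tell NIC/driver loss
# apart from loss inside libpcap or Snort.

# Constructed sample in /proc/net/dev layout so the script runs offline.
SAMPLE_NET_DEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456    1234    0    0    0     0          0         0   123456    1234    0    0    0     0       0          0
  eth0:1234567890 9876543    0  1024  512     0          0         0      1000      10    0    0    0     0       0          0'

# rx_drops FILE [IFACE]
# One line per interface (or only IFACE): received packets, kernel rx drops,
# rx fifo overruns, and drops as a percentage of packets delivered.
rx_drops() {
    file=$1
    iface=${2:-}
    # The kernel omits the space after the colon once the byte counter gets
    # wide ("eth0:1234567890"), so turn the colon into a separator first.
    sed -e '1,2d' -e 's/:/ /' "$file" | awk -v want="$iface" '
        want != "" && $1 != want { next }
        {
            pkts = $3 + 0; drop = $5 + 0; fifo = $6 + 0
            pct = (pkts > 0) ? 100 * drop / pkts : 0
            printf "%s rx_packets=%d rx_drop=%d rx_fifo=%d drop_pct=%.2f\n", $1, pkts, drop, fifo, pct
        }'
}

# rx_drops_total FILE
# Sum of rx drop + rx fifo over all interfaces. Non-zero means some frames are
# lost in the NIC/driver before libpcap's ring buffer can take them.
rx_drops_total() {
    sed -e '1,2d' -e 's/:/ /' "$1" | awk '{ total += $5 + $6 } END { print total + 0 }'
}

# Demo on the constructed sample; replace "$tmp" with /proc/net/dev on a sensor.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_NET_DEV" > "$tmp"
rx_drops "$tmp"
echo "total kernel rx loss: $(rx_drops_total "$tmp")"
rm -f "$tmp"
```

Run it twice a minute apart while Snort is capturing: if rx_drop or rx_fifo grows between samples, the frames never reached libpcap and the fix is in the driver or NIC ring (or a faster box), whereas if they stay flat, the remaining loss is happening in the libpcap buffer or in Snort's own processing.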