[Snort-users] Improving overall performance of snort and stopping those drops

Scott Zawalski scott.zawalski at ...5689...
Wed Nov 5 01:57:06 EST 2003

I am using snort to collect packets on a gig connection that gets on 
average 1.3 tB/s.

P4 3 GHz
333 MHz 4 Gig RAM
Linux Kernel 2.4.20

Snort 2.0.2
Rules ~8
Libpcap with shared memory ring buffers (http://public.lanl.gov/cpw/)
Log out: Unified using barnyard for mysql insertion

Without the above libpcap I was dropping between 30% and 40%, however 
with it my loss dropped down to between 10% and 20%!

What else can I do to get that extra bit down to 0? The machine should 
be capable of this shouldn't it? What is my limiting factor now? Is 
there a huge advancement in performance in the 2.6.x kernel branch? What 
about CVS Snort?

I do not want to use BPFs because I do not want to blind my IDS in 
any way. The Snort setup is internal to our subnet anyways so all traffic 
it sees is our traffic.

Any tips or tricks are greatly appreciated!

Thank you,
