[Snort-users] Snort 2.0.4 CPU Utilization\Optimization

Mark Ewert mewert at ...10516...
Fri Nov 21 10:04:10 EST 2003

I figured out another potential cause of my problem - the E1000 NIC in
the system was supposed to be 64-bit/133 MHz for the PCI-X slot but it
turns out to be only 32/66! So - NIC upgrade forthwith.


Mark F. Ewert, Principal Systems Architect
Integrated Healthcare Information Services

-----Original Message-----
From: Edin Dizdarevic [mailto:edin.dizdarevic at ...7509...] 
Sent: Friday, November 21, 2003 3:27 AM
To: Mark Ewert
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort 2.0.4 CPU Utilization\Optimization


You probably do not have much space for further optimizations regarding
your system.

For your libpcap you may try settings like "PCAP_FRAMES=max snort ..."

Try further optimizing your ruleset, deactivating all unnecessary rules.
500 rules are not that many, but my experience is that for common server
environments about 100-150 rules are more than enough.

It would be interesting to know how your network environment looks.

The next issue is the preprocessors. Do you need all of them?

Are you really using IIS as well as Apache? The only relevant setting
for Apache is "full_whitespace". You can deactivate the rest.

Consider deactivating

For memcap try something up to 32 MB. Check the memory consumption
anyway. What other processes do you have running on the machine?

Deactivate ports you're not using.
Port 53 -> DNS is using UDP, AFAIK Stream4_reassemble is for TCP only.

timeout: 60 seconds -> Check how long your systems are waiting for
fragments. For example, Linux will only wait 30s. Set this accordingly.
Give frag2 more memory. If you have your sensor behind a Linux firewall,
deactivate this preprocessor since Netfilter always defragments.

Consider deactivating.


Mark Ewert wrote:
> Greetings,
> Thanks in advance!

Edin Dizdarevic
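
The frag2 timeout advice in this thread, as an added example that is not part of the original messages: a shell check that reads the frag2 timeout from a snort.conf and compares it with the Linux fragment timeout in /proc/sys/net/ipv4/ipfrag_time. The sample config lines are constructed, the function names are hypothetical, and it assumes the machine it runs on is representative of the hosts the sensor protects.

```shell
#!/bin/sh
# Added example: does Snort's frag2 timeout match the fragment timeout of
# the hosts behind the sensor? With a mismatch, sensor and host can
# reassemble different data from the same fragments.

# Print "disabled" (no active frag2 line), "default" (no timeout option),
# or the configured timeout in seconds.
frag2_timeout() {
    line=$(grep -E '^[[:space:]]*preprocessor[[:space:]]+frag2[[:space:]]*(:|$)' "$1" | tail -n 1)
    [ -n "$line" ] || { echo disabled; return 0; }
    secs=$(printf '%s\n' "$line" | sed -n 's/.*timeout[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p')
    echo "${secs:-default}"
}

# Returns 0 on a match, 1 on a mismatch, 2 when no timeout is pinned.
check_frag_timeout() {
    sensor=$(frag2_timeout "$1"); want=$2
    case $sensor in
        disabled) echo "frag2 is off: the sensor does no IP defragmentation"; return 2 ;;
        default)  echo "frag2 has no explicit timeout: set it to ${want}s"; return 2 ;;
    esac
    if [ "$sensor" -eq "$want" ]; then
        echo "ok: sensor and host both hold fragments for ${sensor}s"; return 0
    fi
    echo "mismatch: frag2 timeout is ${sensor}s, host waits ${want}s"
    return 1
}

# Constructed sample snort.conf lines (not the poster's configuration).
sample_conf() {
    cat <<'EOF'
# preprocessor frag2: timeout 120
preprocessor frag2: timeout 60, memcap 4194304
EOF
}

demo_conf=$(mktemp)
trap 'rm -f "$demo_conf"' EXIT
sample_conf > "$demo_conf"
# Linux exposes its fragment timeout in /proc; fall back to the 30s cited above.
host_secs=$(cat /proc/sys/net/ipv4/ipfrag_time 2>/dev/null || echo 30)
check_frag_timeout "$demo_conf" "$host_secs" || true
```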

