[Snort-users] Snort performance

Michael Steele michaels at ...9077...
Mon Feb 2 09:41:04 EST 2004

I see you have added pass rules, but have you disabled the rules you really
don't need? Trimming rules is a big thing, like the 'web-coldfusion.rules': if
you don't have ColdFusion running, why alert on it?

You could be overloading Snort. How much traffic are you monitoring?

What's really eating up the processor? Is it Snort or MySQL? You could move
MySQL to a different box.

Try adding more RAM, cheap and the most bang for your buck.

Kindest regards, 

The WINSNORT.com Management Team
Pick up your FREE Windows or UNIX Snort installation guides       
mailto:support at ...9077...
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> admin at lists.sourceforge.net] On Behalf Of SN ORT
> Sent: Thursday, January 29, 2004 8:42 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort performance
> Looking for some performance tips, and maybe I'm just
> overlooking something simple. Here's what I have and
> what I've done:
> -I use a pass.rules file that I put all of my false
> positives. Some of these are real specific, such as
> "pass any > $http_servers $http_ports ...etc ;content:
> "?open "
> -I use this pass.rules file because I assume that it
> would be a performance boost and putting pass rules in
> each rule file would be a waste since those files get
> updated every night with a cron job, overwriting the
> pass rules.
> -The pass.rules file is the first rule file processed.
> This file has grown to 148 lines.
> -I've disabled tcpopt decoder. Don't know if this does
> any good anyways..simply because I choose to remain
> ignorant.
> -I've set my $home_net and $http_servers to specific
> class-c ranges, and set my $external_net to equal
> !home_net
> What else can I do? I'm using now a 500mhz with 256MB
> and I still get a steady 25% cpu usage. Also I can't
> seem to be able to add any more pass rules, namely more
> http-specific rules. TIA!
> Cheese!
> Marc
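
An added example, not part of the original thread or of Snort itself: one way to apply the "disable the rules you don't need" advice is to comment out the matching include lines in snort.conf instead of editing the rule files, so a nightly rule update does not undo the change. The sample config is constructed, and disable_rule_files is a hypothetical helper name.

```python
import re

# Constructed sample snort.conf fragment (Snort 2.x include syntax).
SAMPLE_CONF = """\
var RULE_PATH ../rules
include $RULE_PATH/pass.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-coldfusion.rules
# include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/sql.rules
"""

# Matches an active (uncommented) include of a .rules file.
# Group 1 is the bare file name, e.g. "web-coldfusion.rules".
INCLUDE_RE = re.compile(r"^\s*include\s+\S*?([^/\s]+\.rules)\s*$")


def disable_rule_files(conf_text, unused):
    """Comment out include lines for the rule files named in `unused`.

    Returns (new_conf_text, disabled, not_active). `not_active` lists names
    that were requested but had no active include (already commented out or
    absent), so typos in the request are visible. Running it twice is a no-op.
    """
    unused = set(unused)
    disabled, out = [], []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and m.group(1) in unused:
            out.append("# " + line.lstrip())
            disabled.append(m.group(1))
        else:
            out.append(line)
    not_active = sorted(unused - set(disabled))
    return "\n".join(out) + "\n", disabled, not_active


if __name__ == "__main__":
    # Services assumed not to run on the monitored network (constructed list).
    new_conf, done, skipped = disable_rule_files(
        SAMPLE_CONF, ["web-coldfusion.rules", "web-frontpage.rules"])
    print(new_conf)
    print("disabled:", done, "no active include:", skipped)
```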
