[Snort-users] Snort dropping packets
erek at ...950...
Mon Feb 2 14:59:10 EST 2004
On Mon, 2 Feb 2004, KS wrote:
> I have a dual-processor Dell PowerEdge 1600SC box having Intel Xeon 2GHz
> processors and 128 Meg RAM and it is running snort win32 version. I can
> see a lot of alerts on the ACID console and CPU utilization of the box
> remains within 5%.
Please add some memory to that box, else you're in for a world of pain.
Snort 2.x is quite a bit more memory hungry than the 1.x line. So much
for the LIDS model, eh? :)
> I have snort running in service mode with the following command line through IDS
> c:\Snort\bin\snort.exe -c "c:\Snort\etc\snort.conf" -l "c:\Snort\log" -i 1
> Quite interestingly, when I run snort in VERBOSE mode using snort -v -i1 on
> the command prompt, I can see snort logging packets and when I stop it, it
> shows dropped packets, and CPU utilization of the box, when I run snort in
> verbose mode, goes to 45-50%.
Normal and expected.
> Is it possible that snort is dropping packets only in verbose mode and not
> otherwise?
> Appreciate any help on this.
> Below are a few lines taken from the Snort website:
> "If Snort is going to be used in a long term way as an IDS, the -v switch
> should be left off the command line for the sake of speed. The screen is a
> slow place to write data to, and packets can be dropped while writing to the
> display."
If you're going to use Snort in an IDS mode, you _don't_ need -v or -d on
the command line. Log all packets to binary (-b) or unified (snort.conf
change) so that you get all the data.
"It looks just like a Telefunken U-47. You'll love it..." -- Frank Zappa