[Snort-users] Snort dropping packets

Erek Adams erek at ...950...
Mon Feb 2 14:59:10 EST 2004


On Mon, 2 Feb 2004, KS wrote:

> I have a dual-processor Dell PowerEdge 1600SC box having Intel Xeon 2GHz
> processors and 128 Meg RAM and it is running snort win32 version.  I can
> see a lot of alerts on acid console and CPU utilization of the box
> remains within 5 %.

Please add some memory to that box, else you're in for a world of pain.
Snort 2.x is quite a bit more memory hungry than the 1.x line.  So much
for the LIDS model, eh?  :)

> I have snort running in service mode with the following command line through IDS
> centre.
>
> c:\Snort\bin\snort.exe -c "c:\Snort\etc\snort.conf" -l "c:\Snort\log" -i 1
>
> Quite interestingly, when I run snort in VERBOSE mode using   snort -v -i1 on
> the command prompt, I can see snort logging packets and when I stop it, it
> shows dropped packets and CPU utilization of the box, when I run snort in
> verbose mode, goes to 45-50%

Normal and expected.

> Is it possible that snort is dropping packets only in verbose mode and not
> otherwise ?

Yep.

> Appreciate any help on this.
>
> Below are few lines taken from snort website :
>
> " If Snort is going to be used in a long term way as an IDS, the -v switch
> should be left off the command line for the sake of speed. The screen is a
> slow place to write data to, and packets can be dropped while writing to the
> display. "

If you're going to use Snort in an IDS mode, you _don't_ need -v or -d on
the command line.  Log all packets to binary (-b) or unified (snort.conf
change)  so that you get all the data.

Cheers!

-----
Erek Adams

 "It looks just like a Telefunken U-47.  You'll love it..."  -- Frank Zappa



