[Snort-users] snort dropping 48%

sgt_b sgt_b at ...11733...
Thu May 6 15:46:10 EDT 2004


Sheahan, Paul wrote:

>Also Snort STILL creates individual directories for
>each address it encounters. So many directories get created it reaches
>the Linux limit after a while and crashes Snort. I suppose Snort could
>be so busy with this that it may be contributing to the packet loss?
>
If you specify the -N switch it should not do any packet logging. I just 
tested this with `snort -d -l ./ -N -c /usr/local/etc/snort.conf'. It 
generates the alert file, but not any packet logs, so it sounds like you 
might not be using the -N switch properly (or the -N switch needs to be 
in a certain spot?). I could see how default packet logging could easily 
kill a server that runs on gigabit though.
While this may contribute to it, it doesn't sound like the root of your 
problem, as you've previously tried logging binary format.

Sheahan, Paul wrote:

> The content rules are the issue, but it is still a mystery why old 
> hardware and Snort version worked.

The real difference here is the amount of traffic snort needs to analyze. 
Gigabit Ethernet is 10x faster than standard. That's a lot of packets!
What we really need is a response from someone who effectively runs 
snort on a gigabit network. Can snort run "out of the box" on a gigabit 
network efficiently (given decent hardware of course) or does it need to 
be tweaked to prevent major packet loss?

As for your current situation Paul, would it be feasible to share the 
load between multiple sensors? Each sensor containing 100 of your custom 
rules? That might work to get every packet on the wire without having to 
sacrifice some of snort's features for speed.
Just an idea. :)

sgt_b
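As an added example of the load-sharing idea in the post above (this is not code from the post or from the Snort project), here is a POSIX shell script that partitions one custom rules file into per-sensor slices and writes each sensor a config that includes only its slice. The rules file layout (one rule per logical line, backslash continuation, `#` comments), the file names, the seven constructed sample rules and the stand-in shared config are all assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Snort project.
# Partition one custom rules file into per-sensor slices so each sensor loads
# only part of the rule set. Hypothetical assumptions: rules are plain text,
# one rule per logical line, "\" at end of line continues a rule, and lines
# starting with "#" are comments.

# split_rules RULES_FILE OUT_DIR RULES_PER_SENSOR
# Writes OUT_DIR/sensor1.rules, sensor2.rules, ... and prints the sensor count.
split_rules() {
    mkdir -p "$2"
    awk -v per="$3" -v dir="$2" '
        # Glue backslash-continued lines into one logical rule.
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }
        { line = buf $0; buf = "" }
        # Blank lines and comments carry no rule; skip them.
        line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/ { next }
        {
            # Start a new sensor file every "per" rules.
            if (n % per == 0) {
                sensor++
                out = dir "/sensor" sensor ".rules"
            }
            print line > out    # awk truncates on first open, appends after
            n++
        }
        END { print sensor + 0 }
    ' "$1"
}

# write_sensor_conf BASE_CONF OUT_DIR N
# Produces OUT_DIR/sensorN.conf: the shared config plus an include of that
# sensor's slice, so every sensor runs the same preprocessors but fewer rules.
write_sensor_conf() {
    { cat "$1"; printf 'include %s/sensor%s.rules\n' "$2" "$3"; } > "$2/sensor$3.conf"
}

# count_rules FILE: active (non-blank, non-comment) lines in a rules file.
count_rules() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# make_sample_rules FILE: constructed sample of seven custom rules (not real
# signatures), including a comment, a blank line and a continued rule.
make_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample rules
alert tcp any any -> $HOME_NET 80 (msg:"custom 1"; content:"GET"; sid:1000001;)
alert tcp any any -> $HOME_NET 80 (msg:"custom 2"; content:"POST"; sid:1000002;)

alert tcp any any -> $HOME_NET 443 (msg:"custom 3"; \
    content:"|16 03|"; sid:1000003;)
alert udp any any -> $HOME_NET 53 (msg:"custom 4"; content:"|00 01|"; sid:1000004;)
alert tcp any any -> $HOME_NET 22 (msg:"custom 5"; content:"SSH-"; sid:1000005;)
alert tcp any any -> $HOME_NET 21 (msg:"custom 6"; content:"USER"; sid:1000006;)
alert tcp any any -> $HOME_NET 25 (msg:"custom 7"; content:"MAIL"; sid:1000007;)
EOF
}

# Demo: seven rules at three per sensor need three sensors (3, 3 and 1 rules).
work=$(mktemp -d)
make_sample_rules "$work/custom.rules"
printf 'preprocessor stream4\n' > "$work/base.conf"   # stand-in shared config
count=$(split_rules "$work/custom.rules" "$work" 3)
echo "sensors needed: $count"
i=1
while [ "$i" -le "$count" ]; do
    write_sensor_conf "$work/base.conf" "$work" "$i"
    echo "sensor$i: $(count_rules "$work/sensor$i.rules") rules -> $work/sensor$i.conf"
    i=$((i + 1))
done
```

Note that this balances rule count, not rule cost: content rules differ widely in how much work they cause per packet, so slices of equal size can still load sensors unevenly, and every sensor still has to keep up with the full packet rate of the wire.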
