[Snort-users] Snort performance concerns

Richard Bejtlich taosecurity at ...11827...
Fri Sep 30 08:39:29 EDT 2005


I heartily endorse suggestions by Jeff and Joel to use Barnyard.  It
is a tragedy that so many configuration guides and books neglect this
important aspect of running Snort with database support.

If you have the option to test your configuration on FreeBSD or
NetBSD, you might want to gather per-process packet loss metrics using
bpfstat.  I tested it on FreeBSD 6.0 recently.  [0] I don't know of an
equivalent way to collect the same sorts of data (in similar formats)
on Linux.  If anyone does, a reply here would be helpful.



[0] http://taosecurity.blogspot.com/2005/09/notes-on-network-security-monitoring.html

More information about the Snort-users mailing list