[Snort-users] Snort 2.6.1.3 ignoring stream4

Paul Melson pmelson at ...11827...
Sat Apr 7 20:12:32 EDT 2007


On 4/6/07, Darryl Taylor <darryl.taylor at ...1935...> wrote:
> What size pipe is it monitoring (what's peak and sustained during
> business hours)? Which libpcap implementation is installed, standard,
> Phil Woods, or pfring?

The pipes' that this sensor is watching have an aggregate bandwidth of
about 24Mbps, and peak throughput is between 10-15Mbps with peak pps
rates in the 60-80 range.  The pcap library is the default libpcap
package that comes with RHEL4.

This issue is definitely tied to 2.6.1.3 and not the hardware.  I can
down-rev the config file and snort binary back to 2.6.0.2 on this box
and the CPU usage drops off dramatically.

PaulM




More information about the Snort-users mailing list