[Snort-users] Performance and rule tuning

Nathaniel Richmond nate+snort at ...14258...
Tue Dec 2 13:30:03 EST 2008

Replies inline.


Jefferson, Shawn wrote:
> Hi,
> I have a couple of questions about performance and rule tuning.
> Performance:
> I'm seeing quite a bit of dropped packets on one of my sensors.
> Traffic is about 30-60 Mb/s.  From the reading I've done, it seems
> like the first thing is to make sure your variables are set in
> snort.conf, and probably the next is to move to mmapped pcap.  I've
> attempted to do both of these, however, I was wondering if snort is
> actually using the mmapped pcap or not. Is there any way to tell?
> I did the following:
> - apt-get remove libpcap-dev

Maybe you also need to remove the libpcap package.

> - built the mmapped pcap
> - rebuilt snort
> - put PCAP_FRAMES=32768 in my script file that starts snort

You should then get "Using PCAP_FRAMES=32768" in /var/log/messages
when you start Snort. The normal message without Phil Wood's libpcap
is "Not Using PCAP_FRAMES".

Phil Wood also has an example in the README on his site showing how
to test PCAP_FRAMES after building tcpdump with his libpcap.

> There aren't many "how-to" articles out there for doing this, and I
> hope I did everything right.
> Rule Tuning:
> Is the optimal way of tuning out false positives using suppress
> rules in threshold.conf?  I am using oinkmaster to download new
> rules each day, so I'm assuming that commenting out rules won't
> work.

Use disablesid or enablesid in oinkmaster.conf to either comment out
rules that are enabled by default or enable rules that are commented
by default. If you want to disable a rule without running oinkmaster
again then you can manually comment the rule. You should still add
the disablesid line in your oinkmaster.conf or it will get
re-enabled the next time you run Oinkmaster.

> Thanks!
> Shawn
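Added example (not part of the original message, and not Oinkmaster's own code): a check for the situation described in the reply above, a rule commented out by hand with no matching disablesid line in oinkmaster.conf. The file contents and SIDs are constructed samples, and the parser assumes comma-separated SID lists on disablesid lines; rules that ship commented out by default will also be listed.

```python
import re

# "disablesid 9000001, 9000002" (assumed comma-separated; trailing "# note" allowed)
DISABLESID_RE = re.compile(r"^\s*disablesid\s+([\d\s,]+)", re.IGNORECASE)
# A commented-out rule line: "#alert tcp ... (...; sid:9000001; ...)"
COMMENTED_RULE_RE = re.compile(
    r"^\s*#+\s*(?:alert|log|pass|drop|reject|sdrop)\b.*?\bsid\s*:\s*(\d+)\s*;"
)

# Constructed oinkmaster.conf fragment. The commented directive must not count.
SAMPLE_CONF = """\
disablesid 9000001, 9000002  # noisy on this sensor
# disablesid 9000004
"""

# Constructed rules file: one active rule, three commented out by hand.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"constructed A"; sid:9000003; rev:1;)
#alert tcp any any -> any 80 (msg:"constructed B"; sid:9000001; rev:1;)
# alert tcp any any -> any 25 (msg:"constructed C"; sid:9000004; rev:2;)
# alert udp any any -> any 53 (msg:"constructed D"; sid:9000005; rev:1;)
"""


def disabled_sids(conf_text):
    """SIDs named on active (uncommented) disablesid lines."""
    sids = set()
    for line in conf_text.splitlines():
        m = DISABLESID_RE.match(line)
        if m:
            sids.update(int(s) for s in re.findall(r"\d+", m.group(1)))
    return sids


def commented_sids(rules_text):
    """SIDs of rules that are commented out in the rules file."""
    return {int(m.group(1)) for line in rules_text.splitlines()
            if (m := COMMENTED_RULE_RE.match(line))}


def unpinned(conf_text, rules_text):
    """Commented-out rules with no disablesid line to keep them disabled."""
    return sorted(commented_sids(rules_text) - disabled_sids(conf_text))


if __name__ == "__main__":
    for sid in unpinned(SAMPLE_CONF, SAMPLE_RULES):
        print(f"sid {sid}: commented out, but no disablesid in oinkmaster.conf")
```
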
