[Snort-users] Performance and rule tuning
nate+snort at ...14258...
Tue Dec 2 13:30:03 EST 2008
Jefferson, Shawn wrote:
> I have a couple of questions about performance and rule tuning.
> I'm seeing quite a bit of dropped packets on one of my sensors.
> Traffic is about 30-60 Mb/s. From the reading I've done, it seems
> like the first thing is to make sure your variables are set in
> snort.conf, and probably the next is to move to mmaped pcap. I've
> attempted to do both of these, however, I was wondering if snort is
> actually using the mmapped pcap or not. Is there any way to tell?
> I did the following:
> - apt-get remove libpcap-dev
Maybe you also need to remove the libpcap package.
> - built the mmapped pcap
> - rebuilt snort
> - put PCAP_FRAMES=32768 in my script file that starts snort
You should then get "Using PCAP_FRAMES=32768" in /var/log/messages
when you start Snort. The normal message without Phil Wood's libpcap
is "Not Using PCAP_FRAMES".
Phil Wood also has an example in the README on his site showing how
to test PCAP_FRAMES after building tcpdump with his libpcap.
> There aren't many "how-to" articles out there for doing this, and I
> hope I did everything right.
> Rule Tuning:
> Is the optimal way of tuning out false positives using suppress
> rules in threshold.conf ? I am using oinkmaster to download new
> rules each day, so I'm assuming that commenting out rules won't
Use disablesid or enablesid in oinkmaster.conf to either comment out
rules that are enabled by default or enable rules that are commented
by default. If you want to disable a rule without running oinkmaster
again then you can manually comment the rule. You should still add
the disablesid line in your oinkmaster.conf or it will get
re-enabled the next time you run Oinkmaster.
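As an added example (not code from the thread or from Snort/Oinkmaster), a small POSIX shell script that automates the two checks described above: whether Snort logged "Using PCAP_FRAMES=..." rather than "Not Using PCAP_FRAMES", and whether every rule commented out by hand has a matching disablesid line so the next Oinkmaster run does not re-enable it. The syslog path, rule file and sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and sample lines are constructed.

# 1. Did Snort start with Phil Wood's mmapped libpcap? Look at the last
#    PCAP_FRAMES line in the syslog file $1 (normally /var/log/messages).
#    Returns 0 if in use, 1 on "Not Using PCAP_FRAMES", 2 if no message found.
check_pcap_frames() {
    last=$(grep 'Using PCAP_FRAMES' "$1" | tail -n 1)
    case "$last" in
        *'Not Using PCAP_FRAMES'*) echo 'mmapped pcap NOT in use'; return 1 ;;
        *'Using PCAP_FRAMES='*) echo "mmapped pcap in use (${last##*Using })"; return 0 ;;
        *) echo 'no PCAP_FRAMES message found'; return 2 ;;
    esac
}

# 2. A rule commented out by hand in rules file $1 needs a matching
#    "disablesid" entry in oinkmaster.conf $2, or the next Oinkmaster run
#    re-enables it. Prints each SID lacking one; returns 1 if any were found.
missing_disablesid() {
    disabled=$(sed -n 's/#.*//; s/^[[:space:]]*disablesid[[:space:]]*//p' "$2" | tr ',' ' ')
    found=0
    for sid in $(grep -E '^[[:space:]]*#[[:space:]]*(alert|log|pass|drop)[[:space:]]' "$1" \
                 | sed -n 's/.*sid:[[:space:]]*\([0-9]\{1,\}\).*/\1/p'); do
        case " $(echo $disabled) " in
            *" $sid "*) ;;
            *) echo "$sid"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample input so both checks run offline.
tmp=$(mktemp -d)
cat > "$tmp/messages" <<'EOF'
Dec  2 13:00:01 sensor snort[4242]: Not Using PCAP_FRAMES
Dec  2 13:20:15 sensor snort[4311]: Using PCAP_FRAMES=32768
EOF
cat > "$tmp/local.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"still enabled"; sid:1000001; rev:1;)
#alert tcp any any -> any 22 (msg:"commented and listed"; sid:1000002; rev:1;)
# alert udp any any -> any 53 (msg:"commented, not listed"; sid:1000003; rev:1;)
EOF
cat > "$tmp/oinkmaster.conf" <<'EOF'
disablesid 1000002, 2003   # commented out by hand on the sensor
EOF

check_pcap_frames "$tmp/messages"
missing_disablesid "$tmp/local.rules" "$tmp/oinkmaster.conf" || echo 'add disablesid lines for the SIDs above'
```

Point the functions at the real /var/log/messages, your rules file and oinkmaster.conf to run the checks on a sensor.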