[Snort-users] Performance and rule tuning (linux)

Phil Wood cpw at ...440...
Tue Dec 2 14:00:11 EST 2008


I maintain the version of the mmaped libpcap at:


There is some help on how to build the libpcap and an example
incantation which may fail, unless you have around 16 gigs of memory.  I
haven't spent the time on a nice algorithm to determine just how much
shared memory to steal for the duration.  I have a feeling that taking
too much at startup may create problems later on, when other
applications need a shot.  You could run top on your machine or check
out /proc/meminfo over a period of time and look for fluctuations and
choose a PCAP_MEMORY value (in Kbytes) which
will not affect normal operations on your sensor.

You might want to 'rm -rf config' before running the bootstrap script.
Also, you may need to install the following:

  apt-get install libtool automake autoconf flex bison

Let me know how it goes.

On Tue, 2008-12-02 at 10:36 -0700, Jefferson, Shawn wrote:
> Hi,
> I have a couple of questions about performance and rule tuning.
> Performance:
> I’m seeing quite a bit of dropped packets on one of my sensors.
> Traffic is about 30-60 Mb/s.  From the reading I’ve done, it seems
> like the first thing is to make sure your variables are set in
> snort.conf, and probably the next is to move to mmaped pcap.  I’ve
> attempted to do both of these, however, I was wondering if snort is
> actually using the mmapped pcap or not. Is there any way to tell?
> I did the following:
> - apt-get remove libpcap-dev
> - built the mmapped pcap
> - rebuilt snort
> - put PCAP_FRAMES=32768 in my script file that starts snort
> There aren’t many “how-to” articles out there for doing this, and I
> hope I did everything right.
> Rule Tuning:
> Is the optimal way of tuning out false positives using suppress rules
> in threshold.conf ?  I am using oinkmaster to download new rules each
> day, so I’m assuming that commenting out rules won’t work.
> Thanks!
> Shawn
C. Philip Wood, Int. D.
Senior Member of the Internet
Los Alamos National Laboratory
Key fingerprint: 2BB7 A990 44F5 EF4B 4E35  8635 1205 97D3 F6D8 7F39
E-mail: cpw at ...440..., cornett at ...1649...
Phone: 505 667-2598
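
One way to do the /proc/meminfo watching suggested in the message above, as an added example that is not part of the original post or of the mmapped libpcap. The headroom measure (MemFree + Buffers + Cached), the 50% default and all function names are assumptions of this sketch, and the two snapshots it can write are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Sizes are in kB, as in /proc/meminfo.

# Headroom in one snapshot: MemFree + Buffers + Cached (assumed measure).
reclaimable_kb() {
    awk '$1 == "MemFree:" || $1 == "Buffers:" || $1 == "Cached:" { sum += $2 }
         END { printf "%d\n", sum }' "$1"
}

# Smallest headroom across all snapshot files given as arguments.
min_headroom_kb() {
    min=""
    for f in "$@"; do
        kb=$(reclaimable_kb "$f")
        if [ -z "$min" ] || [ "$kb" -lt "$min" ]; then min=$kb; fi
    done
    echo "${min:-0}"
}

# Candidate PCAP_MEMORY: a percentage (default 50, an assumption) of the worst-case headroom.
suggest_pcap_memory_kb() {
    echo $(( $1 * ${2:-50} / 100 ))
}

# Two constructed snapshots for trying the functions without a live sensor.
write_constructed_samples() {
    printf 'MemTotal: 16000000 kB\nMemFree: 4000000 kB\nBuffers: 500000 kB\nCached: 1500000 kB\nSwapCached: 0 kB\n' > "$1/s1"
    printf 'MemTotal: 16000000 kB\nMemFree: 2000000 kB\nBuffers: 500000 kB\nCached: 1000000 kB\nSwapCached: 0 kB\n' > "$1/s2"
}

# Usage: sh script.sh watch COUNT INTERVAL_SECONDS
if [ "${1:-}" = "watch" ]; then
    dir=$(mktemp -d)
    i=0
    while [ "$i" -lt "$2" ]; do
        cat /proc/meminfo > "$dir/s$i"
        i=$((i + 1))
        sleep "$3"
    done
    low=$(min_headroom_kb "$dir"/s*)
    echo "lowest headroom: ${low} kB; candidate PCAP_MEMORY=$(suggest_pcap_memory_kb "$low")"
    rm -rf "$dir"
fi
```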