[Snort-users] Performance and rule tuning

Jefferson, Shawn Shawn.Jefferson at ...14448...
Tue Dec 2 14:39:34 EST 2008


Thanks for your help everyone, I think I have this working.

The log was daemon.log not messages, and it wasn't using PCAP_FRAMES.  I did the following:

- apt-get remove libpcap0.8
- Rebuilt snort
- Used "export PCAP_FRAMES=32768" (I was confused as to whether to use export or not... export seems to be required.)

Now it says "Using PCAP_FRAMES=32768" in daemon.log.

Now I'll do this on my main snort sensor and see if there is any performance improvement.



-----Original Message-----
From: Nathaniel Richmond [mailto:nate+snort at ...14258...]
Sent: December 02, 2008 10:30 AM
To: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Performance and rule tuning

Replies inline.

Nate

Jefferson, Shawn wrote:
> Hi,
>
> I have a couple of questions about performance and rule tuning.
>
> Performance:
>
> I'm seeing quite a bit of dropped packets on one of my sensors.
> Traffic is about 30-60 Mb/s.  From the reading I've done, it seems
> like the first thing is to make sure your variables are set in
> snort.conf, and probably the next is to move to mmaped pcap.  I've
> attempted to do both of these, however, I was wondering if snort is
> actually using the mmapped pcap or not. Is there any way to tell?
>
> I did the following:
> - apt-get remove libpcap-dev

Maybe you also need to remove the libpcap package.

> - built the mmapped pcap
> - rebuilt snort
> - put PCAP_FRAMES=32768 in my script file that starts snort

You should then get "Using PCAP_FRAMES=32768" in /var/log/messages
when you start Snort. The normal message without Phil Wood's libpcap
is "Not Using PCAP_FRAMES".

Phil Wood also has an example in the README on his site showing how
to test PCAP_FRAMES after building tcpdump with his libpcap.
http://public.lanl.gov/cpw/pcapREADME.html

>
> There aren't many "how-to" articles out there for doing this, and I
> hope I did everything right.
>
> Rule Tuning:
>
> Is the optimal way of tuning out false positives using suppress
> rules in threshold.conf ?  I am using oinkmaster to download new
> rules each day, so I'm assuming that commenting out rules won't
> work.

Use disablesid or enablesid in oinkmaster.conf to either comment out
rules that are enabled by default or enable rules that are commented
by default. If you want to disable a rule without running oinkmaster
again then you can manually comment the rule. You should still add
the disablesid line in your oinkmaster.conf or it will get
re-enabled the next time you run Oinkmaster.

>
> Thanks!
> Shawn
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's
> challenge
> Build the coolest Linux based applications with Moblin SDK & win
> great prizes
> Grand prize is a trip for two to an Open Source event anywhere in
> the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
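Two checks for the points raised in this thread, as an added example that is not part of either message: reading the "Using PCAP_FRAMES=N" / "Not Using PCAP_FRAMES" banner out of the startup log, and showing why a plain `PCAP_FRAMES=32768` in a start script is not seen by Snort unless it is exported. The log lines are constructed; the syslog prefix around the banner text is assumed, and the child `sh` stands in for the snort process.

```bash
#!/bin/sh
# Added example, not from the thread. Assumes Snort's startup banner is written to
# the log file you pass in (daemon.log or /var/log/messages, depending on syslog setup).

# Constructed sample log: an earlier start without mmapped pcap, then one with it.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Dec  2 14:10:01 sensor snort[2211]: Initializing Network Interface eth1
Dec  2 14:10:01 sensor snort[2211]: Not Using PCAP_FRAMES
Dec  2 14:20:33 sensor snort[2390]: Initializing Network Interface eth1
Dec  2 14:20:33 sensor snort[2390]: Using PCAP_FRAMES=32768
EOF

# Report the PCAP_FRAMES state from the most recent Snort start in a log file:
# the frame count if mmapped pcap is active, "none" if Snort logged
# "Not Using PCAP_FRAMES", or "unknown" if no banner was found at all.
pcap_frames_state() {
    line=$(grep -E 'snort\[[0-9]+\]: (Not )?Using PCAP_FRAMES' "$1" | tail -n 1)
    case "$line" in
        *"Not Using PCAP_FRAMES"*) echo none ;;
        *"Using PCAP_FRAMES="*)    echo "${line##*PCAP_FRAMES=}" ;;
        *)                         echo unknown ;;
    esac
}

# A bare assignment creates a shell variable only; the child process (here
# /bin/sh standing in for snort) does not inherit it and sees the name unset.
child_sees_without_export() {
    unset PCAP_FRAMES_DEMO
    PCAP_FRAMES_DEMO=32768
    sh -c 'echo "${PCAP_FRAMES_DEMO:-unset}"'
}

# With export the value is placed in the environment and the child sees it.
child_sees_with_export() {
    PCAP_FRAMES_DEMO=32768
    export PCAP_FRAMES_DEMO
    sh -c 'echo "${PCAP_FRAMES_DEMO:-unset}"'
}

echo "mmapped pcap state from log: $(pcap_frames_state "$SAMPLE_LOG")"
echo "child without export:        $(child_sees_without_export)"
echo "child with export:           $(child_sees_with_export)"
```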

