[Snort-users] A few questions regarding Solaris

waldo kitty wkitty42 at ...14940...
Mon Aug 30 12:35:27 EDT 2010

On 8/30/2010 07:54, Robert Riskin wrote:
> Also I'm running it on a heavily trafficked VLAN, lots of server and workstation
> traffic, to/from Internet, etc.  I know that some alerts are being missed.  I
> have tuned out a lot of the snort rulesets and use emerging markets and most of
> the malware rulesets.  I still find myself missing alerts, for example I'll try
> and hit one of the RBN sites and sometimes Snort will trigger an alert and
> sometimes it won't.  Is there anything I can do to make sure it captures
> everything without missing anything?  My box has 10GB of RAM and 500GB 10k
> hard drives.  So I'm not sure where the bottleneck is.

ok, so you've told us your RAM size and HDs but what about other important factors?

what CPU chip are you using?
what speed is that CPU chip?
what NIC(s) are you using?
are they server grade with their own CPU on them?

you may be dealing with IRQ latency... are all not needed items turned OFF in 
BIOS so that those IRQs are free? are the NIC(s) on their own not-shared IRQs? 
are the NIC(s) on lower numbered IRQs?

if your box doesn't need serial or parallel ports, disable them in the BIOS and 
that should open IRQs 3, 4 and 7 (at least)...

it is also quite possible that your snort is just too busy and is simply not 
able to keep up with the traffic streaming over your NIC(s)... especially if you 
have a lot of rules enabled and even more so if a lot of those rules are not as 
optimized as they could be...

some of the preprocessors have settings where you can limit the amount of items 
they hold for analysis and you can also set the amount of memory they may use... 
it could be that your system is spending more time looking through memory at 
everything than in processing it and thus some of it slips by...

we need more information and details to really get any closer to the problem...
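The first thing to check when a sensor seems to miss alerts is whether Snort itself is dropping packets. Added example (not from the thread or the Snort project): a small parser for the "Packet I/O Totals" block that Snort 2.9 prints on shutdown or SIGUSR1 (a newer layout than the 2010-era Snort in this thread), fed with constructed numbers; the 0.1% threshold is an assumed operational value.

```python
import re
import sys

# Constructed sample of Snort 2.9's "Packet I/O Totals" block; the counts are
# made up for illustration, not taken from the original post.
SAMPLE_STATS = """\
===============================================================================
Packet I/O Totals:
   Received:      1234567
   Analyzed:      1234000 ( 99.954%)
    Dropped:          567 (  0.046%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
"""

# One counter per line: a label, a colon, then the integer count.
COUNTER_RE = re.compile(
    r"^\s*(Received|Analyzed|Dropped|Filtered|Outstanding):\s+(\d+)", re.M)


def parse_packet_totals(text):
    """Return the packet counters of a Snort statistics dump as a dict."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    missing = {"Received", "Dropped"} - counters.keys()
    if missing:
        raise ValueError("stats block lacks counters: %s" % sorted(missing))
    return counters


def drop_rate(counters):
    """Dropped packets as a fraction of those the capture layer received."""
    received = counters["Received"]
    return counters["Dropped"] / received if received else 0.0


def assess(text, max_drop_rate=0.001):
    """Summarise the dump and flag a sensor dropping more than max_drop_rate
    (0.1% by default; an assumed threshold, not a Snort setting)."""
    counters = parse_packet_totals(text)
    rate = drop_rate(counters)
    verdict = ("sensor is dropping packets; alerts can be missed"
               if rate > max_drop_rate else "capture layer is keeping up")
    return {"received": counters["Received"], "dropped": counters["Dropped"],
            "drop_rate": rate, "verdict": verdict}


if __name__ == "__main__":
    # Pipe a real Snort statistics dump on stdin, or run with the sample.
    r = assess(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATS)
    print(f"dropped {r['dropped']} of {r['received']} "
          f"({r['drop_rate']:.4%}): {r['verdict']}")
```

A non-zero Dropped count points at the capture path (CPU, NIC, IRQ sharing, rule load) rather than at the rules missing the traffic.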

