[Snort-users] A few questions regarding Solaris

Mike Lococo mikelococo at ...11827...
Tue Aug 31 14:53:19 EDT 2010

> Thanks for your information regarding the SO_RULES about the source
> compiled, this means I will have to switch platforms completely.  I'm
> thinking about CENTOS or Ubuntu, however it looks like Snort is not
> compatible with the latest Ubuntu release? (Talking about SO_RULES) and
> since they are in the midst of changing supported platforms I will most
> likely rebuild my HP system. Does that make the most sense? I'm not
> going to do anything with my current build until I form a plan of
> rebuilding a new OS. More fun, which I really don't have time to do but
> I do want to take advantage of the SO_RULES.

I don't have strong feelings about platform.  I've always run on RedHat,
which works for me.  Lots of folks I respect use FreeBSD.  I think
pretty much any platform with pre-compiled SO_RULES is a first-class
citizen with respect to running Snort.

> CPU usage is nil, watching it now under 1% . . . memory is at 3%.  I
> will look into turning on the performance monitor preprocessor, can I
> run this in daemon mode, if so how do I check the stats, can I log them
> to a file? Thank you very much for your help, I really do appreciate it!

Read the fine manual, there's a section on the perfmon preprocessor.  It
writes output to a file of your choosing in comma delimited format.  I
use Zabbix to collect and graph the columns I'm interested in because I
already have it available for other system monitoring purposes and it
works well.  There are lots of other visualization tools, both
snort/perfmon focused and generic unix graphic frameworks.  For initial
troubleshooting, you can also learn quite a lot just by tailing the csv
file, although that gets tiresome eventually.

> CPU - 2x dual core 2.3MHz chips
> Processor Cache: 4096KB
> The NICs is HP branded without own CPU, it has 4 gig NIC ports on each
> card. I'm only using one of these ports, as I originally planned to
> monitor more than one VLAN.
> I'm going to turn off the IRQs in the BIOS.
> I don't have too many rules turned on and not even using the SO_RULES,
> but I agree that it might be the sheer amount of traffic going over the
> wire.

You haven't said how much traffic you actually have.  As a random
data-point, with stock intel ethernet cards I see a few percent loss at
50mbits (not megaBytes, megabits) on a 16 core system with 32gig of ram.
With an Endace capture card, I push 1.4gigabits through a slightly
smaller box with virtually no loss.  I'm not sure how far folks are able
to scale snort on commodity ethernet cards before they start losing
packets, but I'd be surprised if it was much beyond 200 megabits per

If you want to minimize this kind of low-level tuning, consider ponying
up for a SourceFire box where this kind of work is done out of the gate.

Good Luck,
Mike Lococo
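As an added example (not part of this thread, and not Snort's own tooling), the script below reads the comma-delimited output the perfmon preprocessor writes, as described in the reply above, and pulls out the two columns most relevant to the packet-loss discussion: drop percentage and wire throughput. The header column names (`time`, `pkt_drop_percent`, `wire_mbits_per_sec.realtime`, `alerts_per_second`) and the sample rows are assumptions constructed for this example; compare them against the `#` header line of your own perfmon file and adjust the names if they differ.

```python
"""Summarise Snort perfmon CSV output (added example; not from the thread).

Snort's perfmon preprocessor writes one comma-separated sample per
interval, preceded by a header line beginning with '#'.  The column names
used here are assumed for this example; check your own file's header.
"""
import csv
from typing import Dict, List

# Constructed sample of perfmon-style output (not captured from a real sensor).
SAMPLE_PERFMON_CSV = """\
#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second
1283277600,0.000,48.210,0.40
1283277900,0.120,51.884,0.55
1283278200,2.950,63.007,0.61
1283278500,4.310,71.552,0.70
1283278800,0.050,44.903,0.38
"""


def parse_perfmon(text: str) -> List[Dict[str, float]]:
    """Parse perfmon CSV text into a list of {column: value} dicts.

    The header row is identified by its leading '#', which is stripped so
    the names can serve as dictionary keys.  Blank lines are skipped, rows
    whose field count does not match the header (e.g. a line still being
    written when the file was read) are ignored, and fields become floats.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("#"):
        raise ValueError("expected a '#'-prefixed perfmon header line")
    header = lines[0][1:].split(",")
    rows: List[Dict[str, float]] = []
    for rec in csv.reader(lines[1:]):
        if len(rec) != len(header):
            continue
        rows.append({name: float(val) for name, val in zip(header, rec)})
    return rows


def summarize(rows: List[Dict[str, float]], drop_threshold: float = 1.0) -> dict:
    """Return peak and mean drop %, mean wire Mbit/s, and the sample times
    whose drop percentage exceeded drop_threshold (the alerting condition
    you would graph or trigger on in a monitoring system)."""
    if not rows:
        return {"samples": 0, "max_drop_pct": 0.0, "mean_drop_pct": 0.0,
                "mean_mbits": 0.0, "over_threshold": []}
    drops = [r["pkt_drop_percent"] for r in rows]
    mbits = [r["wire_mbits_per_sec.realtime"] for r in rows]
    over = [int(r["time"]) for r in rows if r["pkt_drop_percent"] > drop_threshold]
    return {
        "samples": len(rows),
        "max_drop_pct": max(drops),
        "mean_drop_pct": sum(drops) / len(drops),
        "mean_mbits": sum(mbits) / len(mbits),
        "over_threshold": over,
    }


if __name__ == "__main__":
    stats = summarize(parse_perfmon(SAMPLE_PERFMON_CSV))
    print(f"samples: {stats['samples']}")
    print(f"max drop: {stats['max_drop_pct']:.2f}%  "
          f"mean drop: {stats['mean_drop_pct']:.2f}%  "
          f"mean load: {stats['mean_mbits']:.1f} Mbit/s")
    for t in stats["over_threshold"]:
        print(f"drop above threshold at epoch {t}")
```

Run it against the real file with `parse_perfmon(open(path).read())`; for the "tail the csv" stage of troubleshooting, feeding only the last few hundred lines is enough to see whether loss tracks throughput, which is the question the reply raises about commodity NICs.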

