[Snort-users] A few questions regarding Solaris

Robert Riskin freshbones at ...11827...
Tue Aug 31 15:20:21 EDT 2010


Mike, thank you very much for the info. I'm curious how you have Zabbix watch
your perfmon file with certain columns.  I use Zabbix in a separate
environment (and I love it) but am planning on deploying in production by
year-end.

Yeah, I'm going to rebuild the system with a supported SO_RULES platform.

I was thinking about going for a Sourcefire box, but I really enjoy building
and learning this stuff from the ground up; it's very informative and I gain
a greater insight into the network. However, if I am experiencing massive
loss then I guess I have no choice but to go that route; I'd much rather do
this myself!

Thank you again for your insight and help!

On Tue, Aug 31, 2010 at 2:53 PM, Mike Lococo <mikelococo at ...11827...> wrote:

> > Thanks for your information regarding the SO_RULES about the source
> > compiled, this means I will have to switch platforms completely.  I'm
> > thinking about CENTOS or Ubuntu, however it looks like Snort is not
> > compatible with the latest Ubuntu release? (Talking about SO_RULES) and
> > since they are in the midst of changing supported platforms I will most
> > likely rebuild my HP system. Does that make the most sense? I'm not
> > going to do anything with my current build until I form a plan of
> > rebuilding a new OS. More fun, which I really don't have time to do but
> > I do want to take advantage of the SO_RULES.
>
> I don't have strong feelings about platform.  I've always run on RedHat,
> which works for me.  Lots of folks I respect use FreeBSD.  I think
> pretty much any platform with pre-compiled SO_RULES is a first-class
> citizen with respect to running Snort.
>
> > CPU usage is nil, watching it now under 1% . . . memory is at 3%.  I
> > will look into turning on the performance monitor preprocessor, can I
> > run this in daemon mode, if so how do I check the stats, can I log them
> > to a file? Thank you very much for your help, I really do appreciate it!
>
> Read the fine manual, there's a section on the perfmon preprocessor.  It
> writes output to a file of your choosing in comma delimited format.  I
> use Zabbix to collect and graph the columns I'm interested in because I
> already have it available for other system monitoring purposes and it
> works well.  There are lots of other visualization tools, both
> snort/perfmon focused and generic unix graphic frameworks.  For initial
> troubleshooting, you can also learn quite a lot just by tailing the csv
> file, although that gets tiresome eventually.
>
> > CPU - 2x dual core 2.3MHz chips
> > Processor Cache: 4096KB
> >
> > The NICs are HP branded without their own CPU; each card has 4 gig NIC
> > ports. I'm only using one of these ports, as I originally planned to
> > monitor more than one VLAN.
> >
> > I'm going to turn off the IRQs in the BIOS.
> >
> > I don't have too many rules turned on and am not even using the SO_RULES,
> > but I agree that it might be the sheer amount of traffic going over the
> > wire.
>
> You haven't said how much traffic you actually have.  As a random
> data-point, with stock Intel ethernet cards I see a few percent loss at
> 50mbits (not megaBytes, megabits) on a 16 core system with 32gig of ram.
> With an Endace capture card, I push 1.4gigabits through a slightly
> smaller box with virtually no loss.  I'm not sure how far folks are able
> to scale snort on commodity ethernet cards before they start losing
> packets, but I'd be surprised if it was much beyond 200 megabits per
> snort-process/ethernet-port.
>
> If you want to minimize this kind of low-level tuning, consider ponying
> up for a SourceFire box where this kind of work is done out of the gate.
>
> Good Luck,
>  Mike Lococo
>
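Mike's point about learning from the perfmon CSV before wiring it into Zabbix, as an added example (not code from this thread or from the Snort project): a small parser that reads a perfmon file, pulls out the columns you care about, and reports the intervals where packet loss crossed a threshold. The sample file and its column names are constructed; take the real names from the `#`-prefixed header line your Snort version writes.

```python
"""Pull selected columns out of a Snort perfmon CSV and flag drop spikes."""
import csv
from typing import Dict, List

# Constructed sample. A perfmon file starts with a '#'-prefixed header naming
# the columns, followed by one comma-separated row per reporting interval.
# The column names here are assumptions for the example; read yours from the
# header of the file your own Snort instance writes.
SAMPLE_PERFMON = """#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second
1283280000,0.12,48.3,2.1
1283280060,3.90,51.7,2.4
1283280120,0.05,47.9,1.9
"""


def parse_perfmon(text: str) -> List[Dict[str, float]]:
    """Return one dict per reporting interval, keyed by the header column names."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#"):
        raise ValueError("expected a '#'-prefixed header line as the first line")
    header = lines[0].lstrip("#").split(",")
    rows: List[Dict[str, float]] = []
    for rec in csv.reader(lines[1:]):
        # Skip blank lines and any further header lines (e.g. if the file was
        # appended to across a restart) so they do not break float parsing.
        if not rec or rec[0].startswith("#"):
            continue
        if len(rec) != len(header):
            raise ValueError(f"row has {len(rec)} fields, header has {len(header)}")
        rows.append(dict(zip(header, (float(v) for v in rec))))
    return rows


def select_columns(rows: List[Dict[str, float]], columns: List[str]) -> List[Dict[str, float]]:
    """Keep only the named columns, the way a graphing tool would pick items."""
    return [{c: r[c] for c in columns} for r in rows]


def intervals_over_drop_threshold(rows: List[Dict[str, float]], threshold: float = 1.0) -> List[int]:
    """Timestamps of intervals whose pkt_drop_percent exceeded the threshold."""
    return [int(r["time"]) for r in rows if r["pkt_drop_percent"] > threshold]


if __name__ == "__main__":
    data = parse_perfmon(SAMPLE_PERFMON)
    for row in select_columns(data, ["time", "pkt_drop_percent"]):
        print(row)
    print("drop spikes at:", intervals_over_drop_threshold(data))
```

For a live file, feed the parser the lines a tail-style reader hands you instead of the constructed string; the threshold check is the same either way.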