[Snort-users] Help tuning snort for performance.

Eoin Miller eoin.miller at ...14586...
Thu Feb 11 13:39:27 EST 2010


Looks like a ton of traffic and even your kernel can't keep up, let 
alone Snort. Do you specifically need to be monitoring internal to 
internal traffic instead of installing a tap just below your firewall? 
Also, look into using the BPF filter with Snort. Have you also looked 
into MMAP'd LibPcap or PF_RING to add a buffer? If you need to actually 
monitor all this traffic as you currently see it, you will probably need 
to look into some stream capable cards like those offered by 
Napatech/Endace and run multiple instances of Snort on the same box 
(number of processors x number of cores - 2).

-- Eoin

Andy Berryman wrote:
>
> Actually, it's not. The syn/sec and the syn-ack/sec were really close 
> to 1:1 before I started in on Frag3 tuning.
>
>  
>
> -bash-2.05b# tcpdump -i eth1
>
> 17:04:23.835615 IP 172.17.23.8.1494 > 10.151.100.3.59782: P 
> 2141564463:2141564471(8) ack 1794773895 win 63861
>
> 17:04:23.835615 IP 172.17.23.8.1494 > 10.151.100.3.59782: P 0:8(8) ack 
> 1 win 63861
>
> 17:04:23.839616 IP 10.153.13.32.2738 > 10.153.21.43.1433: . ack 4501 
> win 63836
>
> 17:04:23.839616 IP 10.153.13.32.2738 > 10.153.21.43.1433: . ack 4501 
> win 63836
>
> 17:04:23.839616 IP 10.153.19.13.1433 > 10.153.19.12.4744: P 1:134(133) 
> ack 50 win 65485
>
> 17:04:23.839616 IP 10.153.19.13.1433 > 10.153.19.12.4744: P 1:134(133) 
> ack 50 win 65485
>
> 17:04:23.839616 IP 10.153.13.32.2738 > 10.153.21.43.1433: . ack 4501 
> win 63836
>
> 17:04:23.839616 IP 10.153.13.32.2738 > 10.153.21.43.1433: . ack 4501 
> win 63836
>
> 17:04:23.839616 IP 10.174.3.83.2180 > 10.16.14.14.445: P 63:1239(1176) 
> ack 4537 win 64316
>
> 17:04:23.839616 IP 10.174.3.83.2180 > 10.16.14.14.445: P 63:1239(1176) 
> ack 4537 win 64316
>
> 17:04:23.839616 IP 10.150.90.25.1205 > 10.153.1.171.1433: P 
> 142:316(174) ack 87 win 63941
>
> 17:04:23.839616 IP 10.150.90.25.1205 > 10.153.1.171.1433: P 
> 142:316(174) ack 87 win 63941
>
> 17:04:23.839616 IP 172.16.20.19 > 10.42.128.37: gre-proto-0x883e
>
> 17:04:23.839616 IP 172.16.20.19 > 10.42.128.37: gre-proto-0x883e
>
> 30.10.25.3278: P 312:416(104) ack 293 win 64475
>
>  
>
> 187 packets captured
>
> 12341 packets received by filter
>
> 11942 packets dropped by kernel
>
>  
>
>  
>
> *From:* Joel Esler [mailto:jesler at ...1935...]
> *Sent:* Thursday, February 11, 2010 11:16 AM
> *To:* Andy Berryman
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Help tuning snort for performance.
>
>  
>
> Is your sensor in front of a firewall (or similar)? It looks like it:
>
>     Feb 11 16:19:11 (none) snort[21463]: Syns/Sec               :  366.021
>
>     Feb 11 16:19:11 (none) snort[21463]: Syn-Acks/Sec           :  150.862
>
>  
>
> Joel
>
>  
>
>  
>
> ------------------------------------------------------------------------------
> SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
> Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
> http://p.sf.net/sfu/solaris-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Joel Esler
> 302-223-5974
>
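The thread turns on three numbers: the kernel drop count in Andy's tcpdump summary, the SYN to SYN-ACK ratio in the perfmon lines Joel quotes, and Eoin's rule of thumb for how many Snort instances to run. The script below is an added example, not code posted by anyone in the thread; it parses those quoted lines (embedded here as constructed sample input), turns them into the metrics the posters are reasoning about, and builds a BPF expression that excludes internal-to-internal flows as Eoin suggests. The network prefixes and the socket/core counts passed in are assumptions for illustration.

```python
"""Triage helpers for a Snort sensor that drops packets (added example, not from the thread)."""
import re

# Constructed sample input: the tcpdump summary and Snort perfmon lines quoted above.
TCPDUMP_SUMMARY = """\
187 packets captured
12341 packets received by filter
11942 packets dropped by kernel
"""

PERFMON_LINES = """\
Feb 11 16:19:11 (none) snort[21463]: Syns/Sec               :  366.021
Feb 11 16:19:11 (none) snort[21463]: Syn-Acks/Sec           :  150.862
"""


def kernel_drop_rate(summary: str) -> float:
    """Fraction of packets the kernel dropped before tcpdump (or Snort) could read them."""
    received = int(re.search(r"(\d+) packets received by filter", summary).group(1))
    dropped = int(re.search(r"(\d+) packets dropped by kernel", summary).group(1))
    return dropped / received if received else 0.0


def syn_rates(lines: str) -> tuple[float, float]:
    """Extract Syns/Sec and Syn-Acks/Sec from Snort perfmon output."""
    syns = float(re.search(r"Syns/Sec\s*:\s*([\d.]+)", lines).group(1))
    synacks = float(re.search(r"Syn-Acks/Sec\s*:\s*([\d.]+)", lines).group(1))
    return syns, synacks


def unanswered_syn_fraction(syns: float, synacks: float) -> float:
    """Share of SYNs with no matching SYN-ACK. Near 0 on a healthy internal segment;
    large values mean something downstream of the tap (typically a firewall) is
    discarding connection attempts, which is Joel's reading of the 366 vs 150 figures."""
    return (syns - synacks) / syns if syns else 0.0


def snort_instances(sockets: int, cores_per_socket: int, reserve: int = 2) -> int:
    """Eoin's rule of thumb: (processors x cores) - 2 instances, leaving cores for
    the OS and the capture path. Never goes below one instance."""
    return max(1, sockets * cores_per_socket - reserve)


def perimeter_only_bpf(internal_nets: list[str]) -> str:
    """BPF expression that drops flows where both endpoints are inside the listed
    networks, so Snort only sees traffic that crosses the perimeter."""
    src = " or ".join(f"src net {n}" for n in internal_nets)
    dst = " or ".join(f"dst net {n}" for n in internal_nets)
    return f"not (({src}) and ({dst}))"


if __name__ == "__main__":
    print(f"kernel drop rate: {kernel_drop_rate(TCPDUMP_SUMMARY):.1%}")
    s, sa = syn_rates(PERFMON_LINES)
    print(f"unanswered SYNs: {unanswered_syn_fraction(s, sa):.1%}")
    print(f"instances for 2 sockets x 4 cores: {snort_instances(2, 4)}")  # assumed hardware
    # Assumed internal ranges; adjust to the site's address plan.
    print(perimeter_only_bpf(["10.0.0.0/8", "172.16.0.0/12"]))
```

On Andy's numbers this reports roughly 97% of packets dropped by the kernel and about 59% of SYNs unanswered, which is why the thread concludes the box is overloaded and sitting behind (or in front of) something that discards connections. The generated expression can be handed to Snort 2.x via `-F <bpf_file>` or as the trailing filter argument; applying it before Snort sees the traffic is what reduces the load, unlike rule-level suppression, which happens after decoding.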