[Snort-users] "Making Snort go fast under Linux..."

Chan, Wilson wchan at ...14702...
Wed Feb 24 18:04:02 EST 2010

Just applied one of the speed tweaks on how searches are performed (search-method ac vs default) and I immediately noticed ram usage went up from 0.4% to 2.2% (Total ram is 12G). However, I noticed my dropped packets are now over 3% where as the default search-method was less than 1%. I also noticed its complaining about S5: Session exceeded configured max segs. How do I bump the the ram usage for S5? Thanks!

##Enable (ac-bnfa: low memory, high performance OR ac: high memory, best performance)
config detection: search-method ac

[root at ...14788... snort]# service snortd stats

S5: Session exceeded configured max segs to queue 2621 using 2621 segs (server queue). 
(0) : LWstate 0x48 LWFlags 0x6107
 *** Caught Usr-Signal
 Packet Wire Totals:
    Received:      6926559
    Analyzed:     13354515 (192.802%)
     Dropped:       249296 (3.599%)
 Outstanding: 18446744073702874364 (266319020363543.781%)


-----Original Message-----
From: Edward Bjarte Fjellskål [mailto:edward.fjellskal at ...14590...] 
Sent: Wednesday, February 24, 2010 4:03 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] "Making Snort go fast under Linux..."

Hi list,

During the years, I have tried to gather some notes
on what can help "Snort go faster".

I summed it up in a blog post:

If anyone here has any comments/improvements/tips etc,
I would be happy to hear about them, and include them
in my post for future reference.


Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list