[Snort-users] Snort 2.9, RHEL 5 and afpacket DAQ
rcgraves at ...11827...
Wed Oct 20 12:44:36 EDT 2010
I can reproduce this too, on a RHEL5 x86_64 system with 4GB RAM. I've tried kernels 2.6.18-194.17.1.el5 and 2.6.18-194.11.1.el5, so it's not the fault of any of the recent updates.
The sum total is 49MB. I can't even run snort -T if snort -c is running.
So far, performance doesn't look good.
For several months, I was running Snort 2.8.6 linked with Phil Woods' MMAP patches to libpcap 0.98 configured with 300MB buffer: <0.1% to 5% packet drops (drops have jumped in the last 10 days without significant increase in byte or packet count; I haven't had the time to figure out the rules responsible)
Snort 2.9.0 linked with libpcap 1.1.1, default pcap acquisition: 30% packet drops
Snort 2.9.0 linked with libpcap 1.1.1, afpacket acquisiton with 49MB buffer: 9% packet drops
This might not be an apples-to-apple comparison for various reasons, including recent RedHat kernel updates, the jump in drops that started before upgrading, and possible reporting variance (i.e., 2.8.6 and 2.9 might be counting different things). But when I revert from 2.9.0 to 2.8.6 I seem to get both fewer drops and more alerts.
More information about the Snort-users