[Snort-users] Snort 2.9, RHEL 5 and afpacket DAQ

Rich Graves rcgraves at ...11827...
Wed Oct 20 14:59:21 EDT 2010


On Wed, Oct 20, 2010 at 1:12 PM, Jeff Kell wrote:

>
> I had rebuilt snort 2.8.6 with libpcap 1.1.1 and  had some worse
> performance than before, but then there was a discussion on one of the snort
> lists regarding sids 4676 and 4677 in the oracle-rules being a pcre "hog".
>
> Disabling those two sids dropped my average CPU over half...
>

Wow. Mine dropped over 2/3.

sid 4676 is limited to POSTs, so if you have a requirement to detect ancient
oracle attacks, keep that one and drop just 4677.

The problem of the maximum 49MB buffer on RHEL5 64-bit remains (does not
affect Ubuntu 64-bit or RHEL5 32-bit; I'd expect it to effect CentOS and
other rebuilds as well), but since I'm no longer regularly filling the
buffer, my 2.9.0 installation is now stable enough that I can start looking
at the new rule options, and hope the buffer issue gets addressed in 2.9.1.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20101020/eeb988aa/attachment.html>


More information about the Snort-users mailing list