[Snort-users] Snort 2.9, RHEL 5 and afpacket DAQ
maltizer at ...1935...
Wed Oct 20 15:14:14 EDT 2010
On 10/20/2010 02:59 PM, Rich Graves wrote:
> On Wed, Oct 20, 2010 at 1:12 PM, Jeff Kell wrote:
> I had rebuilt snort 2.8.6 with libpcap 1.1.1 and had some worse
> performance than before, but then there was a discussion on one of
> the snort lists regarding sids 4676 and 4677 in the oracle-rules
> being a pcre "hog".
> Disabling those two sids dropped my average CPU over half...
> Wow. Mine dropped over 2/3.
> sid 4676 is limited to POSTs, so if you have a requirement to detect
> ancient oracle attacks, keep that one and drop just 4677.
> The problem of the maximum 49MB buffer on RHEL5 64-bit remains (does
> not affect Ubuntu 64-bit or RHEL5 32-bit; I'd expect it to effect
> CentOS and other rebuilds as well), but since I'm no longer regularly
> filling the buffer, my 2.9.0 installation is now stable enough that I
> can start looking at the new rule options, and hope the buffer issue
> gets addressed in 2.9.1.
I've replicated the issue on a 64-bit CentOS 5.5 VM. It's going to take
some investigation from the kernel side of af_packet to figure out the
issue since it appears to be limited to 64-bit CentOS/RHEL as you
indicated. Unfortunately, they really don't make building a custom
kernel with their source easy, but I'm getting there...
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users