[Snort-users] Snort 2.9, RHEL 5 and afpacket DAQ

Michael Altizer maltizer at ...1935...
Wed Oct 20 15:14:14 EDT 2010


  On 10/20/2010 02:59 PM, Rich Graves wrote:
> On Wed, Oct 20, 2010 at 1:12 PM, Jeff Kell wrote:
>
>
>     I had rebuilt snort 2.8.6 with libpcap 1.1.1 and had some worse
>     performance than before, but then there was a discussion on one of
>     the snort lists regarding sids 4676 and 4677 in the oracle-rules
>     being a pcre "hog".
>
>     Disabling those two sids dropped my average CPU over half...
>
>
> Wow. Mine dropped over 2/3.
>
> sid 4676 is limited to POSTs, so if you have a requirement to detect 
> ancient oracle attacks, keep that one and drop just 4677.
>
> The problem of the maximum 49MB buffer on RHEL5 64-bit remains (does 
> not affect Ubuntu 64-bit or RHEL5 32-bit; I'd expect it to affect 
> CentOS and other rebuilds as well), but since I'm no longer regularly 
> filling the buffer, my 2.9.0 installation is now stable enough that I 
> can start looking at the new rule options, and hope the buffer issue 
> gets addressed in 2.9.1.
>
I've replicated the issue on a 64-bit CentOS 5.5 VM.  It's going to take 
some investigation from the kernel side of af_packet to figure out the 
issue since it appears to be limited to 64-bit CentOS/RHEL as you 
indicated.  Unfortunately, they really don't make building a custom 
kernel with their source easy, but I'm getting there...

-Michael