[Snort-users] Snort CPU usage

Josh Bitto jbitto at ...16055...
Tue Feb 19 11:54:40 EST 2013


 the main question is the size of your internet pipe...

The size is 50 down 10 up….but those are just ISP numbers…Production would be lower at peak times.

> Each would have an interface to monitor, but where I’m stuck is the
> rule sets…

in what way? i have a site with a lowly 800mhz PIII with 4 LANs (not VLANs!) that runs well over half of the rules i have available... those rules are from two rules providers... that machine has 768M of RAM and is a single core system... but the pipe for that site is a lowly 3Meg DSL line... there are times that some packets are flushed and lost but that's due to the quantity of traffic in the pipe... so, not only is the size of the pipe necessary but also the speed and cores of your hardware...


I probably should go into more detail…..We use pfSense as our firewall and in that entity you can “install” snort as a package.  That being said when you manage each interface you want snort to run on there is a file created in the snort folder for each interface named and in those folders are a set of rules, preprocessors and sigs……But! In the main snort folder there is also a set of rules, preprocessors and sigs. So my question really is for each interface and having its own folders for rules and such would all those be considered or just “one” set of rules for all interfaces to go through?

> I read online where a great determining calculation is this…
>
> 1 CPU = (1000 signatures ) * (500 megabits network traffic)

i don't know that i can agree with this... see above ;)
Idk….I got it from the internets so it must be right O.O

> So my question would be….if each interface has its own rule set aside
> from the main download of rules. Does that factor in?

why would you do that? i mean, i guess there is some traffic on one interface that you don't care to alert on but... hummm... ;)
I think my above explanation answers this.

