[Snort-users] 'ignore_call_channel' setting seems to have no effect

Hui Cao hcao at ...1935...
Fri Jul 26 10:43:43 EDT 2013


Based on the configuration, Snort might not track UDP sessions if the
ports are not monitored. RTP sessions are on UDP, so Snort might just do
very minimal processing on those packets (they might be ignored because
of the port).

Ignore call channel will improve performance when RTP sessions are
being monitored. If they are not monitored, ignore call channel might
hurt performance because Snort needs to track those UDP sessions.

Ideally, ignore call channel works better when hardware/DAQ supports
whitelisting. In this case, traffic will be ignored before it is
delivered to Snort.

Best,
Hui.


On Thu, Jul 25, 2013 at 7:53 PM, Emre Gundogan <emre at ...16456...> wrote:
> Hi. I am running Snort (V2.9.4.6) on a firewall + IP-PBX. Is it normal that, on a typically idle machine, Snort takes up roughly 7-10% of CPU for each concurrent media session?  The SIP preprocessor is enabled and 'ignore_call_channel' is set in the configuration. With this setting, I expected snort to ignore RTP traffic in a SIP session. But based on my limited experience so far, that's not happening, as the CPU stays constant around 10% (all used by snort process) for the entire session. Add a second call, and the CPU goes to 20% (snort process). Am I doing something wrong here? Thanks a lot.



