Snort mailing list archives
Re: Stream4 and other stuff
From: Victor Barahona <victor.barahona () uam es>
Date: Mon, 2 Jul 2001 12:41:06 +0200
My suggestion would be to start disabling various Snort plugins and rules files to see where the performance hit is coming from and to report from there once you have. I'm very interested in this data as well; since I don't have a highly utilized network to test on, it's really difficult to test the performance of the system lately. One thing that I have found puzzling lately is that it almost appears as if the performance of the pattern matcher has gone *down*, which isn't at all right.
Maybe this helps you. I'm running snort (1.8beta6 build26) and analyzing a line with 15-20 Mb/s; hardware is a PIII 256Mb with linux and running mysql and acid, official rules from snort.

The first time I ran snort the CPU went to 95%, but after some probes I noticed that when I commented out the http rules the CPU came down to 35%-40%. After some more probes, I noticed that when the configuration file had:

    var HTTP_SERVERS [xxx.yyy.9.8,xxx.yyy.9.237,xxx.yyy.30.2]

the analysis was CPU intensive (95%), but when I changed it to this:

    var HTTP_SERVERS [xxx.yyy.0.0/16]

the CPU went back to 40%.

Regards

--
"Alone? you are not alone, Bigbrother is watching you"
Victor Barahona Cabezon    http://rincon.uam.es/dir?cw=870938110351562
PGP ID-0x8750AB79
Soporte Seguridad en red    http://www.utc.uam.es/ss
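The one-change-at-a-time test described in the quoted suggestion and in the reply above can be scripted. The following is an added example, not code from the thread or from the Snort project: it generates one configuration per disabled include/preprocessor line, plus one with HTTP_SERVERS rewritten as a CIDR block. The sample configuration, its addresses, the function names and the output file names are all assumptions.

```python
import re

# Constructed sample snort.conf (not from the thread); addresses are documentation ranges.
SAMPLE_CONF = """\
var HOME_NET 192.0.2.0/24
var HTTP_SERVERS [192.0.2.8,192.0.2.237,192.0.2.130]
preprocessor stream4: detect_scans
include web-cgi.rules
include web-iis.rules
# include dos.rules
include scan.rules
"""

# Active (uncommented) lines that load a preprocessor or a rules file.
TOGGLE_RE = re.compile(r"^\s*(include|preprocessor)\s+([^\s:]+)")

def set_var(conf, name, value):
    """Return conf with the single 'var NAME ...' line rewritten to value."""
    pattern = re.compile(r"^([ \t]*var[ \t]+%s[ \t]+).*$" % re.escape(name), re.M)
    new_conf, count = pattern.subn(lambda m: m.group(1) + value, conf)
    if count != 1:
        raise ValueError("expected one 'var %s' line, found %d" % (name, count))
    return new_conf

def one_off_variants(conf):
    """Return [(label, text)]: the baseline, then one copy per active
    include/preprocessor line with only that line commented out."""
    lines = conf.splitlines()
    variants = [("baseline", conf)]
    for i, line in enumerate(lines):
        m = TOGGLE_RE.match(line)
        if m:
            changed = lines[:i] + ["# " + line] + lines[i + 1:]
            variants.append(("no-" + m.group(2), "\n".join(changed) + "\n"))
    return variants

if __name__ == "__main__":
    import pathlib, tempfile
    out = pathlib.Path(tempfile.mkdtemp(prefix="snort-variants-"))
    configs = one_off_variants(SAMPLE_CONF)
    configs.append(("http-servers-cidr", set_var(SAMPLE_CONF, "HTTP_SERVERS", "[192.0.2.0/24]")))
    for label, text in configs:
        (out / (label + ".conf")).write_text(text)
        print(out / (label + ".conf"))
```

Run Snort with each generated file over the same traffic and compare CPU load against the baseline. The CIDR form also makes every rule that uses HTTP_SERVERS apply to all addresses in the block rather than only the listed servers, so the two configurations do not inspect the same traffic.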