Snort mailing list archives
RE: FW: Two questions...
From: "Grimes, Shawn (NIA/IRP)" <GrimesSh () grc nia nih gov>
Date: Thu, 25 Oct 2001 17:10:28 -0400
Just an FYI, I hooked up another box today with exactly the same specs as the original snort box but I used FreeBSD. Initially I was happy because it was running at about 15% CPU utilization, then by 5pm, it was up to 80-90% again. Now I don't know anything about FreeBSD, I was happy enough I got it installed so I really didn't do any tweaking. But I just wanted to report my experience.

Any ideas for a next step to lower these rates? Possibly a cvs version of snort? I'm not particularly attached to any OS, I can adapt.

-----Original Message-----
From: Bob Walder [mailto:bwalder () nss co uk]
Sent: Thursday, October 25, 2001 9:57 AM
To: wayne () cybergnostic com; Grimes, Shawn (NIA/IRP); snort-users () lists sourceforge net
Subject: RE: [Snort-users] FW: Two questions...

Like I said - I am not Linux bashing - it is an excellent OS and I do not intend to be drawn into any further religious arguments.

What I am saying - and probably a bit harshly initially, I admit, but I was trying to rattle off a reply whilst extremely busy - is that OS choice should be strictly "horses for courses" not "my OS is better than your OS".

In our TESTING, we have proved FreeBSD 4.3 to be a more stable and better performing platform for Snort 1.8.1 than Red Hat Linux 7.1. That's all. Beyond that, YMMV

Regards,
Bob

-----Original Message-----
From: Wayne Work [mailto:wwork () cybergnostic com]
Sent: 25 October 2001 14:08
To: Bob Walder; 'Grimes Shawn (NIA/IRP)'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] FW: Two questions...

I am not sure I would BASH Linux so quick. BSD as well has its moments but ask IBM (ya, the Big BLUE) about why they are advertising and placing LINUX on servers, appliances and AS/400 machine. Geee!!! Go figure???

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Bob Walder
Sent: Thursday, October 25, 2001 8:08 AM
To: 'Grimes, Shawn (NIA/IRP)'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] FW: Two questions...

Actually, perhaps I should quickly modify my earlier caustic comments re Linux and IDS to say that Linux sucks OUT OF THE BOX - there are things that can be done to improve performance (the right drivers and some parameter tweaks for example), but I still prefer BSD for running Snort.

Regards,
Bob

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Grimes, Shawn (NIA/IRP)
Sent: 25 October 2001 04:03
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] FW: Two questions...

Alright I have two questions that I haven't been able to find answers for. Or at least answers that were satisfying. Sorry if these are being repeated but I didn't see anything in any of the forums or any of the recent messages to this group.

First the details:
Redhat linux 7.2 on a dual 1.3 GHz PIII w/ 1 Gig of RAM
Snort Version 1.8.1-RELEASE (Build 74) dumping to a MySQL database using the latest stable release

1). Snort keeps logging two entries of each alert. There is definitely only one instance of snort running, and there is only one interface that it's monitoring/active. Has anyone had similar problems?

2). I'm on a network with probably 1,000 nodes. The traffic ranges anywhere from 5Mbit/sec and I've seen as high as 20Mbit/sec. The CPU utilization of SNORT is up to 99% constantly. And I'm getting significant packet losses as you can imagine. Is this too high of a demand for SNORT? If not, what are some ways I can lower the CPU usage and increase the amount of packets SNORT can handle?

Thanks for any suggestions.

Thank You,
Shawn Grimes
NCTS
Gerontology Research Center
410-558-8007
grimessh () grc nia nih gov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:
- FW: Two questions... Grimes, Shawn (NIA/IRP) (Oct 24)
- <Possible follow-ups>
- RE: FW: Two questions... Bob Walder (Oct 25)
- RE: FW: Two questions... Bob Walder (Oct 25)
- RE: FW: Two questions... Wayne Work (Oct 25)
- RE: FW: Two questions... Bob Walder (Oct 25)
- Re: FW: Two questions... J. C. Woods (Oct 25)
- RE: FW: Two questions... Bob Walder (Oct 25)
- RE: FW: Two questions... Grimes, Shawn (NIA/IRP) (Oct 25)
- Re: RE: FW: Two questions... Martin Roesch (Oct 25)