Snort mailing list archives

Improving Snort Performance?


From: Mark Vevers <mark () ifl net>
Date: Thu, 14 Mar 2002 21:32:34 +0000

Ok, I've tuned my kernel. Installed Phil Wood's MMAP'd libpcap (Hi Phil) so that I don't lose packets with bursty traffic. Tuned my ruleset. What other tricks are there for improving snort performance?

I can't remember who it was, but someone suggested the [ip/mask,ip/mask,ip/mask] notation for $HOME_NET was causing problems and it was quicker to list them and a set of rules for each one - anyone else tried this on a live sensor? - I'll try it tomorrow to see if it makes much difference - does anyone have any more ideas?

What experience have people had with barnyard yet? Does it really make that much difference in IDS mode, since we're hopefully only alerting relatively infrequently in comparison with the number of packets being seen by the sensor?

What's the score on the AC_BM pattern match stuff?

Do we need an FAQ section for performance (Marty???)

Mark

--
Mark Vevers.    mark () ifl net / mvevers () rm com
Internet Backbone Engineering Team
Internet for Learning, Research Machines Plc


