Snort mailing list archives
RE: Can I 'nice' snort process?
From: Saad Kadhi <bsdguy () docisland org>
Date: 10 Jan 2002 22:08:49 +0100
On Thu, 2002-01-10 at 20:19, Tom Sevy wrote:
Can you refer me to any guidelines for tuning the Freebsd kernel in ways that would help Snort's performance?
well first thing you should really consider is tune the snort configuration itself. tweak logging since file i/o cost some cpu. then enable softupdates on your partitions.it'll speed up some file system operations a lot. though softupdates is pretty stable, I'd advise you to backup the box first thing before enabling it. Next, consider stripping down the kernel to the minimum. The smaller the kernel is, the faster is your box. Then get a look at: http://www.daemonnews.org/200108/benchmark.html http://www.freebsd.org/handbook/ if you are running short of mbufs, rise NMBCLUSTERS & the like (for the VM). For a VERY GOOD description of all the tweaking/tuning options a FreeBSD kernel has & given you have a copy of the source tree, look @: /usr/src/sys/i386/conf/LINT. each option is explained there. As to what pertains to snort itself, ask Marty&crew what snort needs to run faster. it is beyond my knowledge (though I suspect fs i/o, fds, ...etc. the usual suspects!). HTH
-----Original Message----- From: Saad Kadhi [mailto:bsdguy () docisland org] Sent: Thursday, January 10, 2002 1:58 PM To: Tran, John Cc: 'snort-users () lists sourceforge net' Subject: Re: [Snort-users] Can I 'nice' snort process? On Thu, 2002-01-10 at 19:03, Tran, John wrote:I'm running snort on one of my web servers as a local IDS (don't ask mewhy,let's just go along w/ it for now..) and it takes up massive amounts ofCPU(40%), which can be expected considering it's a large amount of traffic.Itwas suggested to me to run 'nice' on the process to throttle it's CPUusage,but I'm pretty sure throttling snort will cause it to drop a lot ofpackets.Is this true?yep at least to my field knowledge. But instead of nice-ing, you could log less stuff, tune up your kernel, etc... regards. -- /Saad -- [bsdguy () docisland org] [pgp keyid: 35592A6D http://pgp.mit.edu] # buy a geek-in-a-can, point nozzle at technical problem and spray # if desesperate degauss your screen. it might solve your pb as well _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- /Saad -- [bsdguy () docisland org] [pgp keyid: 35592A6D http://pgp.mit.edu] # buy a geek-in-a-can, point nozzle at technical problem and spray # if desesperate degauss your screen. it might solve your pb as well _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Can I 'nice' snort process? Tran, John (Jan 10)
- Re: Can I 'nice' snort process? Saad Kadhi (Jan 10)
- Re: Can I 'nice' snort process? D.Rajesh Kumar (Jan 10)
- Re: Can I 'nice' snort process? Kris Kennaway (Jan 10)
- Re: Can I 'nice' snort process? Frank (Jan 10)
- <Possible follow-ups>
- RE: Can I 'nice' snort process? Saad Kadhi (Jan 10)
- Re: Can I 'nice' snort process? Saad Kadhi (Jan 10)