Snort mailing list archives

Re: Performance.

From: Vjay LaRosa <vjayl () emc com>
Date: Wed, 20 Mar 2002 12:45:03 -0500

Sorry,

The 4'th instance is just for testing currently. I am considering replacing the
Solaris host as the snort system with
two linux systems. (I would then use the Solaris box as the Mysql host/Demarc
console)

vjl





Phil Wood wrote:

On Wed, Mar 20, 2002 at 12:09:04PM -0500, Vjay LaRosa wrote:

O.Kay,

I know that everyone probably hates this question, but I need to ask it
any way. I am running four instances
of snort. The first three run on a Fujitsu Prime Power M400, the fourth
runs on a linux PC.

  2 On my Solaris host I have two 100MB cards that run close to 75% utilization

  each.
  Snort barely even drops a single packet ever from either of these cards.

  1 My third instance is reading off a Sun Gigabit

card. This interface only peaks periodically at 2% utilization, but I
drop hundreds of thousands of packets. I am using libpcap version 7.1,
snort 1.8.4 beta 4. The snort

Look at the interface stats.  On linux you can cat /proc/net/dev and see
if the card has any information.  I don't know what solaris provides.

process that is dropping all of the packets is only running at about 9%
CPU utilization. I have tried reducing signatures,
and removing output plugins, but nothing helps . Does anyone have any
suggestions for me to try? Thanks!


I only see 3 instances discussed.  what about the fourth.  What kind of
linux PC do you have?


vjl



--
 V.Jay LaRosa                           EMC Corporation
 Systems Administrator                  171 South Street
 (508)435-1000 ext 14957                Hopkinton, MA 01748
 (508)497-8082 fax                      www.emc.com




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Phil Wood, cpw () lanl gov


--
 V.Jay LaRosa                           EMC Corporation
 Systems Administrator                  171 South Street
 (508)435-1000 ext 14957                Hopkinton, MA 01748
 (508)497-8082 fax                      www.emc.com




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Performance. Vjay LaRosa (Mar 20)
- Message not available
  - Re: Performance. Vjay LaRosa (Mar 20)
    - LOGSNORTER Gerardo Gregory (Mar 22)
- analyse snort0305 () 1543 log Thorsten Weigl (Mar 21)
  - Re: analyse snort0305 () 1543 log Chris Green (Mar 21)
    - Re: analyse snort0305 () 1543 log Thorsten Weigl (Mar 21)
    - Re: analyse snort0305 () 1543 log Chris Green (Mar 21)