Snort mailing list archives

RE: Performance questions


From: Fernando Miguelez Palomo <jtbmipaf () bipt106 bi ehu es>
Date: Tue, 22 Jan 2002 09:45:40 +0100 (CET)


You could try using FreeBSD instead of Linux since its packet capture 
device (BPF) is better. It delivers to libpcap several packets every 
system call instead of just one like Linux (this was true at least in 
older versions of libpcap). This saves system calls, which leads to a 
performance improvement.

On the other hand, try disabling all the preprocessors you don't need. 
Snort can't analyze another packet until it has finished preprocessing and 
analyzing the previous one (and logging the alert if the packet has 
triggered any rule). 

How many alerts are you getting? The more alerts you get, the more likely 
you are to drop packets, so try tuning rules to obtain as few false 
alerts as possible. Which alerting scheme do you use? More verbose 
alerts produce more disk activity (more delay until the next packet analysis).

Regards,
Fernando.    
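As an added illustration of the second and third suggestions above (this fragment is not part of Fernando's message or of the Snort distribution), here is a snort.conf excerpt in Snort 1.8-era syntax contrasting a heavy sensor configuration with a leaner one; the preprocessor and output plugin names are assumed from that version's documentation, and all file names and addresses are placeholders:

```conf
# --- Heavy configuration (assumed example, not from the original post) ---
# Every preprocessor listed here runs on every packet before detection
# starts, and alert_full writes a multi-line record to disk per match.
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 8080
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor bo: -nobrute
preprocessor telnet_decode
output alert_full: alert.full

# --- Leaner configuration for a sensor that is dropping packets ---
# Keep only the preprocessors the active rule set depends on (here:
# fragment and stream reassembly plus HTTP normalisation) and switch
# to one-line alerts so each hit costs a single short disk write.
preprocessor frag2
preprocessor stream4
preprocessor stream4_reassemble
preprocessor http_decode: 80
output alert_fast: alert.fast

# Rule tuning: a rule that fires constantly on legitimate traffic costs
# CPU and disk on every match. Narrow its scope rather than keeping a
# noisy default, e.g. point web rules at the real server instead of any host.
var HTTP_SERVERS 192.0.2.10   # placeholder address, not a real sensor value
```

Snort reports how many packets it analyzed and dropped when it exits, so the effect of each change can be compared run by run on the same traffic.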


--__--__--

Message: 2
From: Lucas de Carvalho Ferreira - BMS <lucas.ferreira () bms com br>
To: 'Saad Kadhi' <bsdguy () docisland org>
Cc: "'snort-users () lists sourceforge net'"
       <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Performance questions
Date: Mon, 21 Jan 2002 11:14:43 -0300


Hello,

I'm running a 2.4.9 Linux kernel compiled by Red Hat. I installed Red Hat with
a minimum install, with just about telnetd and syslog running. No X11
either. My NIC is a 3COM 3c905b.

Regards,
Lucas

-----Original Message-----
From: Saad Kadhi [mailto:bsdguy () docisland org]
Sent: Friday, January 18, 2002 8:14 PM
To: Lucas de Carvalho Ferreira - BMS
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Performance questions


On Fri, 2002-01-18 at 23:12, Lucas de Carvalho Ferreira - BMS wrote:
> Hello,
>
> I am trying to monitor a high traffic 100Mbs switch port with snort on a 433
> MHz Celeron machine running Red Hat 7.2 but snort is dropping about 10% of
> the packets, even if the CPU load is at an average of 70% (seen with top).
> Are there any configuration tips for snort or for the Linux kernel to get
> better performance? Could it be an I/O performance problem?

What kernel are you running? How is your RH installed? Is it a minimal
install? What type of network cards do you have?
-- 
/Saad --  [bsdguy () docisland org] 
[pgp keyid: 35592A6D http://pgp.mit.edu]
# buy a geek-in-a-can, point nozzle at technical problem and spray
# if desperate degauss your screen. it might solve your pb as well

