Snort mailing list archives
RE: Snort getting overloaded by http traffic:
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Tue, 25 Jun 2002 13:35:10 -0400
The amount of traffic that Snort is able to inspect has less to do with Snort and almost everything to do with the underlying operating system, IP stack, and (most importantly) available resources. If the operating system is short of resources (specifically RAM), then packets are going to be dropped by the kernel due to lack of buffer space and general congestion. As such, they will never be presented to Snort for inspection.

That said, Snort can adversely (but indirectly) affect performance, as something like full logging uses up processor time and valuable memory, taking away from resources that could otherwise be used by pcap to capture and process traffic moving up the stack. So in this sense, Snort has an effect, albeit a small one.

Anyway, the best place to start would be to do some basic benchmarking, and monitor your system's resources. As I mentioned, insufficient RAM is the likely suspect, so keep a particularly close eye on your memory stats.

Also, when posting in the future, you can help us to help you by always providing information about the operating system, processor speed, memory, Snort version, etc. Many times, someone has been in the same boat, and can offer up some pretty sound, specific advice.

Cheers

Keith

-----Original Message-----
From: Ashley Thomas [mailto:athomas () cc gatech edu]
Sent: Tuesday, June 25, 2002 1:06 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort getting overloaded by http traffic:

Does anyone have an idea how much http traffic Snort can handle? I see that when there are around 2000 http packets/sec Snort starts dropping. Is this unusual? Any tuning that I can use? I am already using the -A fast -b.

Maybe I can cut short the number of Web rules. By default there are 400+ web* rules.

thanks
ashley

------------------------------------------------------------------------
What I do today is important because I am paying a day of my life for it.
------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
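Added example, not part of the original thread: a minimal way to do the resource monitoring the reply recommends, by comparing two snapshots of interface receive-drop counters against memory statistics. It assumes a Linux sensor (the thread does not name the OS); the sample `/proc` text, the interface name `eth0` and the 5% free-memory threshold are constructed for illustration.

```python
# Added example (not from the thread). Assumes Linux /proc formats; all sample
# values below are constructed and the low-memory threshold is arbitrary.

def sample_net_dev(rx_packets, rx_drop):
    """Constructed /proc/net/dev text for a single interface, eth0."""
    return (
        "Inter-|   Receive                                                |  Transmit\n"
        " face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed\n"
        f"  eth0: 900000000 {rx_packets} 0 {rx_drop} 0 0 0 0 5000000 40000 0 0 0 0 0 0\n"
    )

# Constructed /proc/meminfo excerpt: 256 MB RAM, 8 MB free, swap in heavy use.
MEMINFO = ("MemTotal:       262144 kB\nMemFree:          8192 kB\n"
           "SwapTotal:      524288 kB\nSwapFree:       131072 kB\n")

def parse_net_dev(text):
    """Return {iface: {'rx_packets': n, 'rx_drop': n}} from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # the two header lines use '|' and contain no ':'
        name, data = line.split(":", 1)
        cols = data.split()  # receive side: bytes packets errs drop ...
        stats[name.strip()] = {"rx_packets": int(cols[1]), "rx_drop": int(cols[3])}
    return stats

def parse_meminfo(text):
    """Return {field: kB} from /proc/meminfo text."""
    mem = {}
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        if rest.split():
            mem[key.strip()] = int(rest.split()[0])
    return mem

def drop_report(t0_text, t1_text, interval_s, meminfo_text, iface="eth0", low_mem_pct=5.0):
    """Compare two snapshots taken interval_s apart and flag memory pressure."""
    a, b = parse_net_dev(t0_text)[iface], parse_net_dev(t1_text)[iface]
    mem = parse_meminfo(meminfo_text)
    free_pct = 100.0 * mem["MemFree"] / mem["MemTotal"]
    drops = b["rx_drop"] - a["rx_drop"]
    return {
        "rx_pps": (b["rx_packets"] - a["rx_packets"]) / interval_s,
        "drops_per_s": drops / interval_s,
        "mem_free_pct": free_pct,
        "swap_used_kb": mem["SwapTotal"] - mem["SwapFree"],
        # Drops below the sniffer while RAM is nearly exhausted: check memory first.
        "memory_suspect": drops > 0 and free_pct < low_mem_pct,
    }

if __name__ == "__main__":
    print(drop_report(sample_net_dev(1000000, 100), sample_net_dev(1020000, 600), 10, MEMINFO))
```

On a live sensor, pass the contents of `/proc/net/dev` read twice, a known interval apart, and the contents of `/proc/meminfo` in place of the constructed samples.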
Current thread:
- Snort getting overloaded by http traffic: Ashley Thomas (Jun 25)
- <Possible follow-ups>
- RE: Snort getting overloaded by http traffic: McCammon, Keith (Jun 25)
- Re: Snort getting overloaded by http traffic: hackerwacker (Jun 25)
- Re: Snort getting overloaded by http traffic: Jason Haar (Jun 25)
- Re: Snort getting overloaded by http traffic: Imran William Smith (Jun 25)
- RE: Snort getting overloaded by http traffic: Ashley Thomas (Jun 25)
- RE: Snort getting overloaded by http traffic: Matt Kettler (Jun 25)
- RE: Snort getting overloaded by http traffic: larosa, vjay (Jun 26)