Re: performance related question

[Chris Green <cmg () sourcefire com>]

"Zach Forsyth" <zach.forsyth () kiandra com> writes:

> Hi there,
>  
> Just wanted to ask what hardware most people are running on?  I have
> a Celeron 400, win2k, latest stable snort, ACID, mysql, etc. and
> seem to be dropping a lot of traffic.

First, try running in -A fast -b mode and then seeing what your packet
loss rates are. Is that a high alert rate?

> The snort box is connected to
> a 10mb hub and captures all traffic flowing past.  These are the
> statistics I get if I run snort under a command prompt and then
> ctrl-C it:
>  
> Snort analyzed 117056 out of 209072 packets, The kernel dropped
> 88722(42.436%) packets.
>  
> Does this mean I am dropping 42% of all packets? Or are these the
> packets that are meeting the rules and being processed by snort?

Packets dropped.

>  
> Also I wanted to ask whether people are using alert or log mode?
> I seem to have a lot more alerts captured into ACID with alert mode. 
>  
> I am about to change over to RH 7.3 but will have similar hardware. 

What OS do you have now?  What other things are eating cpu on the
machine?  What ethernet card do you have?

> Is a celeron400 capable of running on a fairly saturated 10mb link?

Theres a lot to that question :^)
-- 
Chris Green <cmg () sourcefire com>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod


-------------------------------------------------------
This sf.net email is sponsored by: Dice - The leading online job board
for high-tech professionals. Search and apply for tech jobs today!
http://seeker.dice.com/seeker.epl?rel_code=31
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users