Re: Snort and high-traffic lines

[Jens Krabbenhoeft <tschenz-snort-users () noris net>]

Hi all,

>   *  Change your disk subsystem to high end SCSI.
SCA SCSI now.

>   *  More RAM
1GB now.

>   *  Faster CPU
>   *  More CPU's if your OS will support them well.
Dual P3-1000 now.

> You might want to have a look at this link[0] as well.  It's message from
> Marty discussing this very thing.

I had a look at that before, but I didn't think that those things
applied to me - and as I know have MIPS, RAM, I/O and see snort still
dropping about 25% at rates >=70Mbps this turns out to be true -
unfortunately :|.

Are there any other hints for me, to get tweak the OS/snort so that I
can cope with that amount of traffic? Has anybody tried to split up
snort to sniff the same interface (with the same homenet etc.) but with
the ruleset split into three parts - would/could that help?

BTW: I also tried the snort-ng patch that was submitted to snort-devel
some days ago. There seems to be a buffer-overrun or anything like this,
because snort-ng segfaults regularly.

Regards,

        Jens


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users