Snort mailing list archives
Re: Snort dropping packets
From: Erek Adams <erek () snort org>
Date: Mon, 2 Feb 2004 17:58:10 -0500 (EST)
On Mon, 2 Feb 2004, KS wrote:
I have a dual-processor Dell PowerEdge 1600SC box having Intel Xeon 2GHz processors and 128 Meg RAM and it is running snort win32 version. I can see a lot of alerts on acid console and CPU utilization of the box remains within 5%.
Please add some memory to that box, else you're in for a world of pain. Snort 2.x is quite a bit more memory hungry than the 1.x line. So much for the LIDS model, eh? :)
I have snort running in service mode with the following command line through IDS centre.
c:\Snort\bin\snort.exe -c "c:\Snort\etc\snort.conf" -l "c:\Snort\log" -i 1
Quite interestingly, when I run snort in VERBOSE mode using snort -v -i1 on the command prompt, I can see snort logging packets and when I stop it, it shows dropped packets, and CPU utilization of the box, when I run snort in verbose mode, goes to 45-50%.
Normal and expected.
Is it possible that snort is dropping packets only in verbose mode and not otherwise?
Yep.
Appreciate any help on this. Below are a few lines taken from the snort website:
"If Snort is going to be used in a long term way as an IDS, the -v switch should be left off the command line for the sake of speed. The screen is a slow place to write data to, and packets can be dropped while writing to the display."
If you're going to use Snort in an IDS mode, you _don't_ need -v or -d on the command line. Log all packets to binary (-b) or unified (snort.conf change) so that you get all the data.

Cheers!

-----
Erek Adams

"It looks just like a Telefunken U-47. You'll love it..."
-- Frank Zappa
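
The advice in this message can be checked mechanically. The following is an added example, not part of the original e-mail or of Snort itself: it audits a Snort start-up command line and snort.conf text for `-v`/`-d` and for a missing binary (`-b`) or unified log. The function names, the subset of argument-taking options and the sample snort.conf text are assumptions made for the example.

```python
import re
import shlex

# Snort options that consume an argument (a subset, enough for the command
# lines quoted in this thread); the token after them is a value, not a flag.
TAKES_ARG = set("cilLhFr")

# An active (uncommented) unified output plugin line in snort.conf.
UNIFIED = re.compile(r"^\s*output\s+(?:alert_|log_)?unified2?\b", re.MULTILINE)


def snort_flags(cmdline):
    """Return the set of single-letter options on a Snort command line."""
    tokens = shlex.split(cmdline, posix=False)[1:]  # posix=False keeps '\' in paths
    flags, i = set(), 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if len(tok) < 2 or not tok.startswith("-") or tok.startswith("--"):
            continue
        for pos, ch in enumerate(tok[1:], start=1):
            flags.add(ch)
            if ch in TAKES_ARG:
                if pos == len(tok) - 1:
                    i += 1  # value is the next token ("-i 1")
                break       # otherwise the value is the rest of the token ("-i1")
    return flags


def audit(cmdline, conf_text=""):
    """Return findings for a sensor meant to run long-term in IDS mode."""
    flags = snort_flags(cmdline)
    findings = []
    if "v" in flags:
        findings.append("-v: console output is slow and can cause dropped packets")
    if "d" in flags:
        findings.append("-d: not needed in IDS mode")
    if "b" not in flags and not UNIFIED.search(conf_text):
        findings.append("no -b and no unified output in snort.conf")
    return findings


# The two command lines quoted in the thread; snort.conf text is constructed.
SERVICE_CMD = r'c:\Snort\bin\snort.exe -c "c:\Snort\etc\snort.conf" -l "c:\Snort\log" -i 1'
VERBOSE_CMD = "snort -v -i1"
CONF_NO_UNIFIED = "# output log_unified: filename snort.log, limit 128\noutput alert_fast: alert.ids\n"
CONF_UNIFIED = "output log_unified: filename snort.log, limit 128\n"
```
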