Snort mailing list archives

Re: Snort dropping packets


From: Erek Adams <erek () snort org>
Date: Mon, 2 Feb 2004 17:58:10 -0500 (EST)

On Mon, 2 Feb 2004, KS wrote:

> I have a dual-processor Dell PowerEdge 1600SC box having Intel Xeon 2GHz
> processors and 128 Meg RAM and it is running snort win32 version.  I can
> see a lot of alerts on the ACID console and CPU utilization of the box
> remains within 5%.

Please add some memory to that box, else you're in for a world of pain.
Snort 2.x is quite a bit more memory hungry than the 1.x line.  So much
for the LIDS model, eh?  :)

> I have snort running in service mode with the following command line through IDS
> centre.
>
> c:\Snort\bin\snort.exe -c "c:\Snort\etc\snort.conf" -l "c:\Snort\log" -i 1
>
> Quite interestingly, when I run snort in VERBOSE mode using   snort -v -i1 on
> the command prompt, I can see snort logging packets and when I stop it, it
> shows dropped packets, and CPU utilization of the box, when I run snort in
> verbose mode, goes to 45-50%.

Normal and expected.

> Is it possible that snort is dropping packets only in verbose mode and not
> otherwise?

Yep.

> Appreciate any help on this.
>
> Below are a few lines taken from the snort website:
>
> " If Snort is going to be used in a long term way as an IDS, the -v switch
> should be left off the command line for the sake of speed. The screen is a
> slow place to write data to, and packets can be dropped while writing to the
> display. "

If you're going to use Snort in an IDS mode, you _don't_ need -v or -d on
the command line.  Log all packets to binary (-b) or unified (snort.conf
change) so that you get all the data.

Cheers!

-----
Erek Adams

 "It looks just like a Telefunken U-47.  You'll love it..."  -- Frank Zappa

