Snort mailing list archives
RE: Snort Performance on a 'older' box
From: "Michael Devlin" <Michael.Devlin () gdnnet com>
Date: Thu, 2 Dec 2004 08:44:30 -0000
I'm logging (on the box in question) to a local install of MySQL, as well as a binary file, and using ACID to view alerts (again, Apache is local to the box). Figuring that as there are multiple local apps involved, they (collectively) will benefit from the multiple CPUs. I've also monitored the load being generated by Apache and MySQL and it's minimal (as mentioned in the first email, alerts are showing up quite infrequently, perhaps a couple per minute at most, but usually only 1 or 2 every 10-15 minutes; the sensor is a good couple of layers into a secured network).

I've considered implementing Barnyard and/or logging to a remote box, but with so few alerts I'm struggling to see if this would solve the problem at hand.

Thanks for the reply btw...

Michael

-----Original Message-----
From: Lance Boon [mailto:lboon () firststatebanksw com]
Sent: 01 December 2004 15:13
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Performance on a 'older' box

Snort is not multiprocessor aware. How and what are you logging to?

Subject: [Snort-users] Snort Performance on a 'older' box

I have access to a number of Compaq 1850s and a couple of decommissioned Dell 1650s that I am converting into Snort sensors. However, the first one that I am putting into action is having a bit of trouble and I wouldn't mind your opinions on what the problem(s) could be.

Setup:
- Fedora Core 2 & Snort 2.2
- Traffic throughput is just less than 10Meg, but it is ALL HTTP traffic.
- The CPUs (dual 700MHz PIIIs) on the box are running at a paltry 3%-7% constantly.
- There is half a Gig of memory (could be more, but there is still 20% free and the swap isn't being used).
- NIC: 100 Meg in full duplex.

I would have expected the above to cope. However, before I trimmed a lot of the excess rules I noticed I was getting around 1% dropped traffic. After culling 'most' of the not needed rules (i.e. leaving only the HTTP rules) I am now getting zero dropped packets.

First question: monitoring a throughput of less than 10Meg, should I be seeing dropped packets (especially with so much available CPU)? (Note: the NIC stats are not showing any dropped packets or errors.)

Next question: I am getting peculiar results with the HTTP preprocessor. For example, uricontent rules are being triggered on the HTTP headers (like Cookie) or in some cases the middle of the packets. Also, the URI max length of 300 is triggering on the middle of packets. It looks as if the HTTP preprocessor is working on incorrectly assembled streams? Any thoughts on what could be the problem/solution?

Are both of these indicative (as I am assuming) of an underpowered box? If so, where is the bottleneck likely to be? (The number of alerts, btw, is low, so disk speed shouldn't be playing too much of a role here.)

Your thoughts are much appreciated.

Michael Devlin

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort Performance on a 'older' box Michael Devlin (Dec 01)
- <Possible follow-ups>
- RE: Snort Performance on a 'older' box Lance Boon (Dec 01)
- RE: Snort Performance on a 'older' box Michael Devlin (Dec 02)
- RE: Snort Performance on a 'older' box Michael Devlin (Dec 02)