Snort mailing list archives
Re: Performance and rule tuning
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 2 Dec 2008 12:39:34 -0700
Thanks for your help everyone, I think I have this working. The log was daemon.log not messages, and it wasn't using PCAP_FRAMES. I did the following:

- apt-get remove libpcap0.8
- Rebuilt snort
- Used "export PCAP_FRAMES=32768" (I was confused as to use export or not... export seems to be required.)

Now it says "Using PCAP_FRAMES=32768" in daemon.log. Now I'll do this on my main snort sensor and see if there is any performance improvement.

-----Original Message-----
From: Nathaniel Richmond [mailto:nate+snort () richmond-family org]
Sent: December 02, 2008 10:30 AM
To: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Performance and rule tuning

Replies inline.

Nate

Jefferson, Shawn wrote:
Hi, I have a couple of questions about performance and rule tuning.

Performance: I'm seeing quite a bit of dropped packets on one of my sensors. Traffic is about 30-60 Mb/s. From the reading I've done, it seems like the first thing is to make sure your variables are set in snort.conf, and probably the next is to move to mmapped pcap. I've attempted to do both of these, however, I was wondering if snort is actually using the mmapped pcap or not. Is there any way to tell? I did the following:

- apt-get remove libpcap-dev
Maybe you also need to remove the libpcap package.
- built the mmapped pcap
- rebuilt snort
- put PCAP_FRAMES=32768 in my script file that starts snort
You should then get "Using PCAP_FRAMES=32768" in /var/log/messages when you start Snort. The normal message without Phil Wood's libpcap is "Not Using PCAP_FRAMES". Phil Wood also has an example in the README on his site showing how to test PCAP_FRAMES after building tcpdump with his libpcap.

http://public.lanl.gov/cpw/pcapREADME.html
There aren't many "how-to" articles out there for doing this, and I hope I did everything right.

Rule Tuning: Is the optimal way of tuning out false positives using suppress rules in threshold.conf? I am using oinkmaster to download new rules each day, so I'm assuming that commenting out rules won't work.
Use disablesid or enablesid in oinkmaster.conf to either comment out rules that are enabled by default or enable rules that are commented by default. If you want to disable a rule without running oinkmaster again then you can manually comment the rule. You should still add the disablesid line in your oinkmaster.conf or it will get re-enabled the next time you run Oinkmaster.
Thanks!
Shawn

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
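The two things Shawn ended up checking, whether the start script actually hands PCAP_FRAMES to the Snort child process (plain assignment vs. export) and whether the startup log carries "Using PCAP_FRAMES=..." or "Not Using PCAP_FRAMES", as an added POSIX shell example that is not part of the thread. The two log message strings are the ones Nate quotes above; the daemon.log sample lines, the hostname and the PIDs are constructed for the example, and the function names are my own.

```shell
#!/bin/sh
# Added example: verify that Snort is running on the mmap'd libpcap.
# Not part of the mailing-list thread; log lines below are constructed.

# A start script that does "PCAP_FRAMES=32768" without "export" sets a shell
# variable only; the snort binary it launches is a child process and never
# sees it. This prints what a child process sees in each case.
#   $1 = "plain" or "export"
child_sees_pcap_frames() {
    if [ "$1" = export ]; then
        ( unset PCAP_FRAMES; export PCAP_FRAMES=32768
          sh -c 'echo "${PCAP_FRAMES:-unset}"' )
    else
        ( unset PCAP_FRAMES; PCAP_FRAMES=32768
          sh -c 'echo "${PCAP_FRAMES:-unset}"' )
    fi
}

# Classify the most recent Snort startup line in a syslog file.
# Snort logs "Using PCAP_FRAMES=<n>" on Phil Wood's libpcap and
# "Not Using PCAP_FRAMES" on the stock one. Only the last occurrence
# matters, since the log usually holds several restarts.
# Prints: mmap, nommap, or unknown (no startup line found).
#   $1 = path to daemon.log (or /var/log/messages, depending on syslog config)
pcap_frames_status() {
    last=$(grep 'Using PCAP_FRAMES' "$1" | tail -n 1)
    case $last in
        *'Not Using PCAP_FRAMES'*) echo nommap ;;
        *'Using PCAP_FRAMES='*)    echo mmap ;;
        *)                         echo unknown ;;
    esac
}

# Constructed daemon.log excerpt: an earlier start on the stock libpcap,
# then a restart after the rebuild. Prints the temp file path.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Dec  2 10:05:11 sensor1 snort[4120]: Not Using PCAP_FRAMES
Dec  2 10:05:11 sensor1 snort[4120]: Snort initialization complete
Dec  2 12:30:02 sensor1 snort[4377]: Using PCAP_FRAMES=32768
Dec  2 12:30:02 sensor1 snort[4377]: Snort initialization complete
EOF
    echo "$f"
}

main() {
    echo "child sees (plain assignment): $(child_sees_pcap_frames plain)"
    echo "child sees (export):           $(child_sees_pcap_frames export)"
    log=$(make_sample_log)
    echo "status from sample daemon.log: $(pcap_frames_status "$log")"
    rm -f "$log"
}

main "$@"
```

On a real sensor, run `pcap_frames_status /var/log/daemon.log` (or whichever file your syslog sends the daemon facility to) right after restarting Snort; an "unknown" result usually means syslog is writing Snort's messages somewhere else, which is the wrong-log-file problem Shawn hit first.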
Current thread:
- Performance and rule tuning Jefferson, Shawn (Dec 02)
- Re: Performance and rule tuning (linux) Phil Wood (Dec 02)
- <Possible follow-ups>
- Re: Performance and rule tuning Nathaniel Richmond (Dec 02)
- Re: Performance and rule tuning Jefferson, Shawn (Dec 02)
- Re: Performance and rule tuning Jefferson, Shawn (Dec 03)
- Re: Performance and rule tuning Matt Jonkman (Dec 03)
- Re: Performance and rule tuning Joel Esler (Dec 03)
- Re: Performance and rule tuning Jefferson, Shawn (Dec 04)
- Re: Performance and rule tuning Joel Esler (Dec 04)
- Re: Performance and rule tuning Todd Wease (Dec 04)
- Re: Performance and rule tuning Jefferson, Shawn (Dec 02)