Snort mailing list archives
Re: Snort Performance Questions
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Wed, 21 Jan 2009 15:23:10 -0700
Sorry, I copied and pasted the pictures. This time I'm attaching them. Trying to get under the 256KB limit on the list as well.

________________________________________
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: January 21, 2009 9:22 AM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Snort Performance Questions

Hi,

I've got some questions about performance as well. How do I determine where my bottleneck might be? What is typically the performance bottleneck on a snort sensor?

Now some details about my setup:

I'm running Snort 2.8.3 on Ubuntu 8.0.4 on an HP 360 G4 server, using the two built-in Broadcom NICs for management and monitor ports. I'm running MMPCAP and barnyard as well. I'm running almost all the snort rules and several of the ET rules. I'd like to add some more of the ET rules, but don't want an adverse impact on performance. Ideally, I'd like to see dropped packets at zero at all times.

There are two sensors, each connected to a Cisco 6509 switch where specific ports that I'm interested in watching have been put into a port span group that I'm connected to. So IDS1 and IDS2 are connected to switch1 and switch2 respectively. IDS1 also has BASE and MySQL on it. Switch1 also has the most traffic by far. I've thought of switching them around so that the server with BASE and MySQL is connected to switch2, where the traffic is very low, but I'm wondering if this will actually improve performance or not, since all alerts will have to be sent through the network to the other server.

Top shows memory usage as follows:

Mem: 2075552k total, 669320k used, 1406224k free, 82640k buffers
Swap: 2939852k total, 0k used, 2939852k free, 204024k cached

Here's the output from perfstats / perfmonitor for IDS1 (hope pictures are allowed):

<snip pasted pictures>
Current thread:
- Snort Performance Questions Jefferson, Shawn (Jan 21)
- Re: Snort Performance Questions Joel Esler (Jan 21)
- Re: Snort Performance Questions Edward Bjarte Fjellskål (Jan 21)
- Re: Snort Performance Questions Jefferson, Shawn (Jan 21)
- Re: Snort Performance Questions Joel Esler (Jan 22)
- Re: Snort Performance Questions Jefferson, Shawn (Jan 22)
- Re: Snort Performance Questions Joel Esler (Jan 22)