Snort mailing list archives
Re: "Making Snort go fast under Linux..."
From: "Chan, Wilson" <wchan () honolulu gov>
Date: Wed, 24 Feb 2010 14:15:20 -1000
Problem fixed. I guess I had to let snort settle in before checking the stats. It's back under 1% with the new Search-method.

Thanks!

Wilson

-----Original Message-----
From: Chan, Wilson
Sent: Wednesday, February 24, 2010 1:32 PM
To: Chan, Wilson; Edward Bjarte Fjellskål; snort-users () lists sourceforge net
Subject: RE: [Snort-users] "Making Snort go fast under Linux..."

Found the settings for S5 and maxed out the queue and then the max bytes as it started to complain after bumping the queue size up. I no longer see the "Session exceeded" warnings but it's still dropping packets at 3% vs less than 1% when using the default search-method (AC-BNFA). Is this normal?

##-wc Default is max_queued_seg 2621, Max is 1GB (1073741824)
##-wc Default is max_queued_bytes 1024, Default 1048576 is 1MB & Max is 1GB (073741824)
##preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor stream5_tcp: policy first, \
    use_static_footprint_sizes, \
    max_queued_segs 1073741824, \
    max_queued_bytes 1073741824

Wilson

-----Original Message-----
From: Chan, Wilson
Sent: Wednesday, February 24, 2010 1:04 PM
To: Edward Bjarte Fjellskål; snort-users () lists sourceforge net
Subject: Re: [Snort-users] "Making Snort go fast under Linux..."

Just applied one of the speed tweaks on how searches are performed (search-method ac vs default) and I immediately noticed ram usage went up from 0.4% to 2.2% (Total ram is 12G). However, I noticed my dropped packets are now over 3% whereas the default search-method was less than 1%. I also noticed it's complaining about S5: Session exceeded configured max segs. How do I bump the ram usage for S5?

Thanks!

/etc/snort/snort.conf
##Enable (ac-bnfa: low memory, high performance OR ac: high memory, best performance)
config detection: search-method ac

[root@snort- snort]# service snortd stats
S5: Session exceeded configured max segs to queue 2621 using 2621 segs (server queue). (0) : LWstate 0x48 LWFlags 0x6107
*** Caught Usr-Signal
===============================================================================
Packet Wire Totals:
   Received: 6926559
   Analyzed: 13354515 (192.802%)
   Dropped: 249296 (3.599%)
   Outstanding: 18446744073702874364 (266319020363543.781%)
===============================================================================

Wilson

-----Original Message-----
From: Edward Bjarte Fjellskål [mailto:edward.fjellskal () redpill-linpro com]
Sent: Wednesday, February 24, 2010 4:03 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] "Making Snort go fast under Linux..."

Hi list,

During the years, I have tried to gather some notes on what can help "Snort go faster". I summed it up in a blog post:
http://www.gamelinux.org/?p=81

If anyone here has any comments/improvements/tips etc, I would be happy to hear about them, and include them in my post for future reference.

E

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- "Making Snort go fast under Linux..." Edward Bjarte Fjellskål (Feb 24)
- Re: "Making Snort go fast under Linux..." Randal T. Rioux (Feb 24)
- Re: "Making Snort go fast under Linux..." Edward Bjarte Fjellskål (Feb 24)
- Re: "Making Snort go fast under Linux..." beenph (Feb 24)
- Re: "Making Snort go fast under Linux..." Ronny Vaningh (Feb 24)
- Re: "Making Snort go fast under Linux..." Mark W. Jeanmougin (Feb 25)
- Re: "Making Snort go fast under Linux..." Edward Bjarte Fjellskål (Feb 24)
- Re: "Making Snort go fast under Linux..." Crook, Parker (Feb 24)
- Re: "Making Snort go fast under Linux..." Chan, Wilson (Feb 24)
- Re: "Making Snort go fast under Linux..." Chan, Wilson (Feb 24)
- Re: "Making Snort go fast under Linux..." Chan, Wilson (Feb 24)
- Re: "Making Snort go fast under Linux..." Chan, Wilson (Feb 24)
- Re: "Making Snort go fast under Linux..." Randal T. Rioux (Feb 24)