Snort mailing list archives

Re: A few questions regarding Solaris


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 30 Aug 2010 12:35:27 -0400

On 8/30/2010 07:54, Robert Riskin wrote:
Also I'm running it on a heavily trafficked VLAN, lots of server and workstation
traffic, to/from Internet, etc.  I know that some alerts are being missed.  I
have tuned out a lot of the snort rulesets and use emerging markets and most of
the malware rulesets.  I still find myself missing alerts, for example I'll try
and hit one of the RBN sites and sometimes Snort will trigger an alert and
sometimes it won't.  Is there anything I can do to make sure it captures
everything without missing anything?  My box has 10 GB of RAM and 500 GB 10k
hard drives.  So I'm not sure where the bottleneck is.

OK, so you've told us your RAM size and HDs, but what about other important factors?

what CPU chip are you using?
what speed is that CPU chip?
what NIC(s) are you using?
are they server grade with their own CPU on them?

you may be dealing with IRQ latency... are all unneeded items turned OFF in 
BIOS so that those IRQs are free? are the NIC(s) on their own, non-shared IRQs? 
are the NIC(s) on lower-numbered IRQs?

if your box doesn't need serial or parallel ports, disable them in the BIOS and 
that should open IRQs 3, 4 and 7 (at least)...

it is also quite possible that your snort is just too busy and is simply not 
able to keep up with the traffic streaming over your NIC(s)... especially if you 
have a lot of rules enabled, and even more so if a lot of those rules are not as 
optimized as they could be...

some of the preprocessors have settings where you can limit the number of items 
they hold for analysis, and you can also set the amount of memory they may use... 
it could be that your system is spending more time looking through memory at 
everything than in processing it, and thus some of it slips by...

we need more information and details to really get any closer to the problem...
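As an added illustration that is not part of the thread above, here is a snort.conf fragment (Snort 2.8-era syntax) showing the kind of preprocessor limits the reply alludes to, together with the perfmonitor preprocessor, which writes the packet-drop percentage so that "sometimes it fires, sometimes it doesn't" can be tied to measured drops rather than guessed at. Every number and the stats file path are assumptions chosen for a busy sensor with plenty of RAM, not values from the list or from the Snort project; tune them to your own box.

```conf
# Added example, not from the mailing list post: a snort.conf fragment that
# bounds preprocessor memory and measures drops. All numbers and the stats
# path below are assumptions, not recommended values.

# Write drop percentage, packets/sec and preprocessor load every 300 s (or
# every 10000 packets, whichever comes first). Nonzero drops here mean the
# sensor is shedding traffic, and no rule tuning will make alerts reliable.
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000

# IP fragment reassembly: cap how many fragments are held and their memory.
preprocessor frag3_global: max_frags 65536, memcap 33554432
preprocessor frag3_engine: policy first, detect_anomalies

# TCP/UDP stream tracking: cap tracked sessions and the memcap for session data.
preprocessor stream5_global: track_tcp yes, max_tcp 262144, track_udp yes, max_udp 131072, memcap 536870912
preprocessor stream5_tcp: policy first, ports both all
preprocessor stream5_udp: timeout 30

# Pattern matcher: ac-bnfa is the memory-frugal default; plain "ac" is faster
# on a box with RAM to spare, at the cost of much larger state tables.
config detection: search-method ac

# Bound events queued per packet so logging cannot become the bottleneck.
config event_queue: max_queue 8 log 3 order_events content_length
```

Read the Drop column in the stats file (or the "Dropped" line Snort prints on exit) before touching rules: if it is nonzero, the fix is fewer or cheaper rules, tighter memcaps, or a faster NIC path, and only after drops reach zero does it make sense to ask why a particular rule did not fire.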

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
