Snort mailing list archives
Re: A few questions regarding Solaris
From: Mike Lococo <mikelococo () gmail com>
Date: Tue, 31 Aug 2010 14:53:19 -0400
> Thanks for your information regarding the SO_RULES being compiled from source; this means I will have to switch platforms completely. I'm thinking about CentOS or Ubuntu; however, it looks like Snort is not compatible with the latest Ubuntu release (talking about SO_RULES)? Since they are in the midst of changing supported platforms, I will most likely rebuild my HP system. Does that make the most sense? I'm not going to do anything with my current build until I form a plan for rebuilding with a new OS. More fun, which I really don't have time for, but I do want to take advantage of the SO_RULES.
I don't have strong feelings about platform. I've always run on RedHat, which works for me. Lots of folks I respect use FreeBSD. I think pretty much any platform with pre-compiled SO_RULES is a first-class citizen with respect to running Snort.
> CPU usage is nil, watching it now under 1% . . . memory is at 3%. I will look into turning on the performance monitor preprocessor. Can I run this in daemon mode? If so, how do I check the stats? Can I log them to a file? Thank you very much for your help, I really do appreciate it!
Read the fine manual, there's a section on the perfmon preprocessor. It writes output to a file of your choosing in comma delimited format. I use Zabbix to collect and graph the columns I'm interested in because I already have it available for other system monitoring purposes and it works well. There are lots of other visualization tools, both snort/perfmon focused and generic unix graphic frameworks. For initial troubleshooting, you can also learn quite a lot just by tailing the csv file, although that gets tiresome eventually.
> CPU - 2x dual core 2.3MHz chips, Processor Cache: 4096KB. The NICs are HP branded without their own CPU; each card has 4 gig NIC ports. I'm only using one of these ports, as I originally planned to monitor more than one VLAN. I'm going to turn off the IRQs in the BIOS. I don't have too many rules turned on and I'm not even using the SO_RULES, but I agree that it might be the sheer amount of traffic going over the wire.
You haven't said how much traffic you actually have. As a random data-point, with stock intel ethernet cards I see a few percent loss at 50mbits (not megaBytes, megabits) on a 16 core system with 32gig of ram. With an Endace capture card, I push 1.4gigabits through a slightly smaller box with virtually no loss. I'm not sure how far folks are able to scale snort on commodity ethernet cards before they start losing packets, but I'd be surprised if it was much beyond 200 megabits per snort-process/ethernet-port. If you want to minimize this kind of low-level tuning, consider ponying up for a SourceFire box where this kind of work is done out of the gate.

Good Luck,
Mike Lococo
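Mike's two practical points in this reply are that the perfmon preprocessor writes its statistics to a comma-delimited file you can tail, and that the number that matters is how much packet loss you see at a given wire rate. The script below is an added example, not code from the Snort project or from anyone on this thread. It parses that CSV the way a small monitoring check would, looking columns up by the names in the file's `#`-prefixed header line rather than by position, and reports the samples where drop percentage crossed a threshold together with the highest wire rate the sensor sustained without loss. The header names `time`, `pkt_drop_percent`, `wire_mbits_per_sec.realtime` and `alerts_per_second` are assumed to match what Snort 2.x's perfmonitor emits (the real file carries many more columns, which are ignored here); the sample rows are constructed, not captured from a sensor.

```python
"""Summarise Snort perfmonitor CSV output: where did the sensor drop packets, and at what rate?

Added example for the snort-users thread; not part of Snort. Column names are an assumption
about Snort 2.x's perfmonitor header line, and the sample data below is constructed.
"""
import sys

# Constructed sample (five 300-second intervals). Only a few of perfmon's columns are kept;
# the parser maps fields by header name, so extra columns in a real file are harmless.
SAMPLE_STATS = """\
#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second
1283276400,0.000,38.412,0.120
1283276700,0.051,41.007,0.150
1283277000,3.870,57.226,0.420
1283277300,7.115,63.981,0.510
1283277600,0.212,44.302,0.140
"""


def parse_perfmon(text):
    """Yield one dict per sample row, keyed from the '#'-prefixed header line.

    Snort writes a fresh header whenever it (re)opens the file, so a header may appear
    more than once; each one simply replaces the current column map.
    """
    header = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            header = line.lstrip("#").split(",")
            continue
        if header is None:
            raise ValueError(f"line {lineno}: data row before any header line")
        fields = line.split(",")
        if len(fields) != len(header):
            raise ValueError(f"line {lineno}: expected {len(header)} fields, got {len(fields)}")
        row = dict(zip(header, fields))
        yield {
            "time": int(row["time"]),
            "drop_pct": float(row["pkt_drop_percent"]),
            "mbps": float(row["wire_mbits_per_sec.realtime"]),
            "alerts_ps": float(row["alerts_per_second"]),
        }


def summarize(text, threshold_pct=1.0):
    """Return loss statistics for a perfmon file: sample count, intervals over threshold,
    the worst interval, and the highest wire rate seen with loss at or below threshold."""
    samples = list(parse_perfmon(text))
    if not samples:
        raise ValueError("no samples found")
    over = [s for s in samples if s["drop_pct"] > threshold_pct]
    peak = max(samples, key=lambda s: s["drop_pct"])
    clean_rates = [s["mbps"] for s in samples if s["drop_pct"] <= threshold_pct]
    return {
        "samples": len(samples),
        "over_threshold": len(over),
        "peak_drop_pct": peak["drop_pct"],
        "peak_mbps": peak["mbps"],          # wire rate during the worst interval
        "max_mbps_without_loss": max(clean_rates) if clean_rates else None,
    }


def main(argv):
    # Usage: python perfmon_summary.py [/path/to/snort.stats] [threshold_pct]
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_STATS
    threshold = float(argv[2]) if len(argv) > 2 else 1.0
    stats = summarize(text, threshold)
    print(f"{stats['samples']} samples, {stats['over_threshold']} over {threshold}% drop")
    print(f"worst interval: {stats['peak_drop_pct']}% drop at {stats['peak_mbps']} Mbit/s")
    print(f"highest rate without loss: {stats['max_mbps_without_loss']} Mbit/s")


if __name__ == "__main__":
    main(sys.argv)
```

Run against the real stats file once perfmonitor has been enabled in snort.conf (the manual's `preprocessor perfmonitor:` directive with its `time` and `file` options); the last line of output is the kind of data-point Mike quotes above, the wire rate beyond which this particular sensor starts to lose packets.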