Snort mailing list archives
Re: Snort 2.9, RHEL 5 and afpacket DAQ
From: Michael Altizer <maltizer () sourcefire com>
Date: Wed, 20 Oct 2010 15:14:14 -0400
On 10/20/2010 02:59 PM, Rich Graves wrote:
> On Wed, Oct 20, 2010 at 1:12 PM, Jeff Kell wrote:
>> I had rebuilt snort 2.8.6 with libpcap 1.1.1 and had some worse performance than before, but then there was a discussion on one of the snort lists regarding sids 4676 and 4677 in the oracle-rules being a pcre "hog". Disabling those two sids dropped my average CPU over half...
>
> Wow. Mine dropped over 2/3.
>
> sid 4676 is limited to POSTs, so if you have a requirement to detect ancient oracle attacks, keep that one and drop just 4677.
>
> The problem of the maximum 49MB buffer on RHEL5 64-bit remains (does not affect Ubuntu 64-bit or RHEL5 32-bit; I'd expect it to affect CentOS and other rebuilds as well), but since I'm no longer regularly filling the buffer, my 2.9.0 installation is now stable enough that I can start looking at the new rule options, and hope the buffer issue gets addressed in 2.9.1.

I've replicated the issue on a 64-bit CentOS 5.5 VM. It's going to take some investigation from the kernel side of af_packet to figure out the issue since it appears to be limited to 64-bit CentOS/RHEL as you indicated. Unfortunately, they really don't make building a custom kernel with their source easy, but I'm getting there...

-Michael