Snort mailing list archives

Re: Stream4 and other stuff


From: Victor Barahona <victor.barahona () uam es>
Date: Mon, 2 Jul 2001 12:41:06 +0200

My suggestion would be to start disabling various Snort plugins and
rules files to see where the performance hit is coming from and to
report from there once you have.  I'm very interested in this data as
well; since I don't have a highly utilized network to test on, it's
really difficult to test the performance of the system lately.  One
thing that I have found puzzling lately is that it almost appears as if
the performance of the pattern matcher has gone *down*, which isn't at
all right.

Maybe this helps you.

I'm running Snort (1.8beta6 build26) and analyzing a line with 15-20 Mb/s; 
the hardware is a PIII 256Mb with Linux, running MySQL and ACID, with the 
official rules from Snort.

The first time I ran Snort the CPU went to 95%, but after some probes I noticed 
that when I commented out the http rules the CPU came down to 35%-40. After some 
more probes, I noticed that when the configuration file had:

var HTTP_SERVERS [xxx.yyy.9.8,xxx.yyy.9.237,xxx.yyy.30.2]

The analysis was CPU intensive (95%), but when I changed it to this:

var HTTP_SERVERS [xxx.yyy.0.0/16]

The CPU went back to 40%.

Regards

-- 
"Alone? you are not alone, Bigbrother is watching you"

------------------------------------------------------------------------
Victor Barahona Cabezon
http://rincon.uam.es/dir?cw=870938110351562            PGP ID-0x8750AB79
Soporte Seguridad en red........................http://www.utc.uam.es/ss
------------------------------------------------------------------------

