Snort mailing list archives

snort performance


From: Thomas Springer <tuev () serveraudit net>
Date: Wed, 09 Jan 2002 13:27:09 +0100

I've got a performance problem:

We're running snort 1.8.3 on a Celeron 700/256MB RAM/Suse 7.3, monitoring a
network with about 10 MBit/s IP traffic.
We're using the standard ruleset and the standard snort.conf; at the moment
we log with "-A fast -b -d".

Snort works fine, but it eats up between 50 and 99 percent CPU time,
regardless of whether I use standard logging, -A fast -b, or the
output-unified plugin. I even tried to exclude a big gateway host with "not
host fat_inet_gate" - this reduces traffic to approx. 7 MBit/s, but the
server load stays the same.

Are there any known ways to optimize performance and reduce server load?

I found that not defining a home net reduces the CPU load:
"var HOME_NET [217.x.x.0/24,193.x.x.0/24]"      means 60-90% CPU load
"var HOME_NET any" means 30-60% CPU load

Any hints for further optimizing?

Will rearranging the rule application order help?
I'm using the standard "->activation->dynamic->alert->pass->log" order at the
moment.

ts


Thomas Springer
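The three settings the post touches (HOME_NET scope, rule application order, and a BPF filter in front of the detection engine) side by side as a snort.conf fragment. This is an added example, not the poster's configuration or part of the original message: the network addresses are placeholders, and the `config order:` directive is assumed to be available in the 1.8.x configuration syntax (the `-o` command-line switch is the older way of getting the same pass-first ordering).

```conf
# Added example, not the poster's snort.conf. Addresses are placeholders.

# 1. HOME_NET scope. Every rule written with $HOME_NET / $EXTERNAL_NET has to
#    match the packet's addresses against this list, which is the cost the
#    poster measured (60-90% with a list, 30-60% with "any").
var HOME_NET [192.0.2.0/24,198.51.100.0/24]
var EXTERNAL_NET !$HOME_NET

# The cheaper alternative from the post. Note what is given up: with "any",
# direction-sensitive rules can no longer tell inside from outside.
# var HOME_NET any
# var EXTERNAL_NET any

# 2. Rule application order. Snort's default is
#    activation -> dynamic -> alert -> pass -> log. Evaluating pass rules
#    first lets traffic you have explicitly excluded leave the engine before
#    the alert rules run (assumed directive; equivalent to the -o switch).
config order: pass activation dynamic alert log

# 3. Keeping a noisy host out of the engine entirely, as the poster did with
#    "not host fat_inet_gate": a BPF filter is appended to the command line,
#    not placed in snort.conf, e.g.
#    snort -c snort.conf -A fast -b -d not host fat_inet_gate
```

Watching CPU while changing one of the three at a time, as the poster did for HOME_NET, is the only way to tell which one matters on a given box; the BPF filter is applied by libpcap before Snort sees the packet, so it is the one change that reduces both traffic and rule evaluation.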


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

