Snort mailing list archives
Re: Performance questions
From: Chris Green <cmg () uab edu>
Date: Fri, 18 Jan 2002 15:58:45 -0600
Lucas de Carvalho Ferreira - BMS <lucas.ferreira () bms com br> writes:
Hello,
I am trying to monitor a high traffic 100Mbs switch port with snort on a 433 MHz Celeron machine running Red Hat 7.2 but snort is dropping about 10% of the packets, even if the CPU load is at an average of 70% (seen with top). Are there any configuration tips for snort or for the Linux kernel to get better performance? Could it be an I/O performance problem?
Disable unneeded rules, switch to fast + tcpdump logging instead of full/database/xml/etc.
Need a lot more information on your current config to help you figure out what needs to be done.
--
Chris Green <cmg () uab edu>
"Yeah, but you're taking the universe out of context."