Snort mailing list archives

Re: Snort on networks with heavy load.

From: Chris Keladis <Chris.Keladis () cmc cwo net au>
Date: Mon, 04 Feb 2002 23:20:26 +1100

John-Magne Bredal wrote:

Hi John,

I wonder if there are any other Snort-users that have any experience in
using Snort on heavily loaded networks? I would be glad to get some advice
on this matter. What have other people who are in the same situation done?
How to decrease the number of alerts? Are there any software/projects
developed that in any way that manages the high load? How to avoid
spamming the users with alerts?


I'm not sure of any software to reduce false-positive alerts, that's
usually done by admin intervention.

The first thing i would do is to apply bpf-style filters to the traffic
you are not interested in seeing. (Be wary, this means Snort will not
see such traffic at ALL). ICMP ping/pongs may be traffic you want to
ignore (depending on your level of paranoia vs noise). Either completely
or from certain hosts.

Network Management Systems also generate lots of noise. It may be wise
to exclude NMS polls from getting caught up in the IDS by way of
filters.

Filters are good because they prevent filtered packets reaching Snort
and lessen it's load, rather than Snort processing the packet and
ignoring the alert. Usefull for high-load noisy networks.

Currently I have removed a lot of signatures, and Snort is not getting all
our traffic. I am logging to a Mysql db, and using ACID as web-frontend
(which is SLOW btw). The number of daily alerts is between 5k and 10k.


Barnyard may be good to check out as well. It de-couples Snort's output
plugins to a seperate engine for processing.

It's still in beta, and when i tried to use it on Solaris it had some
issues, but others have reported success in more recent CVS versions. It
definately shows promise, anyway.

The last technique is to make sure the rules you use are relevant to
what your interested in seeing. Ie, the porn.rules policy may be using
unnecessary CPU cycles if your not interested in seeing users surfing
porn sites. (As you would) :)

It also helps to read the Snort FAQ, it has tidbits about speeding up
Snort.

It's also always good to run the most recent version of Snort/libpcap
you can.

Any help on the subject is greatly appreciated!


No worries. I hope the suggestions above are of some use.





Regards,

Chris.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort on networks with heavy load. John-Magne Bredal (Feb 04)
- Re: Snort on networks with heavy load. Chris Keladis (Feb 04)
- <Possible follow-ups>
- Re: Snort on networks with heavy load. Thomas Springer (Feb 04)
- RE: RE: Snort on networks with heavy load. John-Magne Bredal (Feb 04)