Snort mailing list archives
Re: Snort on networks with heavy load.
From: Chris Keladis <Chris.Keladis () cmc cwo net au>
Date: Mon, 04 Feb 2002 23:20:26 +1100
John-Magne Bredal wrote:

Hi John,
> I wonder if there are any other Snort-users that have any experience in using Snort on heavily loaded networks? I would be glad to get some advice on this matter. What have other people who are in the same situation done? How to decrease the number of alerts? Are there any software/projects developed that in any way manage the high load? How to avoid spamming the users with alerts?
I'm not sure of any software to reduce false-positive alerts, that's usually done by admin intervention. The first thing I would do is to apply bpf-style filters to the traffic you are not interested in seeing. (Be wary, this means Snort will not see such traffic at ALL). ICMP ping/pongs may be traffic you want to ignore (depending on your level of paranoia vs noise). Either completely or from certain hosts. Network Management Systems also generate lots of noise. It may be wise to exclude NMS polls from getting caught up in the IDS by way of filters. Filters are good because they prevent filtered packets reaching Snort and lessen its load, rather than Snort processing the packet and ignoring the alert. Useful for high-load noisy networks.
> Currently I have removed a lot of signatures, and Snort is not getting all our traffic. I am logging to a Mysql db, and using ACID as web-frontend (which is SLOW btw). The number of daily alerts is between 5k and 10k.
Barnyard may be good to check out as well. It de-couples Snort's output plugins to a separate engine for processing. It's still in beta, and when I tried to use it on Solaris it had some issues, but others have reported success in more recent CVS versions. It definitely shows promise, anyway. The last technique is to make sure the rules you use are relevant to what you're interested in seeing. I.e., the porn.rules policy may be using unnecessary CPU cycles if you're not interested in seeing users surfing porn sites. (As you would) :) It also helps to read the Snort FAQ, it has tidbits about speeding up Snort. It's also always good to run the most recent version of Snort/libpcap you can.
> Any help on the subject is greatly appreciated!
No worries. I hope the suggestions above are of some use.

Regards,

Chris.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
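As an added example (not part of Chris's post), here is one way to put his bpf-filter suggestion into practice: a filter that keeps ICMP echo request/reply and an NMS poller's SNMP traffic away from Snort while still letting other ICMP through. The poller address 192.0.2.10 and the file paths are constructed assumptions; Snort's -F option reads the filter from a file.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a BPF filter of the kind
# described in the reply above, so filtered packets never reach Snort.
# Assumptions: the NMS poller lives at 192.0.2.10 (constructed address) and
# polls over SNMP (udp 161/162); the filter is handed to Snort with -F.

NMS_HOST="192.0.2.10"            # constructed; replace with your poller
BPF_FILE="/etc/snort/noise.bpf"  # assumed path for the filter file

# Build the expression. Only echo request/reply are excluded, so the rest of
# ICMP (unreachables, redirects, fragmentation-needed) still reaches Snort;
# NMS traffic is excluded only for the poller host, not for all of SNMP.
build_bpf() {
    nms="$1"
    echo_part="not (icmp[icmptype] = icmp-echo or icmp[icmptype] = icmp-echoreply)"
    nms_part="not (host ${nms} and (udp port 161 or udp port 162))"
    printf '%s and %s\n' "$echo_part" "$nms_part"
}

# Write the filter to the file Snort will read.
write_bpf_file() {
    build_bpf "$1" > "$2"
}

# Sanity-check that libpcap accepts the expression before Snort does:
# tcpdump -d compiles the filter and prints the BPF program without capturing.
check_bpf() {
    tcpdump -d "$1" >/dev/null 2>&1
}

if [ "${1:-}" = "install" ]; then
    write_bpf_file "$NMS_HOST" "$BPF_FILE"
    check_bpf "$(cat "$BPF_FILE")" || { echo "filter does not compile" >&2; exit 1; }
    # Then start Snort with the filter (paths assumed):
    #   snort -c /etc/snort/snort.conf -F "$BPF_FILE"
    echo "wrote $BPF_FILE"
fi
```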