Snort mailing list archives
RE: RE: snort performance
From: "Williams Jon" <WilliamsJon () JohnDeere com>
Date: Tue, 16 Apr 2002 16:37:08 -0500
I've had good luck through three paths.

The first one is to optimize the order of the rulesets. Turns out that the rule ordering has an impact on the speed at which a good packet can go through the list, so if you move the most specific rules (i.e. specific src/dst address and port, no content/uricontent fields) to the top and the least specific (the good old any any -> any any rules with content fields) to the end, you improve snort's ability to find a match faster.

Second, don't use the [1.1.1.0/24,2.2.2.0/24] construct. It is an extreme performance hog. What I've done is set up one snort process per HOME_NET I want to watch and then use BPF on the command line to limit the traffic. So, if I've got 6 class C's that I want to watch, I've got 7 snort processes, one for each subnet and then a seventh that alerts on any packet that shows up that isn't from or to the six known nets. The seventh process has been a real eye opener, too :-)

Third, remember that, even though you can limit your pass rules using all the same fields as an alert rule, doing that means that you have to inspect the innards of lots of packets that you wanted to drop without looking at. When I realized this and removed the () part of the pass rules, my CPU utilization dropped from ~97% used with no preprocessors to less than 45% used with frag2, stream4, http_decode, telnet_decode, and rpc_decode!

Ah, I guess I should describe my environment. One Compaq DL380 (dual 933 MHz PIII, 1 GB RAM, a pair of 18GB SCSI disks mirrored) running FreeBSD 4.5-RELEASE. The box has two Intel Pro 10/100+ interfaces, one in stealth mode for listening and one for control/reporting. I'm monitoring ~40 mb/s sustained with a snort.org rule set pruned down to 845 rules (184 chain headers). Under this configuration, I appear to be dropping maybe 1% of the packets if Snort and the OS aren't lying to me the way Solaris does :-)

HTH.
Jon

-----Original Message-----
From: Christian Kuhtz [mailto:ck () arch bellsouth net]
Sent: Tuesday, April 16, 2002 4:08 PM
To: Christian Kuhtz; snort-users
Subject: [Snort-users] RE: snort performance

oops, i guess i should be shot for fatfingering the send button. *sigh* here's the rest of the info:

and os is

4.5-STABLE FreeBSD 4.5-STABLE #2: Tue Apr 9 16:45:57 EDT 2002 (cvsup'ed and built the same day)

does anyone have any performance tuning suggestions? off-line import via barnyard into mysql on another box is the desired mode of operation. we've played with binary logging vs unified etc, and it doesn't seem to make much of a difference getting down from those very high levels of packet drops. anybody have pointers or tuning suggestions?

thanks,
chris

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
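The "one snort process per subnet plus a catch-all" layout Jon describes above, written out as BPF filters and command lines. This is an added example, not code from the post or from the Snort project; the subnets, interface name, config file names and log paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: build the BPF filters for N per-subnet snort processes plus
# one catch-all process, as in the post. Subnets, interface, config names and
# log paths are constructed placeholders.

# BPF filter for a per-subnet process: only packets to or from that net.
bpf_for_net() {
    printf 'net %s' "$1"
}

# BPF filter for the extra, catch-all process: anything that is neither
# from nor to any of the known nets (the "eye opener" process).
bpf_catchall() {
    expr=""
    for n in "$@"; do
        if [ -z "$expr" ]; then
            expr="net $n"
        else
            expr="$expr or net $n"
        fi
    done
    printf 'not (%s)' "$expr"
}

# Emit (rather than run) one snort command line per process. -c, -i, -l and -D
# are standard snort options; the trailing argument is the BPF filter, so each
# process only sees its own subnet's traffic and its config can use a single
# HOME_NET instead of the [a,b,c] list construct.
snort_cmdlines() {
    iface="$1"; shift
    for n in "$@"; do
        tag=$(printf '%s' "$n" | tr '/' '_')
        printf "snort -c snort-%s.conf -i %s -l /var/log/snort/%s -D '%s'\n" \
            "$tag" "$iface" "$tag" "$(bpf_for_net "$n")"
    done
    printf "snort -c snort-other.conf -i %s -l /var/log/snort/other -D '%s'\n" \
        "$iface" "$(bpf_catchall "$@")"
}

# Six placeholder class C's on listening interface fxp0 -> seven command lines.
snort_cmdlines fxp0 10.10.1.0/24 10.10.2.0/24 10.10.3.0/24 \
                    10.10.4.0/24 10.10.5.0/24 10.10.6.0/24
```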
Current thread:
- snort performance Christian Kuhtz (Apr 16)
- RE: snort performance Christian Kuhtz (Apr 16)
- <Possible follow-ups>
- RE: RE: snort performance Williams Jon (Apr 16)
- Re: RE: snort performance james (Apr 17)
- RE: RE: snort performance Christian Kuhtz (Apr 17)
- Re: RE: snort performance james (Apr 17)
- Re: RE: snort performance james (Apr 17)
- RE: RE: snort performance Williams Jon (Apr 18)
- RE: RE: snort performance Kreimendahl, Chad J (Apr 18)