Snort mailing list archives

RE: RE: snort performance


From: "Williams Jon" <WilliamsJon () JohnDeere com>
Date: Tue, 16 Apr 2002 16:37:08 -0500

I've had good luck through three paths.  The first one is to optimize the
order of the rulesets.  Turns out that the rule ordering has an impact on
the speed at which a good packet can go through the list, so if you move the
most specific rules (i.e., specific src/dst address and port, no
content/uricontent fields) to the top and the least specific (the good old
any any -> any any rules with content fields) to the end, you improve
Snort's ability to find a match faster.

Second, don't use the [1.1.1.0/24,2.2.2.0/24] construct.  It is an extreme
performance hog.  What I've done is set up one snort process per HOME_NET I
want to watch and then use BPF on the command line to limit the traffic.
So, if I've got 6 class C's that I want to watch, I've got 7 snort
processes, one for each subnet and then a seventh that alerts on any packet
that shows up that isn't from or to the six known nets.  The seventh process
has been a real eye opener, too :-)

Third, remember that, even though you can limit your pass rules using all
the same fields as an alert rule, doing that means that you have to inspect
the innards of lots of packets that you wanted to drop without looking at.
When I realized this and removed the () part of the pass rules, my CPU
utilization dropped from ~97% used with no preprocessors to less than 45%
used with frag2, stream4, http_decode, telnet_decode, and rpc_decode!

Ah, I guess I should describe my environment.  One Compaq DL380 (dual 933
MHz PIII, 1 GB RAM, a pair of 18 GB SCSI disks mirrored) running FreeBSD
4.5-RELEASE.  The box has two Intel Pro 10/100+ interfaces, one in stealth
mode for listening and one for control/reporting.  I'm monitoring ~40 Mb/s
sustained with a snort.org rule set pruned down to 845 rules (184 chain
headers).  Under this configuration, I appear to be dropping maybe 1% of the
packets if Snort and the OS aren't lying to me the way Solaris does :-)

HTH.

Jon

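The layout Jon describes (one Snort process per monitored subnet with its own HOME_NET and a BPF pre-filter, plus a catch-all process that only sees packets outside every known net) and his pass-rule cleanup, as an added example written for this archive page; it is not Jon's script and not part of the Snort distribution. The interface name fxp0, the config path, the log root and the three sample subnets are hypothetical placeholders, and the script only prints the command lines instead of starting Snort.

```shell
#!/bin/sh
# Added example, not from the original post: generate the per-subnet Snort
# processes Jon describes plus the catch-all that sees only traffic outside
# every known net, and lint pass rules that still carry an option body.
# Hypothetical assumptions: interface fxp0, /etc/snort/snort.conf,
# log root /var/log/snort, and the three constructed sample subnets below.

IFACE="fxp0"
CONF="/etc/snort/snort.conf"
LOGROOT="/var/log/snort"
NETS="192.0.2.0/24 198.51.100.0/24 203.0.113.0/24"   # constructed sample nets

# BPF expression for one subnet: only packets to or from it.
bpf_for_net() {
    printf 'net %s' "$1"
}

# BPF expression for the catch-all process: packets touching none of the nets.
bpf_catchall() {
    filter=""
    for n in "$@"; do
        if [ -z "$filter" ]; then
            filter="not net $n"
        else
            filter="$filter and not net $n"
        fi
    done
    printf '%s' "$filter"
}

# Command line for one Snort process.  -S overrides HOME_NET from snort.conf,
# -o changes the rule order to Pass|Alert|Log so pass rules are tried first,
# and the trailing quoted argument is the BPF filter Snort hands to libpcap.
snort_cmd() {   # $1 = HOME_NET value, $2 = BPF filter, $3 = log directory
    printf "snort -c %s -i %s -l %s -o -S HOME_NET=%s '%s'\n" \
        "$CONF" "$IFACE" "$3" "$1" "$2"
}

# Print every pass rule that still has an option body.  Keeping the (...)
# part makes Snort inspect the payload of packets it was meant to skip;
# a header-only pass rule (no parentheses) is matched on addresses and ports.
lint_pass_rules() {   # rules on stdin, offending lines (with line numbers) on stdout
    grep -n '^pass .*('
}

# Dry run: print the N+1 process layout instead of starting Snort.
print_layout() {
    i=0
    for n in $NETS; do
        i=$((i + 1))
        snort_cmd "$n" "$(bpf_for_net "$n")" "$LOGROOT/net$i"
    done
    snort_cmd "any" "$(bpf_catchall $NETS)" "$LOGROOT/catchall"
}

print_layout

# Constructed sample rules: the first is the header-only form, the second
# still carries the option body that forces content inspection.
cat <<'EOF' | lint_pass_rules
pass tcp 192.0.2.10 any -> any 53
pass tcp any any -> 192.0.2.0/24 80 (content:"GET /health"; msg:"health probe";)
EOF
```

Two caveats for anyone copying the layout: each process reads its own log directory, so the reporting side (e.g. Barnyard) has to be pointed at all of them; and without -o Snort's default order is Alert|Pass|Log, so a pass rule alone does not stop an alert rule from firing on the same packet.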
-----Original Message-----
From: Christian Kuhtz [mailto:ck () arch bellsouth net]
Sent: Tuesday, April 16, 2002 4:08 PM
To: Christian Kuhtz; snort-users
Subject: [Snort-users] RE: snort performance

Oops, I guess I should be shot for fat-fingering the send button.
*sigh*  Here's the rest of the info:

And the OS is

4.5-STABLE FreeBSD 4.5-STABLE #2: Tue Apr 9 16:45:57 EDT 2002

(cvsup'ed and built the same day)

Does anyone have any performance tuning suggestions?  Off-line import
via Barnyard into MySQL on another box is the desired mode of
operation.

We've played with binary logging vs. unified, etc., and it doesn't seem
to make much of a difference getting down from those very high levels
of packet drops.

Anybody have pointers or tuning suggestions?

Thanks,
Chris



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

