Re: snort performance vs traffic

[Rob Hughes <rob () robhughes com>]

On Tue, 2002-07-09 at 09:27, Tim Prendergast wrote:
> All,
>  
> Curious to see what you are running in comparison to my config, because
> my snort is running out of memory and dying every day during the busy
> hours.
>  
> We're pushing like 4 T-1's worth of traffic coming in from the net, not
> to mention the traffic from our internal machines across the 100mb
> switch I am snorting. It's on a box with a 500mhz PIII and 256mb of
> memory. Am I way under-arming this machine for this task?
>  

What OS. What does your snort.conf look like? What output plugins are
you using? Where are you logging to? But yes, possibly so, depending on
your rule set. Try running a reduced rule set and only output to a
binary log file and see if the problem continues. If not, then the box
is underpowered. If it does, then it's probably something else. You may
also need to look at things like barnyard which can de-couple the output
of snort from the database process.

>  
-- 
Remember: the only difference between
being the champ and the chump is u.

Attachment: signature.asc
Description: This is a digitally signed message part