RE: Snort and high-traffic lines

["Sam Ng" <sng () drasecurity com>]

I have more or less the same problem, my line is about 20-30M average,
single P4 1.7G, CPU loading 99%, obviously overloaded, traffic
segmentation seems to my only solution.

If I use spo_database, CPU loading is about 15-30, obviously due to the
blocking I/O, snort is a single thread program, if you use spo_databaes,
it wait the database server to finish the 5-8 insert/query SQL
statements before it can go back to do the sniffing job, so you can
expect you CPU can always be idle.

I think all spo_xx should be rewritten to use pthread or simply use
barnyard.

By the way, if you do traffic segmentation, don't do it by rules files,
best way is to do it is by IP (use pass rule or HOME_NET), taking out
some of the rules might not always make the system runs faster, if snort
can't find a matched rule, it keep running thru all the rules, hence, it
may takes longer time in searching.

Sam


> -----Original Message-----
> From: snort-users-admin () lists sourceforge net 
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
> Jens Krabbenhoeft
> Sent: Monday, September 30, 2002 3:33 PM
> To: snort-users mailing list
> Subject: [Snort-users] Snort and high-traffic lines
>
>
> Hi all,
>
>   I have been playing around with snort (1.9.0b6) quite a 
> while now, trying to get snort work with a big ruleset (~ 
> 1200 rules, HOME_NET set to one /19 and one /16, EXTERNAL_NET 
> set to any) in a high-traffic environment. 
>
> My first problem seemed to be the libpcap which dropped about 
> 0.5% of the packets on a 25MBit-average line. After having 
> installed the MMAP enabled pcap from Phil Wood, everything is 
> fine with the pcap (except RAM usage ;)).
>
> But after having solved the pcap-drops, snort began to drop 
> packets with the ruleset mentioned above and speeds over 
> 30MBit (snort drops about 40% of the packets on a 
> 65MBit-average line). To solve that problem I used snort's 
> binary logging (-b) and barnyard to log the incidents to the 
> database - but still drops with my ruleset.
>
> Snort seems to keep up with about 65MBit traffic with a <300 
> rules ruleset (and -b/barnyard) whereas snort logging to the 
> DB generates drops even with that small ruleset. 
>
> My snort-box is a PIII-700 (running linux at the moment) with 
> 256MB RAM, 3c905B Ethernet-Card. As I planned to have a 
> snort-box capable of snorting about - let's say - 200-300MBit 
> peak-traffic, I have a question to all the people out there 
> who successfully deployed snort in a high-speed environment.
>
> What would be the right hardware to snort that much traffic? 
> What would be the right OS? How can I improve snort's 
> performance in general (when changing the ruleset and 
> changing HOME/EXTERNAL_NET is not possible)? How did you 
> deploy snort successfully in a high-bandwidth environment? 
> Any tweaks for the OSes such as adjusting buffers, ...?
>
> Thanks in advance,
>
>       Jens
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf 
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users