Snort mailing list archives
Re: Who can explain this?where is the bottleneck?
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Fri, 16 May 2003 19:38:07 +0200
Hi,

first: please try to use CR! Oh, I see, Outlook... forget it ;)

Now: Is Snort losing packets? What is the statistics saying? In Snort 2.0 the statistics seem to work well finally. Have you tried using perfmonitor? How many packets is Snort "seeing"?

Take off all the machines and connect the tcpreplay machine with the sensor with a crossover cable. Don't worry, it will work.

Try using more memory on your sensor. Optimize your HD - acoustic management off, UDMA5 transfer mode, 32-bit I/O access, see hdparm --help. Try using 64-bit machines. Try other NICs (3Com). Turn only unified logging on.

Are you using some IDS evasion techniques like insertion, fragmented packets, fake resets or similar?

Run as few processes on your sensor as possible.

rocky wrote:
> I did some simple tests on snort on-line detection capacity yesterday. I check a tcpdump data with only 37 kinds of attacks. First, I turn off all useless preprocessors, indeed only frag2 and telnet remain open. Snort 2.0 checks this data "off-line" with only 37 rules. It finds about 7700 events in about 5 seconds.
>
> Then I inject the tcpdump data by tcpreplay from my traffic producer and detect the traffic on my sensor. Here are the detected events with different traffic rates:
>
> rate   events
> 150M   3522
> 100M   3791
> 80M    3851
> 50M    3941
> 20M    4163
> 10M    4271
>
> I can not understand why snort can not find most events even in very low speed. I think it may be a problem of my machines. My traffic producer is Intel 1.4G, 256 RAM, Redhat 9.0, E1000 NIC. My snort sensor is Intel 2.4G, 512 RAM, Redhat 9.0, E1000 NIC.
>
> Where is the bottleneck? How can I detect all the events on-line? Thanks very much.
--
Edin Dizdarevic
Networking Unit Internet- & e-Security
iAS interActive Systems
Gesellschaft fuer interaktive Medien mbH
Dieffenbachstr. 33c
10967 Berlin
Germany
fon +49-(0)30 69 004-123
fax +49-(0)30 69 004-101
mail edin.dizdarevic () interActive-Systems de
URL http://www.interActive-Systems.de/security
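Added example, not code from either poster: a per-SID comparison of alert_fast-style output from the offline pcap run and the live replayed run, which shows whether the missing events are spread evenly over all rules (pointing at packet drops) or concentrated on stream- and fragment-dependent rules (pointing at the telnet/frag2 path). Both alert captures below are constructed sample data in Snort's alert_fast format; the SIDs and messages are invented for the demonstration.

```python
import re
from collections import Counter

# Constructed sample alerts (not from the thread), in Snort alert_fast format.
OFFLINE_ALERTS = """\
05/16-10:00:01.000001  [**] [1:1000001:1] SAMPLE telnet login banner [**] [Priority: 3] {TCP} 10.0.0.5:23 -> 10.0.0.9:40001
05/16-10:00:01.000002  [**] [1:1000001:1] SAMPLE telnet login banner [**] [Priority: 3] {TCP} 10.0.0.5:23 -> 10.0.0.9:40002
05/16-10:00:01.000003  [**] [1:1000002:1] SAMPLE icmp probe [**] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.9
05/16-10:00:01.000004  [**] [1:1000002:1] SAMPLE icmp probe [**] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.9
05/16-10:00:01.000005  [**] [1:1000003:1] SAMPLE fragmented payload [**] [Priority: 2] {UDP} 10.0.0.8:5000 -> 10.0.0.9:5001
"""
ONLINE_ALERTS = """\
05/16-11:00:01.000001  [**] [1:1000002:1] SAMPLE icmp probe [**] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.9
05/16-11:00:01.000002  [**] [1:1000002:1] SAMPLE icmp probe [**] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.9
05/16-11:00:01.000003  [**] [1:1000001:1] SAMPLE telnet login banner [**] [Priority: 3] {TCP} 10.0.0.5:23 -> 10.0.0.9:40001
"""

# [**] [gid:sid:rev] message [**]
SID_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")

def count_by_sid(alert_text):
    """Return {sid: (msg, count)} for alert_fast lines; lines that do not parse are skipped."""
    counts = Counter()
    msgs = {}
    for line in alert_text.splitlines():
        m = SID_RE.search(line)
        if not m:
            continue
        sid = int(m.group(2))
        counts[sid] += 1
        msgs[sid] = m.group(4)
    return {sid: (msgs[sid], n) for sid, n in counts.items()}

def compare_runs(offline_text, online_text):
    """Per-SID loss between the offline (pcap) run and the live (replayed) run.
    Returns (sid, msg, offline_count, online_count, loss_fraction) rows, worst loss first."""
    off = count_by_sid(offline_text)
    on = count_by_sid(online_text)
    rows = []
    for sid, (msg, n_off) in off.items():
        n_on = on.get(sid, (msg, 0))[1]
        rows.append((sid, msg, n_off, n_on, 1 - n_on / n_off))
    rows.sort(key=lambda r: r[4], reverse=True)
    return rows

if __name__ == "__main__":
    for sid, msg, n_off, n_on, loss in compare_runs(OFFLINE_ALERTS, ONLINE_ALERTS):
        print(f"sid {sid:<8} offline={n_off:<4} online={n_on:<4} lost={loss:5.0%}  {msg}")
```

Run it against the real alert files from both runs (for example by reading them with `open(...).read()` in place of the constructed strings); rules whose loss is far above the overall packet drop rate deserve a closer look at the preprocessor they depend on.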
Current thread:
- Who can explain this?where is the bottleneck? rocky (May 16)
- Re: Who can explain this?where is the bottleneck? Edin Dizdarevic (May 16)
- <Possible follow-ups>
- RE: Who can explain this?where is the bottleneck? Ricardo, Gerson (May 16)