RE: Notes regarding success with snort 2.0 on low end hardware

["Petriz, Pablo" <ppetriz () siscat com ar>]

One word: didactic.

When i read your original mail i went to the snort manual, next the FAQs, 
but i feel that i was missing something. 

Thank you very much!


PABLO

> -----Mensaje original-----
> De: Matt Kettler [mailto:mkettler () evi-inc com]
> Enviado el: martes 17 de junio de 2003 12:40
> Para: Petriz, Pablo
> CC: 'snort-users () lists sourceforge net'
> Asunto: RE: Notes regarding success with snort 2.0 on low end hardware
>
>
> At 11:39 AM 6/17/2003 -0300, Petriz, Pablo wrote:
> > Hello Matt
> >
> > I am a "low end hardware" user too, and i want to know if 
> you can extend
> > your case a little bit and explain us (the non so technical 
> users of snort)
> > which are the pros, cons and howtos of the things you've set 
> up to do it.
> > "I had set up snort by disabling conversation and portscan2, 
> used the lowmem
> > config option and the -k none command line parameter and 
> tuned the ruleset
> > slightly. The process consumed a relatively meager 13mb of ram."
>
> Sure, I'll explain it a bit more, and if you've got further 
> questions feel 
> free to ask:
>
> Disabling conversation and portscan2:
> what it does: turns off two "resource hog" preprocessors in 
> snort that tend 
> to break low-end systems. (note: the conversation 
> preprocessor is the big 
> hog, and currently only exists to make portscan2 work the way 
> it does).
> how - edit snort.conf and comment out "preprocessor conversation: 
> <parameters>" and  "preprocessor portscan2: <parameters>"
> advantage - decrease in memory used and reduced packet-drop 
> rate due to 
> lower CPU overhead.
> disadvantage - you loose portscan2's ability to detect 
> portscanning of your 
> network. However on low-end hardware this preprocessor works 
> poorly as 
> dropped packets cause it to false-alarm, claiming "syn-ack" 
> scans anytime a 
> client in your network opens a webpage with large numbers of 
> images in them.
>
>
> Using the lowmem option:
> what it does: changes the way snort stores rule structures in 
> memory to the 
> same one used in snort 1.9.x. This uses a lot less memory, 
> but is slower 
> than the new method used by default in 2.0. If you have so 
> little memory 
> that using snort forces you to dig into a swap partition, 
> this can help 
> greatly.
> how - edit snort.conf and un-comment the line "config detection: 
> search-method lowmem"
> advantage - reduced memory usage (38 meg reduction on my 
> system, but will 
> vary depending on exact ruleset and network variables used.)
> disadvantage - slower processing of rules can cause increased 
> packet drops.
>
> Using the -k none parameter:
> what it does: disables IP checksum calculation in snort. If 
> snort is behind 
> a firewall or router that already re-assembles IP packets, 
> this check is 
> completely unnecessary, and even if snort is out in front the 
> check is of 
> limited value. It's certainly worth disabling these checks if your 
> packet-drop rate is unacceptably high due to a slow processor.
> how - add "-k none" to your command line when you start snort
> advantage - reduced packet-drop rate due to lower CPU overhead.
> disadvantage - snort won't detect packets with corrupted checksums.
 
 


-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users