Snort mailing list archives
Performance Bottleneck
From: "Daniel R. Miessler" <danielrm26 () hotmail com>
Date: Fri, 18 Apr 2003 03:39:17 -0400
Greetings,

I am running Snort Version 1.9.1-db (Build 231) and PureSecure by Demarc. It is sitting on a dual processor PII 500 with 512MB of SDRAM and SCSI internals running Mandrake 9.1.

This seems all well and good, but I just dropped the box on a 100Mb segment, and the machine is being completely owned by the load. I am getting nearly half a million database events per 24 hour period, and it takes something like 2-3 minutes to perform most queries on the database after only a day of use (roughly 500,000 events).

Top shows that Snort takes a solid 60-90% processor load during peak traffic times (only about 20-40% at night), and ANY search of the database whatsoever pegs the processors out at 99.9% usage.

I understand that I could benefit from putting the sensor (Snort) and httpd on one machine, and putting the database on another, but I am wondering what else I am doing that is utterly lame enough to cause this problem.

My current thoughts are that this is just a high traffic segment, and that I should go with a dual processor, all SCSI, P4 system, and install Gentoo on it and start over. My thinking is that the processor issue is the biggest problem and running a 4-5 year old machine on a 100Mb segment isn't the way to go.

Thoughts?