Snort mailing list archives

Re: Snort as Gigabit Sensor

From: Irwan Hadi <irwanhadi () phxby com>
Date: Sun, 27 Jul 2003 01:23:51 -0600

On Thu, Jul 24, 2003 at 02:27:15PM -0500, Banniza Robert wrote:

Here's a little more information I forgot to provide in the first post. The
machine is an IBM x335 Xeon with dual 2.6Ghz procs and 1GB RAM. As for the
logging portion, I am not using Barnyard (yet)....We were setup to log to
Postgres and to syslog. However, we did notice something interesting...With
all logging turned off and just sniffing with the default ruleset, we were
still dropping packets. Also, by placing 8 pass rules in local.rules, this
accounted for about 6-7% of the packet loss. Therefore, if we turned the
pass rules off (commented out local.rules), our packet loss would drop down
to 33% or so.

First thing I would try is to throw away the Broadcom card that you have
and replace it to either Intel (preferably) or 3com.
the Broadcom card has always causing problem on Linux (on Dell Server
usually it makes the system locks up, etc.)

Robert

-----Original Message-----
From: Demetri Mouratis [mailto:dmourati () cm math uiuc edu]
Sent: Thursday, July 24, 2003 2:19 PM
To: Banniza Robert
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Snort as Gigabit Sensor


On Thu, 24 Jul 2003, Banniza Robert wrote:

Anyone have any good pointers on tuning Linux (Redhat 9) as a gigabit
sensor? Currently, we are using a Broadcom Corporation NetXtreme BCM5703
Gigabit Ethernet (TG3 kernel module) Netgear card as the sniffing card. We
have set up a span port so that we can see all traffic on a Cisco 6509.

The

sad thing is we are encountering 40% packet loss. The network interfaces
were statically compiled into the kernel and /etc/sysctl.conf was modified
with the following to provide larger buffers:

<snip>

We have not performed any rule tuning yet and the current sustained
throughput we have seen through this connection is around  14Mb which is
nowhere close to gigabit speeds. Any ideas?



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: Snort as Gigabit Sensor, (continued)
- Re: Snort as Gigabit Sensor Demetri Mouratis (Jul 24)
- Re: Snort as Gigabit Sensor twig les (Jul 24)
- Re: Snort as Gigabit Sensor Bennett Todd (Jul 24)
- Re: Snort as Gigabit Sensor Jeff (Jul 24)
  - Re: Snort as Gigabit Sensor Jason Haar (Jul 24)
    - Re: Snort as Gigabit Sensor Jeff (Jul 26)
    - DCOM exploit snort signature jason (Jul 27)
- Snort in Linux kernel mode Paul B. Poh (Aug 05)
- RE: Snort as Gigabit Sensor Banniza Robert (Jul 24)
  - RE: Snort as Gigabit Sensor twig les (Jul 24)
  - Re: Snort as Gigabit Sensor Irwan Hadi (Jul 27)
- Re: Snort as Gigabit Sensor Marc Quibell (Jul 24)
- RE: Snort as Gigabit Sensor Banniza Robert (Jul 24)
- RE: Snort as Gigabit Sensor Hutchinson, Andrew (Jul 25)
- RE: Snort as Gigabit Sensor Kreimendahl, Chad J (Jul 25)
- RE: Snort as Gigabit Sensor Kreimendahl, Chad J (Jul 29)
  - Re: Snort as Gigabit Sensor Chris Green (Jul 31)
    - Re: Snort as Gigabit Sensor Frank Knobbe (Jul 31)
    - Re: Snort as Gigabit Sensor Chris Green (Jul 31)
    - Re: Snort as Gigabit Sensor Frank Knobbe (Jul 31)
    - Re: Snort as Gigabit Sensor Chris Green (Jul 31)

(Thread continues...)