Snort mailing list archives

Snort 2.0.5 dropping packets


From: "Sheahan, Paul" <Paul.Sheahan () priceline com>
Date: Fri, 19 Dec 2003 12:03:58 -0500


Any tips / recommendations?

I have a RHLinux 7.0 with 100mb NIC running at 100mb/s and running Snort 1.9.0 running default ruleset plus one custom 
rule file. The custom rule file has lots of content based rules. Our traffic level is usually around 35mb/s. On this 
box Snort works flawlessly and does NOT drop any packets and never has for years.

Now I built a new Snort server on beefier hardware running RHLinux 8.0 and Snort 2.0.5 and a gig NIC. The network it is 
on is running at 1000mb/s (gig) though traffic levels are the same as the old network (35mb/s). Yet Snort drops .2% 
(point 2 percent) of traffic on the default ruleset and when I add my custom rule file (which has a lot of content 
based rules), Snort drops massive amounts of packets (like 30 to 40%!)

Any ideas why this would happen when it didn't happen on the lower end box running at 100mb/s? Any tips on how I can 
avoid this? I confirmed that the gig nic is running at 1000mb/s as it should be and the port on the switch it is 
plugged into is forced at 1000mb/s.


Thanks,
Paul


