Snort mailing list archives

RE: Dropping packets why?


From: "Elijah Savage" <esavage () digitalrage org>
Date: Mon, 27 Oct 2003 23:28:48 -0500

Thank you Matt for the links.

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com] 
Sent: Monday, October 27, 2003 8:37 PM
To: Elijah Savage; Michael Sierchio; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Dropping packets why?

At 06:50 PM 10/27/2003, Elijah Savage wrote:
Thank you all for reading my post but it seems you all did not read it
and looked at my measly hardware and wanted to jump all over it. But
this is for a cable internet connection 3megabitsDown/512up. This machine
should be way more than enough to keep up considering some of the
hardware I have seen on some of the connections they are using.

Even at such a low data rate, a k6-2 will not be sufficient with the 
default preprocessor set.

You can read some of my notes here:

http://archives.neohapsis.com/archives/snort/2003-06/0228.html
http://archives.neohapsis.com/archives/snort/2003-06/0448.html

Admittedly I was using a p-166 and less ram and a lower-end NIC, but my
drop rates were nearly 30% with a more-or-less default setup (using
tcpdump binary packet logging). I was sniffing a 2mbit/2mbit line, tapped
using a pure-passive 10mbit hub. This box was also not a router or
anything else and was 100% dedicated to using snort.

Using 100mbit nics is going to increase the short-term burst rate at
which packets can arrive, this will make things a little worse for snort
than I had. You're also monitoring a line in which the downstream rate is
50% higher. And using your snort box as some kind of firewall/router,
which will take some CPU away from snort, a problem I did not have (my
snort box did nothing more than a pair of "block all" rules, and did no
forwarding or routing).









