Snort mailing list archives

RE: Snort Performance on a 'older' box


From: "Michael Devlin" <Michael.Devlin () gdnnet com>
Date: Wed, 1 Dec 2004 15:34:36 -0000

I'm logging (on the box in question) to a local install of MySQL, as well
as a binary file, and using Acid to view alerts (again Apache is local to
the box).... Figuring that as there are multiple local apps involved,
they (collectively) will benefit from the multiple CPUs.

I've also monitored the load being generated by Apache and MySQL and
it's minimal (as mentioned in the first email, alerts are showing up
quite infrequently.... Perhaps a couple per min at max.... But usually
only 1 or 2 every 10-15mins (the sensor is a good couple of layers into
a secured network))

I've considered implementing Barnyard and/or logging to a remote box...
But with so few alerts I'm struggling to see if this would solve the
problem at hand.

Thanks for the reply btw...

Michael

-----Original Message-----
From: Lance Boon [mailto:lboon () firststatebanksw com] 
Sent: 01 December 2004 15:13
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Performance on a 'older' box


Snort is not multiprocessor aware; how and what are you logging to?


Subject: [Snort-users] Snort Performance on a 'older' box

I have access to a number of Compaq 1850s and a couple of
decommissioned Dell 1650s that I am converting into Snort sensors.
However the first one that I am putting into action is having a bit of
trouble and I wouldn't mind your opinions on what the problem(s) could
be.

Setup.... Fedora Core 2 & Snort 2.2

Traffic throughput is just less than 10Meg but it is ALL HTTP traffic.

The CPUs (dual 700MHz PIIIs) on the box are running at a paltry 3%-7%
constantly. There is half a Gig of memory (could be more, but there is
still 20% free and the swap isn't being used). NIC is 100 Meg in full duplex.

I would have expected the above to cope. However, before I trimmed a lot
of the excess rules I noticed I was getting around 1% dropped traffic.
After culling 'most' of the not needed rules (i.e. leaving only the HTTP
rules) I am now getting zero dropped packets.

First question. Monitoring a throughput of less than 10Meg, should I be
seeing dropped packets (especially with so much available CPU)? (Note:
the NIC stats are not showing any dropped packets or errors.)

Next question.... I am getting peculiar results with the http
preprocessor, for example, uricontent rules are being triggered on the
HTTP headers (like Cookie) or in some cases the middle of the
packets.... Also the URI max length of 300 is triggering on the middle
of packets. It looks as if the http preprocessor is working on
incorrectly assembled streams?

Any thoughts on what could be the problem/solution? Are both of these
indicative (as I am assuming) of an underpowered box? If so, where is
the bottleneck likely to be? (The number of alerts btw is low so disk
speed shouldn't be playing too much of a role here.)

Your thoughts are much appreciated.

Michael Devlin


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users
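An added illustration, not code from the thread or from Snort: it contrasts a match scoped to the request-URI (what a uricontent rule is meant to do) with a match over the whole buffer, and builds the two constructed cases that produce the symptoms described above (a hit inside a Cookie header, a URI-length hit on a mid-stream segment). The sample requests and the `triage` helper are assumptions.

```python
import re

# Request line of an HTTP/1.x message: METHOD SP URI SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d\r\n")


def extract_uri(data: bytes):
    """Return the request-URI when `data` begins with a request line, else None."""
    m = REQUEST_LINE.match(data)
    return m.group(2) if m else None


def uri_match(data: bytes, pattern: bytes) -> bool:
    """uricontent-style match: only the URI of a well-formed request is searched."""
    uri = extract_uri(data)
    return uri is not None and pattern in uri


def uri_too_long(data: bytes, limit: int = 300) -> bool:
    """URI-length check; 300 is the limit quoted in the thread."""
    uri = extract_uri(data)
    return uri is not None and len(uri) > limit


def whole_buffer_match(data: bytes, pattern: bytes) -> bool:
    """A match not anchored to the request line hits anywhere in the buffer."""
    return pattern in data


# Constructed samples (not captured traffic).
FULL = (b"GET /index.html HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"Cookie: sid=index\r\n\r\n")
# A later TCP segment of a request: headers only, no request line.
FRAGMENT = b"Cookie: sid=index\r\nUser-Agent: x\r\n\r\n"
# A request whose URI exceeds the 300-byte limit.
LONG_URI = b"GET /" + b"a" * 301 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"


def triage(buffers, pattern=b"index"):
    """Count buffers that contain the pattern but do not start with a request
    line. A high count is what you would expect if the inspector is being
    handed mid-stream data instead of reassembled request starts."""
    return sum(1 for b in buffers
               if extract_uri(b) is None and whole_buffer_match(b, pattern))
```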

