Snort mailing list archives

Snort Performance on a 'older' box


From: "Michael Devlin" <Michael.Devlin () gdnnet com>
Date: Wed, 1 Dec 2004 12:26:06 -0000

I have access to a number of Compaq 1850s and a couple of
decommissioned Dell 1650s that I am converting into Snort sensors.
However, the first one that I am putting into action is having a bit of
trouble and I wouldn't mind your opinions on what the problem(s) could
be.

Setup.... Fedora Core 2 & Snort 2.2

Traffic throughput is just less than 10Meg but it is ALL HTTP traffic.

The CPUs (dual 700MHz PIIIs) on the box are running at a paltry 3%-7%
constantly.
There is half a Gig of memory (could be more, but there is still 20%
free and the swap isn't being used).
NIC: 100 Meg in full duplex.

I would have expected the above to cope. However, before I trimmed a lot
of the excess rules I noticed I was getting around 1% dropped traffic.
After culling 'most' of the unneeded rules (i.e. leaving only the HTTP
rules) I am now getting zero dropped packets.

First question: monitoring a throughput of less than 10Meg, should I be
seeing dropped packets (especially with so much available CPU)? (Note:
the NIC stats are not showing any dropped packets or errors.)

Next question: I am getting peculiar results with the HTTP
preprocessor; for example, uricontent rules are being triggered on the
HTTP headers (like Cookie) or in some cases in the middle of the
packets. Also, the URI max length of 300 is triggering on the middle
of packets. It looks as if the HTTP preprocessor is working on
incorrectly assembled streams?

Any thoughts on what the problem/solution could be? Are both of these
indicative (as I am assuming) of an underpowered box? If so, where is
the bottleneck likely to be? (The number of alerts, btw, is low, so disk
speed shouldn't be playing too much of a role here.)

Your thoughts are much appreciated.

Michael Devlin
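The symptom described in the post (uricontent rules firing on a Cookie or Referer header, or in the middle of a packet) is what you would expect if the matcher is handed data that does not begin with an HTTP request line. The following is an added illustration, not code from the post and not Snort's own http_inspect implementation: a simplified Python model that extracts the URI only when a proper request line is present, and contrasts a URI-scoped match with a naive whole-buffer search. The sample requests, the `/cgi-bin/` pattern and the 300-byte limit are constructed for the example.

```python
import re

# Constructed sample: a complete request, as the sensor sees it when the
# TCP stream has been reassembled from the start of the request.
FULL_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Referer: http://www.example.com/cgi-bin/search.pl\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)

# Constructed sample: the tail of the same request with the request line
# missing, i.e. what a matcher sees if reassembly starts mid-request.
MID_STREAM_FRAGMENT = (
    b"ple.com/cgi-bin/search.pl\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)

# Request line: method, URI, version. Only data that starts this way
# carries a URI that a uricontent-style check should inspect.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/\d\.\d\r?\n")


def extract_uri(payload: bytes):
    """Return the request URI if payload begins with an HTTP request line, else None."""
    m = REQUEST_LINE.match(payload)
    return m.group(2) if m else None


def uricontent_check(payload: bytes, pattern: bytes, max_uri_len: int = 300) -> dict:
    """Compare a URI-scoped match against a naive whole-buffer match.

    uri_hit      - pattern found inside the parsed URI only (correct behaviour)
    naive_hit    - pattern found anywhere in the buffer, headers included
    uri_too_long - parsed URI exceeds max_uri_len (the 'URI max length' check)
    """
    uri = extract_uri(payload)
    return {
        "uri": uri,
        "uri_hit": uri is not None and pattern in uri,
        "naive_hit": pattern in payload,
        "uri_too_long": uri is not None and len(uri) > max_uri_len,
    }


def build_long_request(uri_len: int) -> bytes:
    """Constructed request whose URI is uri_len bytes long (for the length check)."""
    return b"GET /" + b"a" * (uri_len - 1) + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


if __name__ == "__main__":
    # Header-only occurrence: naive search fires, URI-scoped check does not.
    print(uricontent_check(FULL_REQUEST, b"/cgi-bin/"))
    # Mid-stream fragment: no URI at all, yet a naive search still fires.
    print(uricontent_check(MID_STREAM_FRAGMENT, b"/cgi-bin/"))
    # Genuinely oversized URI.
    print(uricontent_check(build_long_request(400), b"/cgi-bin/"))
```

Running it shows that the same `/cgi-bin/` pattern produces a `naive_hit` on the Referer header and on the mid-stream fragment while `uri_hit` stays false in both cases; only the 400-byte request trips `uri_too_long`. Alerts that look like header or mid-packet matches are therefore consistent with the matcher being fed a stream that was not reassembled from the request line, which is a reassembly or state problem rather than a CPU one.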

