RE: Snort performance concerns

["Jeff Dell" <jdell () activeworx com>]

I am not sure if you are also using libpcap that supports MMAP mode(Phil
Wood's Ring Buffer), but you might want to try that out too.
 
http://public.lanl.gov/cpw/
 
Cheers,
Jeff


  _____  

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Larry Wichman
Sent: Friday, September 30, 2005 10:48 AM
To: Joel Esler
Cc: Snorty S Snortman
Subject: Re: [Snort-users] Snort performance concerns



All three boxes have the same OS and hardware configuration

Linux kernel 2.6 

1.5 GHz proc

2 gb RAM

Mgt network interface card is 3Com Corporation 3c905C-TX/TX-M [Tornado]

Promiscuous network interface card is Intel Corp. 82557/8/9 [Ethernet Pro
100]

 Snort version 2.3.2

 

My output method is database and my database is on the same VLAN as  all the
sensors Mgt interface. It is a high-end Dell server with 4 procs and 4gb RAM
and It is running Mysql on Windows 2003. 



Joel Esler <joel.esler () sourcefire com> wrote: 

If you are interested in Sourcefire products, we can definitely put you in
touch with someone that will be able to answer all your questions.. 

Can you please describe the systems that you have?  Hardware?  RAM,
processor... nic card..  OS..

What is your output method?  database?  unified?  pcap?

Joel Esler
SOURCEfire

On Sep 30, 2005, at 10:25 AM, Larry Wichman wrote:


I enabled Performance Monitor on my sensors and I have some concerns after
looking at some of the performance stats. First, I have three sensors, two
of which average 96mb/sec of traffic and the dropped packets percentage
average is about 10% (proc and memory utilization are high, as expected). I
have a third sensor that sees an average of about 5mb/sec and has the same
amount of dropped packets, memory and proc utilization are minimal. I have
implemented all the suggested optimizations (I think), patched Libpcap,
etc..I can understand that there would be some dropped packets when the
traffic is at a high, continuous load, but the third sensor with the same
amount of dropped packets with only a fraction of the traffic  concerns me.
I am thinking about upgrading the hardware (faster proc, bus speeds, etc.),
but I might be wasting money if the stats are the same.  Does anyone have
any input as to what is causing the dropped packets? 

Also, my boss told me to start evaluating commercial products. My first
choice would be Sourcfire, I really do like working with Snort, but I need
whatever product I choose to be able to handle the amount of traffic that we
have. I would greatly appreciate any input on this. Cheers.


 

Larry