RE: Snort performance and maintenance

[Hubert Edward kIYIMBA <hekiyimba () yahoo com>]

Thanks for the Advice, i archived the alerts in a different database. I am currently reviewing the signatures. the 
machine performance has improved exponentially.
 
NB: those who face a similar challenge in future may refer to: 
http://www.andrew.cmu.edu/user/rdanyliw/snort/acid_archive_instruct.html

and www.mysql.com plus the snortinstallation manualas references

 

Thanks

 

HUBERT

Our World Is Here <info () lucretia ca> wrote:
Watch, read, learn.

There are no hard rules for this, time and understanding will allow you to
improve this.

Typical answer, reduce the rules you trigger alerts on, 5400+ rules is
crazy.

Remove alerts to a archive or delete them after a period of time. There is
no statute of limitations on this stuff (unless you have legal proceedings
in place in which case you should have made many copies of this data for
that purpose).

I have my main sensor on a Pentium II 350MHZ with 768MB of RAM, and a 9GB
hard disk and have no issues with performance. The database (logging) is on
a much faster server since I have many sensors. A PIII with 1GB of RAM and
a huge hard disk doesn't hurt.

As for tweaking MSSQL I wouldn't use this myself, I use Postgresql.

Cheers,

James Friesen, CIO

Lucretia Enterprises
"Our World Is Here..."
Info at lucretia dot ca
http://lucretia.ca


> -----Original Message-----
> From: Hubert Edward kIYIMBA [mailto:hekiyimba () yahoo com]
> Sent: Tuesday, November 01, 2005 9:17 AM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Snort performance and maintenance
>
> My snort IDS has got 40GB Hard disk, 3GHz microprocessor
> speed and 1GB RAM. It is connected so as to capture traffic
> from the internet into the network. This machine has been
> running for three months now.
>
> The machine has deteriorated in performance. It is so slow.
> The ACID takes so long to load. The current statistics from
> the machine is as follows
>
> using command # free -t -m the following is displayed
>
> Total used free shared buffers cashed
> Mem 996 987 9 0 652 777
> -/+bufferscasche 147 849
> swap 2047 207 1840
> Total 3044 1195 1849
>
>
>
> using the top command I discovered that MS-SQL takes 40 to 50
> % CPU usage full time.
>
>
>
> I am seeking advice on how to improve the performance of the IDS
>
>
>
> Thanks
>
> ________________________________
>
> Yahoo! FareChase - Search multiple travel sites in one click.
> X3MDOTY2ODgxNjkEcG9zAzEEc2VjA21haWwtZm9vdGVyBHNsawNmYw--/SIG=110oav78o/**htt
p%> 3a//farechase.yahoo.com/>
>



                
---------------------------------
 Yahoo! FareChase - Search multiple travel sites in one click.