Re: Snort-users Digest, Vol 37, Issue 18

[Joel Esler <jesler () sourcefire com>]

On Jun 15, 2009, at 10:56 AM, Pedro Marinho wrote:

> Hello gentlemen,
>
> A very smart person did tell me that the problem was with I/O  
> operations. Like the disk is the big villain here.. To confirm this  
> he told me to log in /dev/null instead of unified log and see if   
> the improvemet of the performance was big.. as you can see in the  
> snort statistics below it was big..
>
> so my question is..
>
> Is not a good thing to run the snort database at the same box you  
> are running snort when you are using it to watch huge traffic?? i  
> mean at a very high speed like 199954.80 kbits/sec
> should i log the alerts in another computer?

Well, that speed isn't terribly fast, however, it is advisable to run  
Snort and your DB on a separate box.  However, it looks to me, if you  
are using unified output format, logging to db using something like  
barnyard, your problem is probably not Disk I/O.  It might be lack of  
RAM, or a slow machine, small packet sizes..  etc..

Looks there may be something else at play here, try analyzing your  
performance monitoring stats (look in your snort.conf for performance  
monitoring logging).

Are you running a ton of rules or something?

J

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users