Snort mailing list archives

Re: Snort-users Digest, Vol 37, Issue 18


From: Pedro Marinho <pppmarinho () gmail com>
Date: Mon, 15 Jun 2009 22:10:22 -0300

Joel,

Ok, thank you. I am not running a lot of rules. I am running these rules on
that sensor.

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/info.rules
include $RULE_PATH/emerging-virus.rules
include $RULE_PATH/emerging-policy.rules
include $RULE_PATH/emerging.rules

PS: the shared object rules are turned off.

2009/6/15 Joel Esler <jesler () sourcefire com>


On Jun 15, 2009, at 10:56 AM, Pedro Marinho wrote:

Hello gentlemen,

A very smart person did tell me that the problem was with I/O operations,
like the disk is the big villain here. To confirm this he told me to log to
/dev/null instead of the unified log and see if the improvement in
performance was big. As you can see in the Snort statistics below, it was
big.

So my question is:

Is it not a good thing to run the Snort database on the same box where you are
running Snort when you are using it to watch huge traffic? I mean at a very
high speed like 199954.80 kbits/sec.
Should I log the alerts on another computer?


Well, that speed isn't terribly fast; however, it *is* advisable to run
Snort and your DB on separate boxes.  However, it looks to me that if you are
using the unified output format, logging to the DB using something like Barnyard,
your problem is probably not disk I/O.  It might be lack of RAM, a slow
machine, small packet sizes, etc.

Looks like there may be something else at play here; try analyzing your
performance monitoring stats (look in your snort.conf for performance
monitoring logging).

Are you running a ton of rules or something?

J
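Joel's closing question, whether a ton of rules are loaded, can be answered by counting what the include lines above actually pull in. This is an added example, not code from the thread or from the Snort project; it assumes Snort 2.x conf syntax (`var` and `include` lines, `#`-disabled rules, backslash continuations) and runs over a constructed in-memory sample rather than a real /etc/snort tree.

```python
import re

# Snort 2.x: a line starting with a rule action is a rule, '#' then an action
# is a disabled rule, any other '#' line is an ordinary comment.
RULE_RE = re.compile(r"^(#\s*)?(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")

def count_rules(text):
    """(active, disabled) rule counts for one .rules file; joins backslash-continued lines."""
    counts = {"active": 0, "disabled": 0}
    pending = ""
    for raw in text.splitlines():
        pending += raw.strip()
        if pending.endswith("\\"):       # rule continues on the next line
            pending = pending[:-1]
            continue
        m = RULE_RE.match(pending)
        pending = ""
        if m:
            counts["disabled" if m.group(1) else "active"] += 1
    return counts["active"], counts["disabled"]

def rule_load(conf_path, read=lambda p: open(p).read()):
    """Map each file included from snort.conf to its (active, disabled) counts, expanding
    $VAR from earlier 'var' lines; unreadable files get (-1, -1). `read` is injectable."""
    variables, report = {}, {}
    for line in read(conf_path).splitlines():
        if m := VAR_RE.match(line):
            variables[m.group(1)] = m.group(2)
        elif m := INCLUDE_RE.match(line):
            target = m.group(1)
            for name, value in variables.items():
                target = target.replace("$" + name, value)
            try:
                report[target] = count_rules(read(target))
            except (OSError, KeyError):  # KeyError: absent key in the dict-backed sample
                report[target] = (-1, -1)
    return report

# Constructed miniature config tree (not real VRT rules) so this runs with no files on disk.
SAMPLE_FS = {
    "/etc/snort/snort.conf": "var RULE_PATH /etc/snort/rules\ninclude $RULE_PATH/scan.rules\n"
                             "include $RULE_PATH/misc.rules\ninclude $RULE_PATH/ftp.rules\n",
    "/etc/snort/rules/scan.rules": "# comment\nalert tcp any any -> any 22 (sid:1;)\n"
                                   "#alert tcp any any -> any 23 (sid:2;)\n"
                                   "alert udp any any -> any 53 \\\n    (sid:3;)\n",
    "/etc/snort/rules/misc.rules": "log ip any any -> any any (sid:4;)\n",
}
```

Calling `rule_load("/etc/snort/snort.conf", read=SAMPLE_FS.__getitem__)` reports scan.rules as (2, 1), misc.rules as (1, 0) and the missing ftp.rules as (-1, -1); on a real sensor drop the `read` argument and point it at the live snort.conf.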
