Snort mailing list archives
snort performance
From: "Christian Kuhtz" <ck () arch bellsouth net>
Date: Tue, 16 Apr 2002 17:02:42 -0400
hey gang,

we've got some performance issues we'd like to solicit everybody's help on.

the specs of the system are as follows: dual 1.7ghz p4 box 1gb rdram and os is and it's being fed traffic through a 100basetx iface, and it works out to about 14,500 pps roughly.

snort's running currently as

/usr/local/bin/snort -b -D -c /usr/local/etc/rules/snort.conf -i xl1

here's a snapshot of top:

---(snip)----------------------------------------8<--------
last pid: 24607;  load averages:  1.07,  1.04,  0.96    up 7+00:12:20  17:02:00
24 processes:  2 running, 22 sleeping
CPU states: 50.0% user,  0.0% nice,  0.0% system,  6.6% interrupt, 43.4% idle
Mem: 26M Active, 504M Inact, 81M Wired, 4K Cache, 112M Buf, 392M Free
Swap: 3072M Total, 3072M Free

  PID USERNAME PRI NICE   SIZE    RES STATE  C   TIME   WCPU    CPU COMMAND
24570 root      56    0 20580K 20296K CPU1   1   1:59 99.27% 99.02% snort
 7416 root       2    0  2328K  1956K select 0   0:41  0.00%  0.00% sshd
   61 root       2    0   964K   688K select 0   0:02  0.00%  0.00% syslogd
   72 root      10    0  1004K   732K nanslp 0   0:02  0.00%  0.00% cron
23964 root       2    0  2328K  1956K select 0   0:01  0.00%  0.00% sshd
   74 root       2    0  2224K  1692K select 0   0:01  0.00%  0.00% sshd
   76 root       2    0   916K   588K select 0   0:01  0.00%  0.00% usbd
24607 root      28    0  1904K  1176K CPU0   0   0:01  0.00%  0.00% top
[..]
---(snip)----------------------------------------8<--------

here's a representative dump from a SIGUSR1.

---(snip)----------------------------------------8<--------
snort: Snort analyzed 2367845 out of 8721229 packets,
snort: The kernel dropped 6353074(72.846%) packets
snort: Breakdown by protocol:                Action Stats:
snort:     TCP: 2181802    (25.017%)         ALERTS:5072
snort:     UDP: 144381     (1.656%)          LOGGED:2877
snort:    ICMP: 9863       (0.113%)          PASSED:0
snort:     ARP: 18         (0.000%)
snort:    IPv6: 0          (0.000%)
snort:     IPX: 0          (0.000%)
snort:   OTHER: 31310      (0.359%)
snort: DISCARD: 0          (0.000%)
snort: ===============================================================================
snort: Fragmentation Stats:
snort: Fragmented IP Packets: 1161 (0.013%)
snort: Fragment Trackers: 623
snort: Rebuilt IP Packets: 538
snort: Frag elements used: 1076
snort: Discarded(incomplete): 0
snort: Discarded(timeout): 67
snort: Frag2 memory faults: 0
snort: ===============================================================================
snort: TCP Stream Reassembly Stats:
snort: TCP Packets Used: 2181514 (25.014%)
snort: Stream Trackers: 628561
snort: Stream flushes: 17999
snort: Segments used: 43647
snort: Stream4 Memory Faults: 111785
snort: ===============================================================================
---(snip)----------------------------------------8<--------
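Added example, not part of the original post: a small Python parser for the SIGUSR1 statistics dump quoted above, which recomputes the kernel drop percentage from the raw counters and checks it against the figure Snort printed. The function names and the embedded sample (a subset of the post's lines) are constructed for illustration.

```python
import re

# Constructed sample: a subset of the counter lines from the dump in the post.
SAMPLE = """\
snort: Snort analyzed 2367845 out of 8721229 packets,
snort: The kernel dropped 6353074(72.846%) packets
snort: TCP: 2181802 (25.017%) ALERTS:5072
snort: TCP Packets Used: 2181514 (25.014%)
snort: Stream Trackers: 628561
snort: Stream4 Memory Faults: 111785
"""

ANALYZED = re.compile(r"Snort analyzed (\d+) out of (\d+) packets")
DROPPED = re.compile(r"The kernel dropped (\d+)\s*\(([\d.]+)%\)")
COUNTER = re.compile(r"^\s*([A-Za-z][\w() ]*?):\s*(\d+)\b")


def parse_stats(text):
    """Return {counter name: number} from a syslog-style Snort stats dump."""
    stats = {}
    for raw in text.splitlines():
        line = re.sub(r"^\s*snort:\s?", "", raw)  # strip the syslog tag
        if m := ANALYZED.search(line):
            stats["analyzed"], stats["received"] = int(m[1]), int(m[2])
        elif m := DROPPED.search(line):
            stats["dropped"] = int(m[1])
            stats["reported_drop_pct"] = float(m[2])
        elif m := COUNTER.match(line):
            # Two-column lines ("TCP: ... ALERTS:5072") keep the left counter only.
            stats[m[1].strip()] = int(m[2])
    return stats


def summarize(stats):
    """Recompute the drop rate and compare it with the printed percentage."""
    received = stats["received"]
    drop_pct = round(100.0 * stats["dropped"] / received, 3)
    return {
        "drop_pct": drop_pct,
        "matches_reported": abs(drop_pct - stats["reported_drop_pct"]) < 0.001,
        # Packets counted as received but neither analyzed nor dropped.
        "unaccounted": received - stats["analyzed"] - stats["dropped"],
        "stream4_memory_faults": stats.get("Stream4 Memory Faults", 0),
    }


if __name__ == "__main__":
    print(summarize(parse_stats(SAMPLE)))
```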