Snort mailing list archives
Re: snort performance vs traffic
From: Rob Hughes <rob () robhughes com>
Date: 10 Jul 2002 07:22:22 -0500
On Tue, 2002-07-09 at 09:27, Tim Prendergast wrote:
> All, Curious to see what you are running in comparison to my config, because my snort is running out of memory and dying every day during the busy hours. We're pushing like 4 T-1's worth of traffic coming in from the net, not to mention the traffic from our internal machines across the 100mb switch I am snorting. It's on a box with a 500mhz PIII and 256mb of memory. Am I way under-arming this machine for this task?
What OS? What does your snort.conf look like? What output plugins are you using? Where are you logging to? But yes, possibly so, depending on your rule set. Try running a reduced rule set and only output to a binary log file and see if the problem continues. If not, then the box is underpowered. If it does, then it's probably something else. You may also need to look at things like barnyard, which can de-couple the output of snort from the database process.
-- Remember: the only difference between being the champ and the chump is u.