Snort mailing list archives
RE: snort behavior in very high-load environment, BSD vs. linux
From: "Williams Jon" <WilliamsJon () JohnDeere com>
Date: Wed, 31 Jul 2002 10:13:56 -0500
While I haven't got nearly the load you've got, I'll share what I've found in my testing.

First, I don't remember if it was Linux or another OS (Solaris?), but there's at least one Unix out there that lies about its packet drop rate, as it is hard coded to 0 in the kernel. In my testing of Slowaris vs. FreeBSD, this appears to be the case.

Second, the single threading problem can be minimized if you use BSD and can segment your snort processes using command line BPF. For example, if you've got three /24 subnets, 10.0.1.0, 10.0.2.0, and 10.0.3.0, run one snort process for each with the BPF on the command line of "net 10.0.1.0" or whatever. By doing that, you can gain some of the benefits of having multiple processors (if your kernel is built for it) even with a single-threaded snort.

As a side note, I've also found it worth running an N+1 process with a BPF of "not net 10.0.1.0 and not net 10.0.2.0 and not net 10.0.3.0" and alerting on any packet I see. This has been one of the most useful rules I've put together, since it shows me things that theoretically shouldn't be on my network. <grin>

Next, depending on the traffic loads, you can run into performance issues based on the capabilities of your system. At really high speeds, things like your PCI bus width and disk write speeds are always an issue, but your memory bandwidth can also become an issue.

As for rules, I'm actually getting to the point where I think I've got some of my networks profiled fairly well. I know basically what types of network traffic are allowed, what applications run there, things like that. Once you have that information, I believe that it is more useful to look for violations of normal than to spend time looking for what unknown "experts out there" say you should look for. For example, if I know that only TCP traffic is allowed on a WAN link, then create a rule that alerts when the protocol field is not TCP. Not only will you run fewer rules, I believe that this will give a better chance at detecting new viruses, as well.

Finally, if you do use external rules, such as from snort.org, take a hard look at what rules you run. Get rid of as many as you can, try very hard not to use the address list construct (i.e. [1.1.1.1,2.2.2.2,3.3.3.3]), and try to optimize the order of the rules such that the most specific rules (specific addresses and ports) that don't have content: options are at the top and the least specific ones (any any -> any any) that use content: options are at the bottom. This helps break out of the critical path faster, so you waste less time looking at most packets.

I hope this helps. Please let us know what your results are, since this information is very useful to many of us :-)

Jon

-----Original Message-----
From: Adam D'Amico [mailto:adamico () speakeasy net]
Sent: Tuesday, July 30, 2002 5:43 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort behavior in very high-load environment, BSD vs. linux

Hello,

I've been working with snort for a while now in an environment that seems to be on the bleeding edge of what should be snortable. I've gotten predictable results in some spots and weirdness in others. I thought I would share my results with everyone here, in the hope that someone might get use out of them, and maybe even have decent explanations for the weirdness. I've read through a lot of the previous threads having to do with packet loss and system tuning, but not much of it was applicable, given the network environment I'm running in.
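The per-subnet segmentation and the N+1 "everything else" process that Jon describes above, as an added example (this is not code from the post or from the Snort project). It assumes Snort 2.x-era command-line conventions (a trailing argument is the BPF filter, -l is the log directory, -D daemonizes, and a rules file can be passed directly to -c); the binary path, config path, interface and log root are assumptions settable through environment variables. The BPF expressions use the explicit CIDR form net 10.0.1.0/24 rather than the bare dotted quad, because pcap-filter treats a bare dotted quad after "net" as a single host; the catch-all process gets its own one-rule file so that it alerts on every packet it sees, and a second rule shows the "protocol is not TCP" check for a TCP-only link:

```shell
#!/bin/sh
# Constructed example: one single-threaded snort per monitored subnet, plus an
# N+1 catch-all process with a "not net A and not net B ..." filter.
# All paths and the interface below are assumptions; override via environment.
SNORT_BIN="${SNORT_BIN:-/usr/sbin/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_IFACE="${SNORT_IFACE:-eth0}"
SNORT_LOGROOT="${SNORT_LOGROOT:-/var/log/snort}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands that would run, 0 = really exec

# "10.0.1.0/24" -> "10.0.1.0_24", safe for use as a log directory name.
seg_name() {
    printf '%s\n' "$1" | tr '/' '_'
}

# Build the N+1 filter:  not net A/24 and not net B/24 and not net C/24
catchall_bpf() {
    _out=""
    for _n in "$@"; do
        if [ -z "$_out" ]; then
            _out="not net $_n"
        else
            _out="$_out and not net $_n"
        fi
    done
    printf '%s\n' "$_out"
}

# Rule for the catch-all process: alert on every packet it sees.
# (Snort 2.x syntax assumed; sid >= 1000000 is the local-rule range.)
catchall_rule() {
    printf '%s\n' 'alert ip any any -> any any (msg:"Packet outside monitored nets"; sid:1000001; rev:1;)'
}

# Rule for a link where only TCP is allowed: alert when IP protocol != 6 (TCP).
wan_non_tcp_rule() {
    printf '%s\n' 'alert ip any any -> any any (msg:"Non-TCP protocol on TCP-only link"; ip_proto:!6; sid:1000002; rev:1;)'
}

# Print (or start) one snort process: name, config file, BPF filter.
run_one() {
    _name="$1"; _conf="$2"; _bpf="$3"
    _logdir="$SNORT_LOGROOT/$_name"
    if [ "$DRY_RUN" = 1 ]; then
        printf "%s -D -c %s -i %s -l %s '%s'\n" \
            "$SNORT_BIN" "$_conf" "$SNORT_IFACE" "$_logdir" "$_bpf"
    else
        mkdir -p "$_logdir"
        "$SNORT_BIN" -D -c "$_conf" -i "$SNORT_IFACE" -l "$_logdir" "$_bpf"
    fi
}

# One full-config process per subnet, then the catch-all with its one-rule file.
launch_segments() {
    for _n in "$@"; do
        run_one "$(seg_name "$_n")" "$SNORT_CONF" "net $_n"
    done
    _rules="$SNORT_LOGROOT/catchall.rules"
    if [ "$DRY_RUN" != 1 ]; then
        mkdir -p "$SNORT_LOGROOT"
        catchall_rule > "$_rules"
    fi
    run_one "catchall" "$_rules" "$(catchall_bpf "$@")"
}

# The three /24s from the post, constructed for the example.
# Run with DRY_RUN=0 to actually start the processes.
launch_segments 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24
```

In dry-run mode the script only prints the four command lines, so you can check the generated filters before starting anything; the catch-all process reads only its single-rule file, which is the cheapest possible rule set for a process whose job is to flag anything that should not be there at all.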