Snort mailing list archives
Re: Snort as Gigabit Sensor
From: twig les <twigles () yahoo com>
Date: Thu, 24 Jul 2003 12:14:11 -0700 (PDT)
We are doing something similar. 6509 with a gig card (fiber 3com) doing more than 14Mb without a problem. The box we are using isn't even that big: 2 PIII 1GHz CPUs, 1 gig old sdram. 2 things we chose specifically that may help us are: 1. we use a 66MHz, 64-bit PCI slot instead of a normal 33MHz one, 2. we have dual scsi controllers - one hard drive for the OS, one for the data.

We also use FreeBSD, which I can't prove is faster than RH but I have to say that we use it because that is a significant difference between our setups. No OS wars in my name.

So I guess I'm dodging the RH9 tuning question but you may have a bottleneck in the hardware. Also if you can't even get 14Mb of traffic without loss I'd check the cabling, switch interface, NIC driver, etc. too, that is just a really low number.

--- Banniza Robert <Robert.Banniza () HCAhealthcare com> wrote:
Anyone have any good pointers on tuning Linux (Redhat 9) as a gigabit sensor? Currently, we are using a Broadcom Corporation NetXtreme BCM5703 Gigabit Ethernet (TG3 kernel module) Netgear card as the sniffing card. We have set up a span port so that we can see all traffic on a Cisco 6509. The sad thing is we are encountering 40% packet loss. The network interfaces were statically compiled into the kernel and /etc/sysctl.conf was modified with the following to provide larger buffers:

# increase Linux TCP buffer limits
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.rmem_default = 65536
net.core.wmem_default = 65536
# increase Linux autotuning TCP buffer limits
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 65536 8388608
net.ipv4.tcp_mem = 8388608 8388608 8388608
# flush window size
net.ipv4.route.flush=1
net.core.netdev_max_backlog=2500

We have not performed any rule tuning yet and the current sustained throughput we have seen through this connection is around 14Mb which is nowhere close to gigabit speeds. Any ideas?

Thanks
Robert
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
=====
Emo is what happens when the glee club goes punk.
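Added example, not part of the original posts: the thread does not say where the 40% loss was measured, so one check that fits the reply's advice to look at the NIC and driver is to compare two /proc/net/dev snapshots of the sniffing interface and see how much is already lost below the capture layer. The interface name eth1, the function names and the counter values are constructed for illustration, and the script assumes the driver does not include dropped frames in its rx packets counter.

```sh
# Constructed sample: two /proc/net/dev snapshots taken some seconds apart.
# Note "eth1:500000000" has no space after the colon, which real kernels
# also produce once the byte counter is wide enough.
BEFORE='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    9000     100    0    0    0     0          0         0     9000     100    0    0    0     0       0          0
  eth1:500000000 1000000    0  200  100     0          0         0        0       0    0    0    0     0       0          0'
AFTER='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   13500     150    0    0    0     0          0         0    13500     150    0    0    0     0       0          0
  eth1:560000000 1060000   10 30200 10090     0          0         0        0       0    0    0    0     0       0          0'

# rx_counters IFACE SNAPSHOT -> prints "packets errs drop fifo" (receive side)
rx_counters() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        { sub(/:/, " ") }                 # split "eth1:123" into two fields
        $1 == ifc { print $3, $4, $5, $6; found = 1 }
        END { exit !found }'              # non-zero exit if interface missing
}

# rx_loss IFACE EARLIER LATER -> frames delivered vs. lost at NIC/driver level
rx_loss() {
    b=$(rx_counters "$1" "$2") || return 1
    a=$(rx_counters "$1" "$3") || return 1
    echo "$b $a" | awk '{
        ok    = $5 - $1                            # delivered to the stack
        lost  = ($6 - $2) + ($7 - $3) + ($8 - $4)  # errs + drop + fifo
        total = ok + lost      # assumption: rx packets excludes lost frames
        pct   = (total > 0) ? 100 * lost / total : 0
        printf "delivered=%d lost=%d loss_pct=%.1f\n", ok, lost, pct
    }'
}

# On a live sensor:
#   BEFORE=$(cat /proc/net/dev); sleep 10; AFTER=$(cat /proc/net/dev)
rx_loss eth1 "$BEFORE" "$AFTER"
```

A high loss_pct here points at the NIC, driver or bus; a figure near zero while the sensor still reports loss points above the driver instead.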