Snort mailing list archives

Re: Snort 2.0.4 CPU Utilization\Optimization


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Fri, 21 Nov 2003 09:27:12 +0100


Hi,

You probably do not have much space for further optimizations regarding
your system.

For your libpcap you may try settings like "PCAP_FRAMES=max snort ..."

Try further optimizing your ruleset, deactivating all unnecessary rules.
500 rules are not that many, but in my experience, for common server
environments around 100-150 rules are more than enough.

It would be interesting to know what your network environment looks
like.

The next issue is the preprocessors. Do you need all of them?

http_decode:
Are you really using IIS as well as Apache? The only relevant setting
for Apache is "full_whitespace". You can deactivate the rest.

rpc_decode:
Consider deactivating.

Stream4:
For memcap try something up to 32MB. Check the memory consumption
anyway. What other processes do you have running on the machine?

Stream4_reassemble:
Deactivate ports you're not using.
Port 53 -> DNS is using UDP, AFAIK Stream4_reassemble is for TCP only.

frag2:
timeout: 60 seconds -> Check how long your systems are waiting for
fragments. For example, Linux will only wait 30s. Set this accordingly.
Give frag2 more memory. If you have your sensor behind a Linux firewall,
deactivate this preprocessor since Netfilter always defragments.

telnet_decode:
Consider deactivating.


Regards,
Edin

Mark Ewert wrote:
Greetings,
[...]
Thanks in advance!


--
Edin Dizdarevic
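The preprocessor changes suggested in the reply above, written out as a snort.conf fragment for Snort 2.0.x. This is an added example, not part of the original post; the memory values, the TCP port list and the assumption of a Linux sensor running only Apache plus a mail server are illustrative and should be adjusted to the host in question.

```conf
# BEFORE: stock Snort 2.0.x preprocessor lines (only the ones discussed)
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor telnet_decode

# AFTER: tuned as suggested (assumed: Linux sensor, Apache only, web + mail ports)

# frag2: the protected Linux hosts give up on fragments after 30s, so a 60s
# timeout only holds state nobody will complete; trade the time for memory
# (16 MB here is an assumed value, given in bytes).
# Behind a Netfilter firewall frag2 can be commented out entirely, since
# the firewall already defragments.
preprocessor frag2: timeout 30, memcap 16777216

# stream4: raise memcap towards 32 MB (value in bytes), then watch the
# sensor's resident memory together with the other processes on the box.
preprocessor stream4: detect_scans, disable_evasion_alerts, memcap 33554432

# stream4_reassemble: reassemble only TCP services this host really offers.
# The stock list includes 53, which buys nothing for UDP-based DNS.
# "both" and the port list are assumptions for a web + mail server.
preprocessor stream4_reassemble: both ports 22 25 80 110 143

# http_decode: full_whitespace is the only option relevant to Apache;
# the IIS-specific unicode/flip_slash options are dropped.
preprocessor http_decode: 80 full_whitespace

# rpc_decode and telnet_decode: disabled unless the host runs those services
# preprocessor rpc_decode: 111 32771
# preprocessor telnet_decode
```

Restart Snort after editing and compare CPU and memory use against the earlier figures before trimming further.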


