Snort mailing list archives
RE: Snort 2.0.4 CPU Utilization\Optimization
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Fri, 21 Nov 2003 12:34:36 -0600
Also make sure that your card's drivers support device polling. This will help a great, great deal.

-----Original Message-----
From: Mark Ewert [mailto:mewert () ihcis com]
Sent: Friday, November 21, 2003 12:03 PM
To: Edin Dizdarevic
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort 2.0.4 CPU Utilization\Optimization

I figured out another potential cause of my problem - the E1000 NIC in the system was supposed to be 64bit/133mhz for the PCI-X slot but it turns out to be only 32/66!

So - NIC upgrade forthwith.

M

---------------------------------------------
Mark F. Ewert, Principal Systems Architect
Integrated Healthcare Information Services
www.ihcis.com

-----Original Message-----
From: Edin Dizdarevic [mailto:edin.dizdarevic () interActive-Systems de]
Sent: Friday, November 21, 2003 3:27 AM
To: Mark Ewert
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.0.4 CPU Utilization\Optimization

Hi,

You probably do not have much space for further optimizations regarding your system. For your libpcap you may try settings like "PCAP_FRAMES=max snort ..."

Try further optimizing your ruleset, deactivating all unnecessary rules. 500 rules are not so many, but my experience is that for common server environments something about 100-150 rules is more than enough. It would be interesting to know what your network environment looks like.

The next issue is the preprocessors. Do you need all of them?

http_decode: Are you really using IIS as well as Apache? The only relevant setting for Apache is "full_whitespace". You can deactivate the rest.

rpc_decode: Consider deactivating.

Stream4: For memcap try something up to 32MBs. Check the memory consumption anyway. What other processes do you have running on the machine?

Stream4_reassemble: Deactivate ports you're not using. Port 53 -> DNS is using UDP, AFAIK Stream4_reassemble is for TCP only.

frag2: timeout: 60 seconds -> Check how long your systems are waiting for fragments. For ex. Linux will only wait 30s. Set this accordingly. Give frag2 more memory. If you have your sensor behind a Linux firewall, deactivate this preprocessor since Netfilter always defragments.

telnet_decode: Consider deactivating.

Regards,

Edin

Mark Ewert wrote:
Greetings,
[...]
Thanks in advance!
--
Edin Dizdarevic
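The preprocessor checklist in Edin's quoted reply, written as a small config review script. This is an added example, not part of the thread: the sample snort.conf lines are constructed and assume Snort 2.0-era preprocessor syntax, and the function names are hypothetical.

```python
import re

# Constructed sample in Snort 2.0-era snort.conf syntax (an assumption; not from the thread).
SAMPLE_CONF = """\
preprocessor frag2: timeout 60, memcap 4194304
preprocessor stream4: detect_scans, memcap 8388608
preprocessor stream4_reassemble: both, ports 21 23 25 53 80 110
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor telnet_decode
# preprocessor bo
"""

FRAG_WAIT = 30                  # seconds a Linux host waits for fragments, per the thread
STREAM4_MEMCAP = 32 * 1024**2   # "up to 32MBs", per the thread

def parse_preprocessors(conf):
    """Map each active (uncommented) preprocessor name to its comma-separated options."""
    active = {}
    for line in conf.splitlines():
        m = re.match(r"\s*preprocessor\s+(\w+)\s*(?::\s*(.*))?$", line)
        if m:
            active[m.group(1)] = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
    return active

def option_args(opts, key):
    """Return the arguments following `key` (['60'] for 'timeout 60'), or []."""
    for opt in opts:
        words = opt.split()
        if words[0] == key:
            return words[1:]
    return []

def review(conf):
    """Return one note per checklist item from the thread that the config trips."""
    pp, notes = parse_preprocessors(conf), []
    timeout = option_args(pp.get("frag2", []), "timeout")
    if timeout and int(timeout[0]) > FRAG_WAIT:
        notes.append(f"frag2: timeout {timeout[0]}s is longer than the {FRAG_WAIT}s a Linux host waits")
    memcap = option_args(pp.get("stream4", []), "memcap")
    if memcap and int(memcap[0]) < STREAM4_MEMCAP:
        notes.append(f"stream4: memcap {memcap[0]} is below the 32 MB suggested as an upper bound")
    if "53" in option_args(pp.get("stream4_reassemble", []), "ports"):
        notes.append("stream4_reassemble: port 53 is listed; reassembly is TCP-only")
    if any(w.startswith("iis_") for w in " ".join(pp.get("http_decode", [])).split()):
        notes.append("http_decode: IIS options are enabled; drop them on Apache-only networks")
    notes += [f"{n}: enabled; the thread suggests considering deactivation"
              for n in ("rpc_decode", "telnet_decode") if n in pp]
    return notes
```

Calling `review(SAMPLE_CONF)` returns six notes, one per tuning point the sample trips; the commented-out `bo` line is ignored.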