Snort mailing list archives

RE: Dropping packets why?

From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 27 Oct 2003 20:37:29 -0500

At 06:50 PM 10/27/2003, Elijah Savage wrote:

Thank you all for reading my post but it seems you all did not read it
and looked at my measly hardware and wanted to jump all over it. But
this is for a cable internet connection 3megabitsDown/512up This machine
should be way more than enough to keep up considering some of the
hardware I have seen on some of the connections they are using.

Even at such a low data rate, a k6-2 will not be sufficient with thedefault preprocessor set.


You can read some of my notes here:

http://archives.neohapsis.com/archives/snort/2003-06/0228.html
http://archives.neohapsis.com/archives/snort/2003-06/0448.html

Admittedly I was using a p-166 and less ram and a lower-end NIC, but mydrop rates were nearly 30% with a more-or-less default setup (using tcpdumpbinary packet logging). I was sniffing a 2mbit/2mbit line, tapped using apure-passive 10mbit hub. This box was also not a router or anything elseand was 100% dedicated to using snort.

Using 100mbit nics is going to increase the short-term burst rate at whichpackets can arrive, this will make things a little worse for snort than Ihad.. You're also monitoring a line in which the downstream rate is 50%higher. And using your snort box as some kind of firewall/router, whichwill take some CPU away from snort, a problem I did not have (my snort boxdid nothing more than a pair of "block all" rules, and did no forwarding orrouting).










-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Dropping packets why? Elijah Savage (Oct 25)
- Message not available
  - Re: Dropping packets why? Matt Kettler (Oct 27)
- Re: Dropping packets why? Edin Dizdarevic (Oct 27)
- <Possible follow-ups>
- RE: Dropping packets why? O'Flynn, Derek (Oct 27)
  - Re: Dropping packets why? Michael Sierchio (Oct 27)
    - copious (snort_decoder) WARNING: Not IPv4 datagram! Ernie Lim (Oct 27)
    - RE: copious (snort_decoder) WARNING: Not IPv4 datagram! Ernie Lim (Oct 27)
    - Re: copious (snort_decoder) WARNING: Not IPv4 datagram! Geoff (Oct 27)
- RE: Dropping packets why? Elijah Savage (Oct 27)
  - Message not available
    - RE: Dropping packets why? Matt Kettler (Oct 27)
  - RE: Dropping packets why? Paul Schmehl (Oct 27)
- RE: Dropping packets why? Elijah Savage (Oct 27)
- RE: Dropping packets why? Elijah Savage (Oct 27)
- RE: Dropping packets why? Elijah Savage (Oct 27)