Snort mailing list archives
Re: snort dropping 48%
From: sgt_b <sgt_b () security-forums com>
Date: Thu, 06 May 2004 17:45:08 -0500
Sheahan, Paul wrote:
If you specify the -N switch it should not do any packet logging. I just tested this with `snort -d -l ./ -N -c /usr/local/etc/snort.conf'. It generates the alert file, but not any packet logs; sounds like you might not be using the -N switch properly (or the -N switch needs to be in a certain spot?). I could see how default packet logging could easily kill a server that runs on gigabit though. While this may contribute to it, it doesn't sound like the root of your problem though as you've previously tried logging binary format.
Also Snort STILL creates individual directories for each address it encounters. So many directories get created it reaches the Linux limit after a while and crashes Snort. I suppose Snort could be so busy with this that it may be contributing to the packet loss?
Sheahan, Paul wrote:
The content rules are the issue, but it is still a mystery why old hardware and Snort version worked.
The real difference here is the amount of traffic snort needs to analyze. Gigabit ethernet is 10x faster than standard. That's a lot of packets! What we really need is a response from someone who effectively runs snort on a gigabit network. Can snort run "out of the box" on a gigabit network efficiently (given decent hardware of course) or does it need to be tweaked to prevent major packet loss?
As for your current situation Paul, would it be feasible to share the load between multiple sensors? Each sensor containing 100 of your custom rules? That might work to get every packet on the wire without having to sacrifice some of snort's features for speed.
Just an idea. :)
sgt_b