Snort mailing list archives

Re: Snort performance concerns


From: sekure <sekure () gmail com>
Date: Fri, 30 Sep 2005 10:40:57 -0400

First place I'd look is disabling rules you don't need.  Not sure if
you've done that already, but many people are running with much larger
rulesets than what they need.  I was seeing the same thing you were,
for example, certain sensors are handling near 100Mbps with minimal
drops, while others are dropping packets at > 3Mbps.

After disabling some unnecessary rulesets the CPU utilization went way
down and I haven't seen any issues since.

I've seen the highest performance hit with the web-client rules for
some reason.  So try disabling that first.

On 9/30/05, Larry Wichman <larrywichman () yahoo com> wrote:


I enabled Performance Monitor on my sensors and I have some concerns after
looking at some of the performance stats. First, I have three sensors, two
of which average 96mb/sec of traffic and the dropped packets percentage
average is about 10% (proc and memory utilization are high, as expected). I
have a third sensor that sees an average of about 5mb/sec and has the same
amount of dropped packets, memory and proc utilization are minimal. I have
implemented all the suggested optimizations (I think), patched Libpcap,
etc…. I can understand that there would be some dropped packets when the
traffic is at a high, continuous load, but the third sensor with the same
amount of dropped packets with only a fraction of the traffic concerns me.
I am thinking about upgrading the hardware (faster proc, bus speeds, etc…),
but I might be wasting money if the stats are the same.  Does anyone have
any input as to what is causing the dropped packets?

Also, my boss told me to start evaluating commercial products. My first
choice would be Sourcefire, I really do like working with Snort, but I need
whatever product I choose to be able to handle the amount of traffic that we
have. I would greatly appreciate any input on this. Cheers.



Larry
