Re: Snort performance concerns

[Joel Esler <joel.esler () sourcefire com>]

Okay.  First of all, you need to upgrade your Snort Sensors.  2.4.2  
is out :)

Second of all, you need to output to unified and have Barnyard  
process your unified file to remove the output workload from Snort  
(and yes, it is alot)

Joel


On Sep 30, 2005, at 10:48 AM, Larry Wichman wrote:

> All three boxes have the same OS and hardware configuration
>
> Linux kernel 2.6
>
> 1.5 GHz proc
>
> 2 gb RAM
>
> Mgt network interface card is 3Com Corporation 3c905C-TX/TX-M  
> [Tornado]
>
> Promiscuous network interface card is Intel Corp. 82557/8/9  
> [Ethernet Pro 100]
>
>  Snort version 2.3.2
>
>
>
> My output method is database and my database is on the same VLAN  
> as  all the sensors Mgt interface. It is a high-end Dell server  
> with 4 procs and 4gb RAM and It is running Mysql on Windows 2003.
>
>
>
> Joel Esler <joel.esler () sourcefire com> wrote:
> If you are interested in Sourcefire products, we can definitely put  
> you in touch with someone that will be able to answer all your  
> questions..
>
> Can you please describe the systems that you have?  Hardware?  RAM,  
> processor... nic card..  OS..
>
> What is your output method?  database?  unified?  pcap?
>
> Joel Esler
> SOURCEfire
>
> On Sep 30, 2005, at 10:25 AM, Larry Wichman wrote:
>
> > I enabled Performance Monitor on my sensors and I have some  
> > concerns after looking at some of the performance stats. First, I  
> > have three sensors, two of which average 96mb/sec of traffic and  
> > the dropped packets percentage average is about 10% (proc and  
> > memory utilization are high, as expected). I have a third sensor  
> > that sees an average of about 5mb/sec and has the same amount of  
> > dropped packets, memory and proc utilization are minimal. I have  
> > implemented all the suggested optimizations (I think), patched  
> > Libpcap, etc….I can understand that there would be some dropped  
> > packets when the traffic is at a high, continuous load, but the  
> > third sensor with the same amount of dropped packets with only a  
> > fraction of the traffic  concerns me.  I am thinking about  
> > upgrading the hardware (faster proc, bus speeds, etc…), but I  
> > might be wasting money if the stats are the same.  Does anyone  
> > have any input as to what is causing the dropped packets?
> >
> > Also, my boss told me to start evaluating commercial products. My  
> > first choice would be Sourcfire, I really do like working with  
> > Snort, but I need whatever product I choose to be able to handle  
> > the amount of traffic that we have. I would greatly appreciate any  
> > input on this. Cheers.
> >
> >
> >
> > Larry