Snort mailing list archives
Re: "Making Snort go fast under Linux..."
From: "Chan, Wilson" <wchan () honolulu gov>
Date: Wed, 24 Feb 2010 13:31:54 -1000
Found the settings for S5 and maxed out the queue and then the max bytes as it started to complain after bumping the
queue size up. I no longer see the "Session exceeded" warnings but it's still dropping packets at 3% vs less than 1%
when using the default search-method (AC-BNFA). Is this normal?
##-wc Default is max_queued_seg 2621, Max is 1GB (1073741824)
##-wc Default is max_queued_bytes 1024, Default 1048576 is 1MB & Max is 1GB (1073741824)
##preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor stream5_tcp: policy first, \
use_static_footprint_sizes, \
max_queued_segs 1073741824, \
max_queued_bytes 1073741824
Wilson
-----Original Message-----
From: Chan, Wilson
Sent: Wednesday, February 24, 2010 1:04 PM
To: Edward Bjarte Fjellskål; snort-users () lists sourceforge net
Subject: Re: [Snort-users] "Making Snort go fast under Linux..."
Just applied one of the speed tweaks on how searches are performed (search-method ac vs default) and I immediately
noticed ram usage went up from 0.4% to 2.2% (Total ram is 12G). However, I noticed my dropped packets are now over 3%
whereas the default search-method was less than 1%. I also noticed it's complaining about S5: Session exceeded
configured max segs. How do I bump the ram usage for S5? Thanks!
/etc/snort/snort.conf
##Enable (ac-bnfa: low memory, high performance OR ac: high memory, best performance)
config detection: search-method ac
[root@snort- snort]# service snortd stats
S5: Session exceeded configured max segs to queue 2621 using 2621 segs (server queue).
(0) : LWstate 0x48 LWFlags 0x6107
*** Caught Usr-Signal
===============================================================================
Packet Wire Totals:
Received: 6926559
Analyzed: 13354515 (192.802%)
Dropped: 249296 (3.599%)
Outstanding: 18446744073702874364 (266319020363543.781%)
===============================================================================
Wilson
-----Original Message-----
From: Edward Bjarte Fjellskål [mailto:edward.fjellskal () redpill-linpro com]
Sent: Wednesday, February 24, 2010 4:03 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] "Making Snort go fast under Linux..."
Hi list,
During the years, I have tried to gather some notes
on what can help "Snort go faster".
I summed it up in a blog post:
http://www.gamelinux.org/?p=81
If anyone here has any comments/improvements/tips etc,
I would be happy to hear about them, and include them
in my post for future reference.
E
------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
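Added example, not part of any message in this thread: a small parser for the "Packet Wire Totals" block quoted above that recomputes the drop rate and flags counters that do not add up. The function names and the 1% drop threshold are assumptions chosen for illustration; on the quoted numbers, Outstanding equals Received minus Analyzed minus Dropped wrapped to an unsigned 64-bit value.

```python
import re

U64 = 1 << 64

# Constructed sample: the "Packet Wire Totals" block quoted in the thread above.
SAMPLE = """\
Packet Wire Totals:
Received: 6926559
Analyzed: 13354515 (192.802%)
Dropped: 249296 (3.599%)
Outstanding: 18446744073702874364 (266319020363543.781%)
"""

LINE = re.compile(r"^\s*(Received|Analyzed|Dropped|Outstanding):\s+(\d+)", re.M)


def parse_totals(text):
    """Return the four wire counters as ints, keyed by lower-case name."""
    found = {name.lower(): int(value) for name, value in LINE.findall(text)}
    missing = {"received", "analyzed", "dropped", "outstanding"} - found.keys()
    if missing:
        raise ValueError("counters missing from stats block: %s" % sorted(missing))
    return found


def check_totals(c, max_drop_pct=1.0):
    """Recompute the drop rate and list reasons the block needs a closer look.

    max_drop_pct is an assumed alerting threshold, not a Snort setting.
    """
    if c["received"] == 0:
        raise ValueError("no packets received; drop rate undefined")
    drop_pct = 100.0 * c["dropped"] / c["received"]
    signed_gap = c["received"] - c["analyzed"] - c["dropped"]
    findings = []
    if drop_pct > max_drop_pct:
        findings.append("drop rate %.3f%% exceeds %.1f%%" % (drop_pct, max_drop_pct))
    if c["analyzed"] > c["received"]:
        findings.append("analyzed exceeds received")
    if signed_gap < 0 and c["outstanding"] == signed_gap % U64:
        findings.append("outstanding is %d wrapped to unsigned 64-bit" % signed_gap)
    return round(drop_pct, 3), signed_gap, findings


if __name__ == "__main__":
    pct, gap, notes = check_totals(parse_totals(SAMPLE))
    print("dropped %.3f%% of received, gap %d" % (pct, gap))
    for note in notes:
        print("check:", note)
```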
Current thread:
- "Making Snort go fast under Linux..." Edward Bjarte Fjellskål (Feb 24)
- Re: "Making Snort go fast under Linux..." Randal T. Rioux (Feb 24)
- Re: "Making Snort go fast under Linux..." Edward Bjarte Fjellskål (Feb 24)
- Re: "Making Snort go fast under Linux..." beenph (Feb 24)
- Re: "Making Snort go fast under Linux..." Ronny Vaningh (Feb 24)
- Re: "Making Snort go fast under Linux..." Mark W. Jeanmougin (Feb 25)
- Re: "Making Snort go fast under Linux..." Edward Bjarte Fjellskål (Feb 24)
- Re: "Making Snort go fast under Linux..." Crook, Parker (Feb 24)
- Re: "Making Snort go fast under Linux..." Chan, Wilson (Feb 24)
- Re: "Making Snort go fast under Linux..." Chan, Wilson (Feb 24)
- Re: "Making Snort go fast under Linux..." Chan, Wilson (Feb 24)
- Re: "Making Snort go fast under Linux..." Chan, Wilson (Feb 24)
- Re: "Making Snort go fast under Linux..." Randal T. Rioux (Feb 24)
