Hi,
My first suggestion is don't use the pre-packaged snort. In general
compromises for the general case are used during compilation, download the
source and build it yourself. Secondly, blindly using all of snorts
pre-processors, filters and the like is off-the-bat doomed to fail. You
need to analyze your traffic, figure out what you don't even allow on your
network and remove the components you don't need. Thirdly, use the
unified log output format, it's designed for high performance. As part of
this you should also probably install barnyard to generate a single
unified log but this will be done by another process that doesn't need to
be in real-time (although it will be close). The idea is to off-load as
much as possible from the snort process to ensure you don't drop packets.
These are some off-the-top-of-my-head suggestions and should be a good
place to start. You really need to read through all of snort's
documentation though.
Ramon Kagan, GCIA
York University, Computing and Network Services
Information Security - Senior Information Security Analyst
(416)736-2100 #20263
rkagan@yorku.ca
----------------------------------- ------------------------------------
I have not failed. I have just I don't know the secret to success,
found 10,000 ways that don't work. but the secret to failure is
trying to please everybody.
- Thomas Edison - Bill Cosby
----------------------------------- ------------------------------------
On Sun, 29 May 2005, mamo wrote:
Hello Everybody.
On 5/21/05, Byron L. Sonne <blsonne@rogers.com> wrote:
It's not a vendor, but I've heard people have been running Snort quite
well on gig links.
In this days I am trying to configure Snort to analyze traffic on a
busy gigabit link (400-600Mbit), and I am finding I lose 60-80%
traffic with the default snort config on freebsd (with device polling
and some kernel tuning for sniffing purpose) with a quite good
hardware. From my first analysis it looks like the problem is in how
the prepocessor works and are configured (without preprocessor I can
process near all the traffic)
Is there anybody that used snort on gigabit connection that can share
with us experience and tuning tips?
Best Regards,
Mamo
PS
For sourcefire people or people that used their product.. What are the
difference between the snort engine in the sourcefire appliance and
the open source one?
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
