| Subject: | Re: [Snort-users] Snort performance concerns |
|---|---|
| Date: | Fri, 30 Sep 2005 10:40:57 -0400 |

First place I'd look is disabling rules you don't need. Not sure if you've done that already, but many people are running with much larger rulesets than what they need. I was seeing the same thing you were, for example, certain sensors are handling near 100Mbps with minimal drops, while others are dropping packets at > 3Mbps.

After disabling some unnecessary rulesets the CPU utilization went way down and I haven't seen any issues since.

I've seen the highest performance hit with the web-client rules for some reason. So try disabling that first.

On 9/30/05, Larry Wichman <larrywichman@yahoo.com> wrote:
>
> I enabled Performance Monitor on my sensors and I have some concerns after looking at some of the performance stats. First, I have three sensors, two of which average 96mb/sec of traffic and the dropped packets percentage average is about 10% (proc and memory utilization are high, as expected). I have a third sensor that sees an average of about 5mb/sec and has the same amount of dropped packets, memory and proc utilization are minimal. I have implemented all the suggested optimizations (I think), patched Libpcap, etc…. I can understand that there would be some dropped packets when the traffic is at a high, continuous load, but the third sensor with the same amount of dropped packets with only a fraction of the traffic concerns me. I am thinking about upgrading the hardware (faster proc, bus speeds, etc…), but I might be wasting money if the stats are the same. Does anyone have any input as to what is causing the dropped packets?
>
> Also, my boss told me to start evaluating commercial products. My first choice would be Sourcefire, I really do like working with Snort, but I need whatever product I choose to be able to handle the amount of traffic that we have. I would greatly appreciate any input on this. Cheers.
>
> Larry