
RE: [Snort-users] Snort performance concerns

Subject: RE: [Snort-users] Snort performance concerns
Date: Fri, 30 Sep 2005 10:12:05 -0500
I use the NAPI driver support for the Intel NICs and that helps with
performance a little bit as well.

________________________________

From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Jeff Dell
Sent: Friday, September 30, 2005 9:53 AM
To: 'Larry Wichman'
Cc: 'Snorty S Snortman'
Subject: RE: [Snort-users] Snort performance concerns


I am not sure if you are also using libpcap that supports MMAP mode (Phil
Wood's Ring Buffer), but you might want to try that out too.
 
http://public.lanl.gov/cpw/
 
Cheers,
Jeff


________________________________

        From: snort-users-admin@lists.sourceforge.net
        [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Larry Wichman
        Sent: Friday, September 30, 2005 10:48 AM
        To: Joel Esler
        Cc: Snorty S Snortman
        Subject: Re: [Snort-users] Snort performance concerns

        All three boxes have the same OS and hardware configuration:

        Linux kernel 2.6

        1.5 GHz proc

        2 GB RAM

        Mgt network interface card is 3Com Corporation 3c905C-TX/TX-M [Tornado]

        Promiscuous network interface card is Intel Corp. 82557/8/9 [Ethernet Pro 100]

        Snort version 2.3.2

        My output method is database and my database is on the same VLAN as all the sensors' Mgt interfaces. It is a high-end Dell server with 4 procs and 4 GB RAM and it is running MySQL on Windows 2003.

        Joel Esler <joel.esler@sourcefire.com> wrote:

                If you are interested in Sourcefire products, we can definitely put you in touch with someone that will be able to answer all your questions..

                Can you please describe the systems that you have? Hardware?  RAM, processor... nic card..  OS..

                What is your output method?  database?  unified?  pcap?

                Joel Esler
                SOURCEfire

                On Sep 30, 2005, at 10:25 AM, Larry Wichman wrote:

                        I enabled Performance Monitor on my sensors and I have some concerns after looking at some of the performance stats. First, I have three sensors, two of which average 96mb/sec of traffic and the dropped packets percentage average is about 10% (proc and memory utilization are high, as expected). I have a third sensor that sees an average of about 5mb/sec and has the same amount of dropped packets; memory and proc utilization are minimal. I have implemented all the suggested optimizations (I think), patched libpcap, etc. I can understand that there would be some dropped packets when the traffic is at a high, continuous load, but the third sensor with the same amount of dropped packets with only a fraction of the traffic concerns me. I am thinking about upgrading the hardware (faster proc, bus speeds, etc.), but I might be wasting money if the stats are the same. Does anyone have any input as to what is causing the dropped packets?

                        Also, my boss told me to start evaluating commercial products. My first choice would be Sourcefire, I really do like working with Snort, but I need whatever product I choose to be able to handle the amount of traffic that we have. I would greatly appreciate any input on this. Cheers.

                        Larry
