Do you know approximately how much traffic you are trying to monitor?
Definitely make use of the MMAPed pcap library recommended by someone
already, i saw some drastic improvements with it.
Also, enable perfmonitor, tell it to dump stats every minute or so and
let it run for 30 minutes. This will give you a better idea of the
throughput and the CPU utilization. Post those results back to the
list
When all else fails, you can start disabling rule sets. Do you really
need every single rule enabled?
On 10/26/05, Joseph Nicholson <wjnicholson@gmail.com> wrote:
These are onboard NIC's that came with the board I got from Supermicro.
2 x Intel(r) 82541 Gigabit Ethernet Controllers
I have been thinking about adding a PCI NIC just to see if there is a
difference.
On 10/26/05, Joshua Berry <JBerry@penson.com> wrote:
What kind of NIC's are you using on the Sensor? I have had some issues
with certain cards (mostly Realteks) on Linux, the Intel NIC's seem to work
the best and you can enable device polling (NAPI) in the kernel for some of
these cards as well which will boost performance.
________________________________
From: snort-users-admin@lists.sourceforge.net [mailto:
snort-users-admin@lists.sourceforge.net] On Behalf Of
Joseph Nicholson
Sent: Wednesday, October 26, 2005 8:25 AM
To: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Quick questions about recieved packets
I was afraid of that.
I have snort plugged into a Cisco 3560G Switch on a mirrored port. I am
mirroring 10 other ports on the switch currently. This is my core switch
and brings about 5 different network segments together. I am using the
Official Snort Rules and the Bleeding Snort Rules. Snort is setup to kick
out the Alerts via Syslog. The local Syslog function in Linux is setup to
send the Alerts to a Syslog appliance that parses all of my logs for me.
For testing I setup Snort to output Alerts via unified logging and that
didn't help any. I currently have both Tx and Rx being mirrored to my
monitoring port. I tried just Tx and just Rx and got the same result. The
monitor port is a Gigabit port and the monitoring ethernet port is running
at a Gigabit also. On the linux appliance that port is running in
promiscuous mode and has no IP. I have a management interface on the box
also that I use to send the syslog files across and that I log into to
manage the box.
Any thoughts or suggestions would be appreciated. This is the first
production Sensor I have setup. All my testing sensors apparently didn't
have enough traffic being pushed at them.
On 10/26/05, Richard Bejtlich <taosecurity@gmail.com > wrote:
Joseph Nicholson wrote:
I see that snort dropped 179457 packets because it couldn't process
them.
Snort received 186246 packets
Analyzed: 6789(3.645%)
Dropped: 179457(96.355%)
My gut instinct is telling me that it dropped 179457 packets because
it
felt there was no threat from them and that the 6789 it analyzed
looked
suspicious.
Hi Joseph,
You have a serious problem with your Snort deployment. The packets
Snort dropped were never inspected, period.
Can you describe your configuration? Are you sending Snort alerts
directly to a database, without Barnyard? Are you running any odd
rules?
Sincerely,
Richard
http://www.taosecurity.com
--
Joseph Nicholson
--
Joseph Nicholson
-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
