Home page logo

snort logo Snort mailing list archives

Re: Snort 2.9, RHEL 5 and afpacket DAQ
From: Rich Graves <rcgraves () gmail com>
Date: Wed, 20 Oct 2010 13:59:21 -0500

On Wed, Oct 20, 2010 at 1:12 PM, Jeff Kell wrote:

I had rebuilt snort 2.8.6 with libpcap 1.1.1 and  had some worse
performance than before, but then there was a discussion on one of the snort
lists regarding sids 4676 and 4677 in the oracle-rules being a pcre "hog".

Disabling those two sids dropped my average CPU over half...

Wow. Mine dropped over 2/3.

sid 4676 is limited to POSTs, so if you have a requirement to detect ancient
oracle attacks, keep that one and drop just 4677.

The problem of the maximum 49MB buffer on RHEL5 64-bit remains (does not
affect Ubuntu 64-bit or RHEL5 32-bit; I'd expect it to effect CentOS and
other rebuilds as well), but since I'm no longer regularly filling the
buffer, my 2.9.0 installation is now stable enough that I can start looking
at the new rule options, and hope the buffer issue gets addressed in 2.9.1.
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]