Snort mailing list archives
RE: FW: Two questions...
From: "Bob Walder" <bwalder () nss co uk>
Date: Thu, 25 Oct 2001 11:02:01 +0100
Comments in-line.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Grimes, Shawn (NIA/IRP)
Sent: 25 October 2001 04:03
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] FW: Two questions...

> Alright, I have two questions that I haven't been able to find answers for, or at least answers that were satisfying. Sorry if these are being repeated, but I didn't see anything in any of the forums or any of the recent messages to this group.
>
> First, the details: Red Hat Linux 7.2 on a dual 1.3 GHz PIII w/ 1 GB of RAM, Snort Version 1.8.1-RELEASE (Build 74), dumping to a MySQL database using the latest stable release.
>
> 1). Snort keeps logging two entries of each alert. There is definitely only one instance of Snort running, and there is only one interface that it's monitoring/active. Has anyone had similar problems?

Have you configured both alerts and log entries to go to your SQL database? Although that might SEEM logical, it results in many duplicate entries, since an ALERT is also usually LOGged. Put them in separate places or log to separate databases.

> 2). I'm on a network with probably 1,000 nodes. The traffic ranges anywhere from 5 Mbit/sec, and I've seen as high as 20 Mbit/sec. The CPU utilization of Snort is up to 99% constantly, and I'm getting significant packet losses, as you can imagine. Is this too high of a demand for Snort? If not, what are some ways I can lower the CPU usage and increase the amount of packets Snort can handle?
>
> Thanks for any suggestions.

What network card are you using? We found significant performance increases moving from 3Com to Intel NICs. But the biggest performance increase of all was when we moved Snort from Red Hat Linux 7.1 to FreeBSD 4.3 - we noted a 500% increase in performance under certain conditions (with a stripped-down kernel).

Under FreeBSD, Snort can quite happily handle in excess of 80 Mbps with all pre-processors and signatures active on a 1 GHz PIII with 768 MB RAM and an Intel 10/100 NIC.

My recommendation? While I do not want to spark one of those "religious" OS wars, I would have to say that Linux sucks for IDS (and this is not just based on our Snort testing) - if you want to use Snort, put it on BSD.

> Thank You,
> Shawn Grimes
> NCTS
> Gerontology Research Center
> 410-558-8007
> grimessh () grc nia nih gov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
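Added example (not from the thread, and not Snort project documentation): the configuration pattern Bob is describing, written in the Snort 1.x `output` plugin syntax. The user, password, database and host values are placeholders assumed for illustration; substitute your own. The first pair of lines reproduces the duplicating setup, the two blocks after it are the two fixes he suggests.

```conf
# DUPLICATING SETUP (assumed to match the poster's snort.conf):
# both the alert facility and the log facility write to the SAME MySQL
# database. Every alert is also logged, so each event is inserted twice.
output database: alert, mysql, user=snort password=secret dbname=snort host=localhost
output database: log, mysql, user=snort password=secret dbname=snort host=localhost

# FIX 1 - keep only the alert facility in SQL and send the log facility
# somewhere else (here a tcpdump-format packet log on disk).
# output database: alert, mysql, user=snort password=secret dbname=snort host=localhost
# output log_tcpdump: snort.log

# FIX 2 - if both facilities really must go to SQL, give each its own
# database so the rows never land in the same event table.
# output database: alert, mysql, user=snort password=secret dbname=snort_alert host=localhost
# output database: log, mysql, user=snort password=secret dbname=snort_log host=localhost
```

Keep exactly one of the three variants uncommented; Snort activates every `output` line it reads, so leaving the original pair in place alongside a fix brings the duplicates back. A quick confirmation that this is the cause: start Snort with `-N` (turn off logging, alerts still work); if the second row per event disappears, the log facility was the source of the duplicates.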
Current thread:
- FW: Two questions... Grimes, Shawn (NIA/IRP) (Oct 24)
- <Possible follow-ups>
- RE: FW: Two questions... Bob Walder (Oct 25)
- RE: FW: Two questions... Bob Walder (Oct 25)
- RE: FW: Two questions... Wayne Work (Oct 25)
- RE: FW: Two questions... Bob Walder (Oct 25)
- Re: FW: Two questions... J. C. Woods (Oct 25)
- RE: FW: Two questions... Bob Walder (Oct 25)
- RE: FW: Two questions... Grimes, Shawn (NIA/IRP) (Oct 25)
- Re: RE: FW: Two questions... Martin Roesch (Oct 25)
