Re: Snort Performance Questions

["Jefferson, Shawn" <Shawn.Jefferson () bcferries com>]

Hi Joel,

Mbit/s graph is attached.  I'm not sure about the fragmentation, I'll have to ask one of the network team here.  It 
could be that we have a lot of radio and satellite connections (??).

-----Original Message-----
From: Joel Esler [mailto:eslerj () gmail com] 
Sent: January 22, 2009 7:39 AM
To: Jefferson, Shawn
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Performance Questions

The line I don't see is Mbit/s.  How much traffic are you putting  
through here?

Aside from that, you have alot of fragmentation going on, any reason  
for that?

Joel

On Jan 21, 2009, at 5:23 PM, Jefferson, Shawn allegedly wrote:

> Sorry, I copy and pasted the pictures.  This time I'm attaching  
> them.  Trying to get under the 256KB limit on the list as well.
>
>
>
> ________________________________________
> From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
> Sent: January 21, 2009 9:22 AM
> To: Snort-users () lists sourceforge net
> Subject: [Snort-users] Snort Performance Questions
>
> Hi,
>
> I've got some questions about performance as well.
>
> How do I determine where my bottleneck might be?  What is typically  
> the performance bottleneck on a snort sensor?
>
> Now some details about my setup:
>
> I'm running Snort 2.8.3 on Ubuntu 8.0.4 on an HP 360 G4 server,  
> using the two built-in Broadcom NICs for management and monitor  
> ports.  I'm running MMPCAP and barnyard as well.  I'm running almost  
> all the snort rules and several of the ET rules.  I'd like to add  
> some more of the ET rules, but don't want an adverse impact on  
> performance.  Ideally, I'd like to see dropped packets at zero at  
> all times.
>
> There are two sensors each connected to a Cisco 6509 switch where  
> specific ports that I'm interested in watching have been put into a  
> port span group that I'm connected to.  So IDS1 and IDS2 are  
> connected to switch1 and switch2 respectively.  IDS1 also has BASE  
> and MySQL on it.  Switch1 also has the most traffic by far. I've  
> thought of switching them around so that the server with BASE and  
> MySQL is connected to switch2, where the traffic is very low, but  
> I'm wondering if this will actually improve performance or not,  
> since all alerts will have to be sent through the network to the  
> other server.
>
> Top shows memory usage as follows:
>
> Mem: 2075552k total, 669320k used, 1406224k free, 82640k buffers
> Swap: 2939852k total, 0k used, 2939852k free, 204024k cached
>
> Here's the output from perfstats / perfmonitor for IDS1 (hope  
> pictures are allowed):
>
> <snip pasted pictures>
>
> < 
> alerts_per_sec 
> .jpg 
> >
> < 
> bytes_per_pkt 
> .jpg 
> >
> < 
> cpu1_stats 
> .jpg 
> >
> < 
> drops 
> .jpg 
> >
> < 
> frag_events 
> .jpg 
> >
> < 
> kpackets 
> .jpg 
> >
> < 
> open_sessions 
> .jpg 
> >
> < 
> session_stats 
> .jpg 
> >
> < 
> stream_stats 
> .jpg 
> >
> < 
> syn_stats 
> .jpg 
> >
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Joel Esler
  http://www.joelesler.net
  http://www.twitter.com/joelesler
[m]

------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users