Re: [Snort-users] droped packets
This is a discussion on Re: [Snort-users] droped packets within the Snort forums, part of the System Security and Security Related category; At 10:36 AM 12/28/2003, khaled fawzy wrote: >i run snort 2.0 over slackware the problem ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
12-29-2003
|
|||
|
|||
Re: [Snort-users] droped packets
At 10:36 AM 12/28/2003, khaled fawzy wrote:
>i run snort 2.0 over slackware the problem is my snort is dropping 55% >from packets . how can i make snort analyze all the packets . my snort >machine is P4 with 256 M RAM. 1) what kind of NIC do you have? if it's a Realtek 10/100mbit nic, toss it in a dumpster and buy a real network card. 2) Consider trying snort 2.1.x, or at LEAST make sure you're on 2.0.6... some things are a bit more efficient there. 3) tune. Make sure you've collapsed your HOME_NET and EXTERNAL_NET into as few ranges as possible.. multiple comma-separated ranges HURT badly. Turn off preprocessors that are hungry and you might not need.. portscan2 and conversation are very resource hungry Make sure your snort box isn't doing much else. Make sure you're not using something horribly inefficient for logging like text hex-dump packet logging. (if you have piles of subdirectories named after IP addresses, you might want to consider at least switching to tcpdump output) If you don't need checksum monitoring, try adding in -k none to the command line. >and my network is about 200 pc. and it is switched 100MB network. > >the scond : >can snort run in 1GB network? and if so what the minimumm requirements in >this snort machine. It's been done, but takes a LOT of tuning.. it also takes a lot of hardware, but once you're talking about reasonable hardware, tuning is the bigger factor in getting good speed. I'm not sure of the specifics for hardware to use, but aim high. Think dedicated snort-only system using dual CPU's with the highest clockrates you can get, a fast scsi raid array disk system for logging, an efficient OS, and a decent NIC. ------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
