Re: [Snort-users] Low Snort performances

This brings up an interesting point. There have been plenty of
tutorials and howto's on installing and configuring snort - but have
there been any on tuning the underlying OS for packet capturing?

On 19/04/2004, at 8:40 PM, Bob Walder wrote:

<snip>
> At the risk of starting another OS war, I can say that one of the main
> differences between our test rig and your sensor is that we used FreeBSD
> for the underlying OS. We have tried installing Snort on Linux before
> and noted a 500% performance hike when we moved to BSD on the same
> platform. This was under an older kernel and without all that fancy ring
> buffering PCAP stuff, but the results were enough to make us switch
> permanently from Linux to BSD for our Snort sensors, and we have never
> gone back to check difference with later versions.
>
<snip>
> Regards,
>
> Bob Walder
> Director
> The NSS Group
>
>>> -----Original Message-----
>>> From: snort-users-admin@lists.sourceforge.net
>>> [mailto:snort-users-admin@lists.sourceforge.net] On Behalf
>>> Of Gianluca Murgia
>>> Sent: 19 April 2004 11:02
>>> To: snort-users@lists.sourceforge.net
>>> Subject: [Snort-users] Low Snort performances
>>>
>>> Hi,
>>>
>>> I'm using snort 2.1 with a Dual Intel P3 1266MHz 2GB RAM, OS
>>> Redhat 7.3 ( kernel 2.4.18-3smp ). I use it to monitor the
>>> traffic on a fddi token ring network. The traffic can be up
>>> to 50MB/s and the network cards are SysKonnect SK-5844 10/100 Mb/s.
>>>
>>> The snort config file is set to reassemble the packets.
>>>
>>> The maximum rate I can sniff without loss of packets is up
>>> to 4Mb/s. What's the problem? Is there any kind of important
>>> setting on the machine that is missing? On the other hand,
>>> which settings or services must not be running on the
>>> machine in order to improve the performances?
>>>
>>> Thanks, Luca

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users