This is a discussion on Re: [Snort-users] Snort performance concerns within the Snort forums, part of the System Security and Security Related category.
If you are interested in Sourcefire products, we can definitely put you in touch with someone that will be able to answer all your questions.

Can you please describe the systems that you have? Hardware? RAM, processor... NIC card... OS...

What is your output method? database? unified? pcap?

Joel Esler
SOURCEfire

On Sep 30, 2005, at 10:25 AM, Larry Wichman wrote:

> I enabled Performance Monitor on my sensors and I have some concerns after looking at some of the performance stats. First, I have three sensors, two of which average 96mb/sec of traffic and the dropped packets percentage average is about 10% (proc and memory utilization are high, as expected). I have a third sensor that sees an average of about 5mb/sec and has the same amount of dropped packets, memory and proc utilization are minimal. I have implemented all the suggested optimizations (I think), patched Libpcap, etc…. I can understand that there would be some dropped packets when the traffic is at a high, continuous load, but the third sensor with the same amount of dropped packets with only a fraction of the traffic concerns me. I am thinking about upgrading the hardware (faster proc, bus speeds, etc…), but I might be wasting money if the stats are the same. Does anyone have any input as to what is causing the dropped packets?
>
> Also, my boss told me to start evaluating commercial products. My first choice would be Sourcefire, I really do like working with Snort, but I need whatever product I choose to be able to handle the amount of traffic that we have. I would greatly appreciate any input on this. Cheers.
>
> Larry