From: Martin Roesch (roeschmd.prestige.net)
Date: Sun Mar 25 2001 - 21:29:00 CST


    --
    Martin Roesch
    roeschmd.prestige.net
    http://www.snort.org
    

    attached mail follows:


    Check out the BUGS file that comes with Snort, it contains information on backtracing the core file. If you could do that we'll take a stab at solving the problem...

    -Marty

    Siddhartha Jain wrote:
    >
    > I have 10% CPU utilization at approx. 10 Mbps on a Dual UltraSparc 450 Mhz
    > with 1 GB RAM. This is how my Snort is setup. I have a port each on two
    > switches configured as span ports for all the ports on the two switches.
    > Both these span ports are connected to a hub (a 10-BaseT) to which the wire
    > coming from the IDS box is also connected.
    >
    > And i have a problem, my snort dies after approx. two days giving a core
    > dump. So either the hub drops packets and snort dies trying to reassemble
    > the TCP stream (i get lot of "snort: [!] WARNING: TCP stream reassembler,
    > Server Bytes in Buffer > Buffer Size (33952 > 26520)" ) messages OR there is
    > a problem with Snort itself. Either, i could use some help with trying to
    > keep Snort 24x7. Could someone tell me how to inspect the core dump?
    >
    > Siddhartha Jain
    >
    > > I had a PIII 733 sitting at 100% CPU on anything above 19-20Mbps. Logging
    > > to a MySQL server on a separate box. I also have a PIII550 that would sit
    > > at 100% on anything above 15Mb/sec. On both of these boxes, snort was
    > > consuming 99% of the CPU. Maybe I need to throw snort some different flags,
    > > which ones should I use to get the best performance? (I don't have the ones
    > > I'm using now available at this moment).
    > >
    > > Jay
    > >
    > > -----Original Message-----
    > > > From: shawn . moyer [mailto:shawnnet-connect.net]
    > > > Also Jay, I'm not sure about your statement about 20Mbps
    > > > being too much for Snort to handle. The general consensus
    > > > seems to be that a beefy box running Snort with a fast bus
    > > > and a lot of RAM logging to binary format can handle upwards
    > > > of 90Mbps without a whimper.
    >
    > _______________________________________________
    > Snort-users mailing list
    > Snort-userslists.sourceforge.net
    > Go to this URL to change user options or unsubscribe:
    > http://lists.sourceforge.net/lists/listinfo/snort-users
    > Snort-users list archive:
    > http://www.geocrawler.com/redir-sf.php3?list=snort-users

    --
    Martin Roesch
    roeschmd.prestige.net
    http://www.snort.org
    
