From: Robert Riskin (freshbonesgmail.com)
Date: Tue Aug 31 2010 - 14:20:21 CDT
Mike, thank you very much for the info, I'm curious how you have Zabbix watch
your perfmon file with certain columns. I use Zabbix in a separate
environment (and I love it) but am planning on deploying in production by
Yeah, I'm going to rebuild the system with a supported SO_RULES platform.
I was thinking about going for a sourcefire box but I really enjoy building
and learning this stuff from the ground up, it's very informative and I gain
a greater insight into the network. However if I am experiencing massive
loss then I guess I have no choice but to go that route; I'd much rather do
Thank you again for your insight and help!
On Tue, Aug 31, 2010 at 2:53 PM, Mike Lococo <mikelococogmail.com> wrote:
> > Thanks for your information regarding the SO_RULES about the source
> > compiled, this means I will have to switch platforms completely. I'm
> > thinking about CENTOS or Ubuntu, however it looks like Snort is not
> > compatible with the latest Ubuntu release? (Talking about SO_RULES) and
> > since they are in the midst of changing supported platforms I will most
> > likely rebuild my HP system. Does that make the most sense? I'm not
> > going to do anything with my current build until I form a plan of
> > rebuilding a new OS. More fun, which I really don't have time to do but
> > I do want to take advantage of the SO_RULES.
> I don't have strong feelings about platform. I've always run on RedHat,
> which works for me. Lots of folks I respect use FreeBSD. I think
> pretty much any platform with pre-compiled SO_RULES is a first-class
> citizen with respect to running Snort.
> > CPU usage is nil, watching it now under 1% . . . memory is at 3%. I
> > will look into turning on the performance monitor preprocessor, can I
> > run this in daemon mode, if so how do I check the stats, can I log them
> > to a file? Thank you very much for your help, I really do appreciate it!
> Read the fine manual, there's a section on the perfmon preprocessor. It
> writes output to a file of your choosing in comma delimited format. I
> use Zabbix to collect and graph the columns I'm interested in because I
> already have it available for other system monitoring purposes and it
> works well. There are lots of other visualization tools, both
> snort/perfmon focused and generic unix graphic frameworks. For initial
> troubleshooting, you can also learn quite a lot just by tailing the csv
> file, although that gets tiresome eventually.
> > CPU - 2x dual core 2.3MHz chips
> > Processor Cache: 4096KB
> > The NICs are HP branded without their own CPU, with 4 gig NIC ports on each
> > card. I'm only using one of these ports, as I originally planned to
> > monitor more than one VLAN.
> > I'm going to turn off the IRQs in the BIOS.
> > I don't have too many rules turned on and not even using the SO_RULES,
> > but I agree that it might be the sheer amount of traffic going over the
> > wire.
> You haven't said how much traffic you actually have. As a random
> data-point, with stock intel ethernet cards I see a few percent loss at
> 50mbits (not megaBytes, megabits) on a 16 core system with 32gig of ram.
> With an Endace capture card, I push 1.4gigabits through a slightly
> smaller box with virtually no loss. I'm not sure how far folks are able
> to scale snort on commodity ethernet cards before they start losing
> packets, but I'd be surprised if it was much beyond 200 megabits per
> If you want to minimize this kind of low-level tuning, consider ponying
> up for a SourceFire box where this kind of work is done out of the gate.
> Good Luck,
> Mike Lococo
> This SF.net Dev2Dev email is sponsored by:
> Show off your parallel programming skills.
> Enter the Intel(R) Threading Challenge 2010.
> Snort-users mailing list
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
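The thread describes pulling selected columns out of the comma-delimited file that the perfmon preprocessor writes. The following is an added example, not code from either poster or from the Snort project: it reads such a file, skips a line that is still being written, and returns the newest value of one column. The column names and their order in the constructed sample are assumptions; check the perfmon section of the manual for the layout your Snort version writes.

```python
import csv
import io
import sys

# Constructed sample. Column names and order are assumptions for illustration;
# the last line is cut short, as happens when the file is read mid-write.
SAMPLE = """\
#time,pkt_drop_percent,wire_mbits_per_sec,alerts_per_second
1283282400,0.000,41.2,0.3
1283282700,2.750,52.9,0.1
1283283000,7.125,
"""

def parse_perfmon(text):
    """Return (header, rows). Rows are lists of floats from complete lines only."""
    header, rows, width = None, [], None
    for fields in csv.reader(io.StringIO(text)):
        if not fields:
            continue
        if fields[0].startswith("#"):          # optional header/comment line
            header = [f.lstrip("#").strip() for f in fields]
            width = len(header)
            continue
        try:
            row = [float(f) for f in fields]
        except ValueError:
            continue                           # empty or non-numeric field: partial line
        if width is None:
            width = len(row)                   # no header: first row sets the width
        if len(row) == width:
            rows.append(row)
    return header, rows

def latest(text, column):
    """Newest value of a column, given as a 0-based index or a header name."""
    header, rows = parse_perfmon(text)
    if not rows:
        raise ValueError("no complete samples in file")
    if isinstance(column, str):
        if header is None:
            raise KeyError("file has no header line; use a numeric index")
        column = header.index(column)
    return rows[-1][column]

if __name__ == "__main__":
    # Usage: script.py <perfmon csv path> <column index or name>
    path, col = sys.argv[1], sys.argv[2]
    with open(path, newline="") as fh:
        print(latest(fh.read(), int(col) if col.isdigit() else col))
```

Because it prints a single number, the script can be called from any poller that accepts a command's output as an item value, such as a Zabbix agent `UserParameter`.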