Menu
▾
▴
Re: [Snort-inline-users] Hi CPU with inline patch against Snort 2.3.3
|
From: Victor J. <vi...@nk...> - 2006-01-19 13:21:39
|
ni...@el... wrote: > Hi, list > following is my machine configuration > > Intel(R) Celeron(R) CPU 2.00GHz with 128KB cache and intel 10/100Mb NIC... > Memory:- 1GB > > The thing is after patching snort 2.3.3 with snort_inline patch... I have > 2 different configuration for Stream4 > > 1.) preprocessor stream4: disable_evasion_alerts > > In this case my CPU is less than 10 % for a set of traffic > > 2.) preprocessor stream4: disable_evasion_alerts, stream4inline, memcap > 134217728, timeout 3600, midstream_drop_alerts > > In this case my CPU hits 50% at specific intervals don't know interval is > random or some specific..... :) with same set of traffic.... > > Is it due to the inline modifications in stream4 ???? Yes, that is possible since stream4inline does a lot more work than normal stream4 (even in inline mode). This is because it constantly scans a reassembled buffer, which is more costly. However, you don't need to enable the stream4inline option to use stream4 in inline mode. I do however think that with the stream4inline option enabled, there is less chance that you miss an attack. Regards, Victor |
