Snort, the open source intrusion detection and prevention system (IDS/IPS), can be a fabulous tool to protect your network from attack – if it’s set up correctly. If it’s not, it can cause network traffic and performance problems. Here’s a rundown of how to use Snort’s built-in profiling tools to tune your setup and improve Snort’s performance.
Snort is generally used to monitor and analyze network traffic to detect probes and attacks of various sorts. The core of Snort is its detection engine, which matches packets against rules, but not every attack can be spotted by looking at a single packet in isolation. So Snort also has an array of preprocessors that either inspect packets themselves or normalize traffic (reassembling fragments and TCP streams, decoding application protocols) before passing it to the detection engine. Obviously, all of this analysis takes system resources, and if Snort cannot keep up it will drop packets it never inspects, or, when run inline as an IPS, delay your network traffic. Inevitably, tuning Snort forces you to balance the risk of missed intrusions against a smoothly functioning network, but by monitoring performance and tuning carefully to your own systems and requirements, you can do your best to get the most of both.
Snort provides its own performance monitoring tool as a preprocessor, perfmonitor, with a long list of options. You can start using it by adding a line to snort.conf:

preprocessor perfmonitor: time 300 flow events snortfile perfstats.log

time 300 tells Snort how often, in seconds, to write out a set of statistics. flow shows statistics about the type of traffic and protocols that Snort is seeing. events shows how many rules were evaluated and matched (qualified events) versus how many were evaluated and did not match (non-qualified events); a large share of non-qualified events means Snort is spending cycles on rules that never fire, which is a good hint about where to trim your ruleset. The snortfile option logs the raw, comma-delimited statistics to perfstats.log in the Snort log directory (the one set with -l); the file option does the same but takes a full path of your choosing, so use one or the other rather than both. (Either can be overridden on the command line with -Z.) Alternatively, using console rather than a file option prints nicely formatted statistics to the console. console output is readily human-readable, which is handy while you are experimenting, but the file output is what you want for tracking performance over days or weeks.

One caveat: Snort only checks the clock every pktcnt packets (10,000 by default) rather than on every packet, so on a quiet link a report can arrive well after the 300 seconds you asked for. Lower pktcnt if you need tighter timing, at a small cost in overhead.
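Once you are logging to a file, the useful question is "when did Snort fall behind?" The script below, which is an added example and not code from the original article or from the Snort project, reads the comma-delimited stats file and flags intervals where the packet-drop percentage or CPU saturation crossed a threshold. It assumes the file starts with a "#"-prefixed header line naming the columns and that columns called time, pkt_drop_percent, usr, sys and idle exist under those names; check the header of your own file and adjust COLS if yours differ. The sample data embedded in the script is constructed for illustration, not real Snort output.

```python
"""
Flag intervals in a Snort perfmonitor stats file where Snort dropped
packets or the CPU was saturated.

Added example, not from the original article or the Snort project.
Assumptions (not verified against every Snort release): the stats file
is comma-delimited, begins with a '#'-prefixed header line naming the
columns, and contains the columns listed in COLS under those names.
"""
import csv
from datetime import datetime, timezone

# Column names this script relies on (assumed; verify against your header line).
COLS = ("time", "pkt_drop_percent", "usr", "sys", "idle")

# Constructed sample of five 300-second intervals; not real Snort output.
SAMPLE_STATS = """\
#time,pkt_drop_percent,usr,sys,idle
1262304000,0.000,12.5,3.1,84.4
1262304300,0.000,15.2,3.4,81.4
1262304600,4.750,71.0,12.0,17.0
1262304900,9.120,88.3,9.2,2.5
1262305200,0.010,14.0,3.0,83.0
"""


def parse_perfstats(text):
    """Return one dict per interval, keyed by the header names, values as floats."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#"):
        raise ValueError("expected a '#'-prefixed header line naming the columns")
    header = lines[0].lstrip("#").split(",")
    missing = [c for c in COLS if c not in header]
    if missing:
        raise ValueError("stats file lacks expected columns: %s" % ", ".join(missing))
    rows = []
    for rec in csv.reader(lines[1:]):
        if not rec or rec[0].startswith("#"):
            continue  # blank line, or a header repeated after a Snort restart
        if len(rec) != len(header):
            continue  # truncated line, e.g. Snort was killed mid-write
        row = {k: float(v) for k, v in zip(header, rec)}
        row["time"] = int(row["time"])
        rows.append(row)
    return rows


def find_overloaded_intervals(rows, max_drop_pct=1.0, min_idle_pct=10.0):
    """Return (timestamp, reasons) for intervals that breached either threshold."""
    bad = []
    for r in rows:
        reasons = []
        if r["pkt_drop_percent"] > max_drop_pct:
            reasons.append("dropped %.2f%% of packets" % r["pkt_drop_percent"])
        if r["idle"] < min_idle_pct:
            reasons.append("CPU idle only %.1f%% (usr %.1f%%, sys %.1f%%)"
                           % (r["idle"], r["usr"], r["sys"]))
        if reasons:
            bad.append((r["time"], reasons))
    return bad


def report(text, **thresholds):
    """Print a human-readable summary; returns the number of flagged intervals."""
    rows = parse_perfstats(text)
    bad = find_overloaded_intervals(rows, **thresholds)
    for ts, reasons in bad:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
        print("%s: %s" % (when, "; ".join(reasons)))
    print("%d of %d intervals flagged" % (len(bad), len(rows)))
    return len(bad)


if __name__ == "__main__":
    # Replace SAMPLE_STATS with open("/var/log/snort/perfstats.log").read()
    # (the path is an assumption) to run it against a real file.
    report(SAMPLE_STATS)
```

Two intervals in the sample get flagged: one for drops alone, one for drops plus a nearly idle-free CPU. On a real file, correlate the flagged timestamps with what else was happening (a rule update, a backup job saturating the link, a new preprocessor enabled) before you start tuning; a drop spike that lines up with a ruleset change points at the rules, one that lines up with a traffic surge points at the hardware or at stream and fragment memory limits.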