Snort mailing list archives
Snort on large loads.
From: "Wedge Breaker" <wedgebreaker () crackdealer com>
Date: Tue, 11 Dec 2001 12:31:39 -0800
> Well, I know that several large commercial sites are using Snort on OC-12s at 622 Mbps on Xeons without packet loss according to their claims
Really? That's a LOT of traffic! I didn't realize Snort was that fast - I did some testing a while ago w/ Snort (1.8.1 I think) and my tests didn't show that kind of capability. I'm running Snort now at my job at around 60Mbit/s sustained and 120Mbit/s peaks and I'm dropping stuff now and then. This is a PIII 800-something w/ 256M RAM and rocking an Intel Gig card so it's no slouch in the hardware department. I definitely love Snort, but man, 600+ Mbit/s is a BIG matzo ball to swallow.
> , so I wouldn't expect any issues with T3/DS3/OC1 at 45Mbps on modern hardware or even saturated Fast Ethernet at 100Mbps. 45 Mbps should barely make your Snort sensor break a sweat.
Any caveats with this claim? I would think that 45Mbit/s of all web traffic could cause some trouble. Especially if you are doing protocol analysis to catch unicode type stuff. I'm not trying to sound blasphemic (honest!) - it's just that as an IDS admin for several years, I can say that my experience doesn't support these claims. Snort or otherwise, which leads me to...
> Your mileage with other IDSes may vary :-).
Heh, heh, not going to argue with you there. I just read an article the other day where that joker Gula said they were having problems with like 300Mbit/s. I've worked w/ Dragon a little and found it to be fairly fast... Has anyone really put them to pace to see which is faster?
> I think, as all the IDS vendors will eventually discover and the trade press will someday clue into, at higher rates, the problems do not lie only in the IDS software per se, as much as the interface drivers and OS architectures and that oh so fun PCI transfer and DMA interrupt bottleneck.
Hm. I've always thought that protocol analysis was much harder than sniffing traffic on a 64-bit PCI bus Gig card. I'm no programmer, so maybe I'm wrong? Honest Dragos, I'm not trying to attack you, just asking for some clarification on these claims...
wb