Snort mailing list archives
Snort performance (was Re: Help with where to place ...)
From: Bennett Todd <bet () rahul net>
Date: Mon, 24 Jun 2002 11:41:52 -0400
2002-06-19-06:45:31 Poppi, Sandro:
> I think snort can handle GB when the snort box and snort are highly tuned (not tested full GB speed yet).
I've not yet done enough testing to have a real feel for this from my own experience, but from what I've read and been told by others, I get the impression that snort, on a modern hot box (>>1GHz CPU, 512MB or more RAM), run with -A fast -b, can handle

- c. 50Mbps easily with the default sigs and config;
- >100Mbps with suitably careful tuning (careful placement, careful and appropriate customization of HOME_NET, good choice of interface card, etc.);
- up to possibly 250-300Mbps flat out max without exotic custom hardware, limited by the ability of the system to unload packets out of the interface buffer; to hit this range you have to be very, very carefully tuning the signature set to include only the handful of signatures you're really critically interested in.

Unless there's been a breakthrough I haven't heard about, neither Snort nor any other NIDS running under a general-purpose OS on general-purpose hardware can be expected to run at greater than c. 300Mbps no matter how tightly you tune it.

I try very hard to plan my deployments so that traffic passing the snort sensor is cleaned up by the outer layers of the firewall plant --- i.e. I place snort inside the proxy layer --- so that it doesn't have to deal with fragments and deliberate IDS-DoS attacks and failed attacks; and I try to plan things so that I don't expect more than 50Mbps to pass by snort's nose. While additional engineering effort can crank the levels up, I'm not wildly happy about increasing my manpower costs to buy just a factor of 2-4 performance boost.

So far I've been able to keep the aggregate traffic down. If I should be unable to sometime in the near future, before snort (or PC hardware) performance improvements crank up to where I need, I expect I'd be shopping for a device that uses custom hardware to wind the performance way up. <URL:http://www.intruvert.com/> claim to be doing this; there are probably other companies competing in these realms as well.

The other approach that people recommend for hitting the Gbps range is to use a special sort of loadbalancer, e.g. <URL:http://www.toplayer.com/>, to schmear the traffic out over a snort farm. Again, the engineering expense of creating and maintaining such a beast puts me off.

This is a field that's developing so very, very rapidly that it seems like a good idea to postpone big purchases as long as possible; if you can make do with what Snort can easily accomplish now, and worry about higher performance later, that's probably the best approach. Most folks confine their snort needs to its current performance abilities by deploying it on the perimeter; very few shops actually sustain >50Mbps outside (links that fast are pretty dear). Intruvert (and, I expect, their competitors, whoever they are) are focused more on delivering IDS throughout your core networks, where snort (and ISS, and NFR, and ...) can't reach the needed performance.

-Bennett
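The signature-set trimming and HOME_NET scoping Bennett describes above, as an added example (this is not code from the original post, from Bennett, or from the Snort project): a small Python script that parses a Snort rule file (the classic `action proto src sport -> dst dport (options)` form with `\`-continued lines and `;` inside quoted strings), keeps only the rules you have whitelisted by SID, by classtype, or by priority, and counts how many of the remaining rules are bound to `$HOME_NET`, which is why a tight HOME_NET definition matters: rules scoped to it never run against traffic that does not touch your address space. The rules embedded below are constructed for the demo (hypothetical local-range SIDs 1000001-1000006, not real Snort signatures), and all helper names are my own.

```python
import re

# Constructed sample rule set for this demo (hypothetical local-range SIDs, not real Snort signatures).
SAMPLE_RULES = r"""
# demo rules: a web probe, some low-priority noise, an unscoped rule, and one split across two lines
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB demo cgi probe"; flags:A+; content:"/cgi-bin/demo"; nocase; classtype:web-application-attack; priority:2; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH demo version string"; content:"SSH-1.99"; classtype:attempted-recon; priority:3; sid:1000002; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP demo ping"; itype:8; classtype:misc-activity; priority:3; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"CHAT demo IRC nick; note the semicolon"; content:"NICK "; classtype:policy-violation; priority:1; sid:1000004; rev:2;)
alert tcp any any -> any 31337 (msg:"BACKDOOR demo port, not scoped to HOME_NET"; flags:S; classtype:misc-activity; priority:3; sid:1000006; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 \
    (msg:"SMTP demo split rule"; content:"|00 01|"; classtype:attempted-admin; priority:1; sid:1000005; rev:1;)
"""

# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$", re.S)


def logical_lines(text):
    """Yield one rule per item: backslash continuations joined, blank lines and # comments dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if buf:
            buf += " " + line
        else:
            if not line or line.startswith("#"):
                continue
            buf = line
        if buf.endswith("\\"):
            buf = buf[:-1].rstrip()
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def split_options(opts):
    """Split 'k:v; k2; ...' on ';' only outside double quotes (msg/content may contain ';')."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == "\\":
            cur.append(ch); escaped = True
        elif ch == '"':
            cur.append(ch); in_quote = not in_quote
        elif ch == ";" and not in_quote:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        parts.append("".join(cur))
    out = []
    for p in parts:
        p = p.strip()
        if p:
            key, _, val = p.partition(":")
            out.append((key.strip(), val.strip().strip('"')))
    return out


def parse_rule(line):
    """Return a dict with the header fields plus sid/msg/classtype/priority pulled from the options."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a rule: %r" % line)
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("opts"))
    scalars = dict(rule["options"])  # last value wins; fine for the scalar keys we use
    rule["sid"] = int(scalars["sid"]) if "sid" in scalars else None
    rule["msg"] = scalars.get("msg", "")
    rule["classtype"] = scalars.get("classtype")
    rule["priority"] = int(scalars["priority"]) if "priority" in scalars else None
    rule["text"] = line
    return rule


def load_rules(text):
    return [parse_rule(l) for l in logical_lines(text)]


def trim_rules(rules, keep_sids=(), keep_classtypes=(), max_priority=None):
    """Keep a rule if its sid or classtype is whitelisted, or its priority is at or above max_priority (1 = highest)."""
    keep_sids, keep_classtypes = set(keep_sids), set(keep_classtypes)
    return [r for r in rules
            if r["sid"] in keep_sids or r["classtype"] in keep_classtypes
            or (max_priority is not None and r["priority"] is not None and r["priority"] <= max_priority)]


def homenet_bound(rules):
    """Rules that only fire on traffic with $HOME_NET as source or destination."""
    return [r for r in rules if "$HOME_NET" in (r["src"], r["dst"])]


def write_rules(rules, path):
    with open(path, "w") as f:
        for r in rules:
            f.write(r["text"] + "\n")


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    kept = trim_rules(rules, keep_sids=[1000001], max_priority=1)
    print("loaded %d rules, kept %d:" % (len(rules), len(kept)))
    for r in kept:
        print("  sid:%d  %s" % (r["sid"], r["msg"]))
    print("%d of %d rules are bound to $HOME_NET" % (len(homenet_bound(rules)), len(rules)))
    write_rules(kept, "trimmed.rules")
```

Point `include` in snort.conf at the written file instead of the full rule set, define HOME_NET as the actual monitored subnet rather than `any`, and run the sensor the way Bennett does (`-A fast -b`). The parser covers the common rule form only: it does not expand `var` definitions, IP lists in brackets, or newer rule features, so check its rule count against the source file before trusting the trimmed output.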
Current thread:
- AW: Help with where to place a Snort sensor! -newbie questions- Poppi, Sandro (Jun 19)
- Snort performance (was Re: Help with where to place ...) Bennett Todd (Jun 24)
- RE: Snort performance (was Re: Help with where to place ...) Ashley Thomas (Jun 24)
- Snort performance (was Re: Help with where to place ...) Bennett Todd (Jun 24)