Snort mailing list archives
RE: RE: snort performance
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Thu, 18 Apr 2002 15:46:14 -0500
From experience:
Since snort will only use one processor (though I know they plan to multi-thread)... Almost all of our limitations have been based solely on how much data one snort running on one processor could handle.... I'd estimate 1 CPU from a Netra T1 can handle @80-100Mbps with our setup. With HOME_NET as [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12] (all the local addrs from whichever RFC that was) and EXTERNAL NET as any, I'm sure we could handle this much data on our T1s. Not that it's very affordable, but a Sun 440R should be able to handle @250Mbps per snort... (@1Gbps total)... But you'd have to separate it into
=4 streams. Of course, if you have only a firewall facing the internet,
and then have several connections coming back from it, you could easily span those separate streams beyond the firewall (from the internal switches), and you'd still have all your data. That would also let you shrink your HOME_NET to a much smaller net... And improve performance even more... I'd talk about optimizing HOME_NET and rules and snort config, but I think everyone else has covered that... -CJK _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- snort performance Christian Kuhtz (Apr 16)
- RE: snort performance Christian Kuhtz (Apr 16)
- <Possible follow-ups>
- RE: RE: snort performance Williams Jon (Apr 16)
- Re: RE: snort performance james (Apr 17)
- RE: RE: snort performance Christian Kuhtz (Apr 17)
- Re: RE: snort performance james (Apr 17)
- Re: RE: snort performance james (Apr 17)
- RE: RE: snort performance Williams Jon (Apr 18)
- RE: RE: snort performance Kreimendahl, Chad J (Apr 18)