Snort mailing list archives
Re: Hogwash anyone?
From: Michael Boman <michael.boman () securecirt com>
Date: Fri, 29 Nov 2002 11:34:09 +0800
On Thu, Nov 28, 2002 at 03:06:09PM -0000, Rochford, Paul wrote:
> Hi,
>
> Just interested to hear back from anyone who has implemented hogwash as a packet scrubber in a production environment. Did you see any noticeable improvements/problems? Did it bring your network to a halt leaving you a babbling mess in the corner?
>
> Any response / comments welcome,
>
> Paul

I have done some quick testing of HogWash, and I came up with some pretty ugly figures. On a P3 Celeron 1.1 GHz & 256 Mb of RAM I only managed to push 13 Mbit/s on a 100 Mbit network (testing was done with 'netperf' (http://freshmeat.net/projects/netperf/?topic_id=150)). At this point the CPU was totally flooded. I think Hogwash's bottleneck is that it uses libpcap to pull the data from the wire, inspect it and then use libnet to re-create the same packet on the other interface.

I have yet to look into snort-inline, which seems like a more promising solution. But the lack of documentation and plain diff files (the tarball on snort.org is actually a full 1.9b(something) with the snort-inline added to it) has so far put me off the path.

Does snort-inline have its own webpage somewhere with more information, or is it to 'use the source, Luke'? (I've already tried to use google, but it seems like google is not as strong as the source ;) )

Best regards
Michael Boman

--
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com
Current thread:
- Hogwash anyone? Rochford, Paul (Nov 28)
- Re: Hogwash anyone? Alberto Gonzalez (Nov 28)
- Re: Hogwash anyone? Michael Boman (Nov 28)
- <Possible follow-ups>
- RE: Hogwash anyone? Rochford, Paul (Nov 29)