Snort mailing list archives
RE: Hogwash anyone?
From: "Rochford, Paul" <Paul.Rochford () itsis ie>
Date: Fri, 29 Nov 2002 10:53:42 -0000
Thanks for the comments. I guess a ton of testing is required ;)

-----Original Message-----
From: Michael Boman [mailto:michael.boman () securecirt com]
Sent: 29 November 2002 03:34
To: Rochford, Paul
Cc: 'snort'
Subject: Re: [Snort-users] Hogwash anyone?

On Thu, Nov 28, 2002 at 03:06:09PM -0000, Rochford, Paul wrote:
Hi,

Just interested to hear back from anyone who has implemented hogwash as a packet scrubber in a production environment. Did you see any noticeable improvements/problems? Did it bring your network to a halt leaving you a babbling mess in the corner?

Any response / comments welcome,
Paul
I have done some quick testing of HogWash, and I came up with some pretty ugly figures. On a P3 Celeron 1.1Ghz & 256 Mb of RAM I only managed to push 13 Mbit/s on a 100 Mbit network (testing was done with 'netperf' (http://freshmeat.net/projects/netperf/?topic_id=150)). At this point the CPU was totally flooded.

I think Hogwash's bottleneck is that it uses libpcap to pull the data from the wire, inspect it and then use libnet to re-create the same packet on the other interface.

I have yet to look into snort-inline, which seems like a more promising solution. But the lack of documentation and plain diff files (the tarball on snort.org is actually a full 1.9b(something) with the snort-inline added to it) has so far put me off the path.

Does snort-inline have its own webpage somewhere with more information, or is it to 'use the source, Luke'? (I've already tried to use google, but it seems like google is not as strong as the source ;) )

Best regards
Michael Boman

--
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com
Current thread:
- Hogwash anyone? Rochford, Paul (Nov 28)
- Re: Hogwash anyone? Alberto Gonzalez (Nov 28)
- Re: Hogwash anyone? Michael Boman (Nov 28)
- <Possible follow-ups>
- RE: Hogwash anyone? Rochford, Paul (Nov 29)