Snort mailing list archives

RE: Snort 1.9.1 Dual Sensor

From: "Grime, Richard S" <richard.grime () imperial ac uk>
Date: Thu, 13 Mar 2003 18:41:53 -0000

Cheers... I guess I'll give the benchmarking a try.  We put Gentoo on the
(dual CPU) Snort box in an effort to make full use of the SMP.  This was
mainly because we're occasionally running other stuff on the box (generally
Pcap's of specific hosts over a monitoring period, etc.) - but, if as you
suggest, Snort will run more efficiently under two instances on SMP then
it's certainly worth a go...

I think I'll have to do the benchmarking statistically (as in traffic over x
days), as the promisc interfaces are both fibre cards and there's not really
another box around that can feed the replays.

Unless there's any other suggestions?

Thanks,

Richard

-----Original Message-----
From: Bennett Todd [mailto:bet () rahul net] 
Sent: 13 March 2003 17:42
To: Grime, Richard S
Cc: 'Matt Kettler'; ANTONIO GUTIERREZ; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 1.9.1 Dual Sensor


2003-03-13T04:59:49 Grime, Richard S:

Does this mean there's a significant performance overhead to running with
bonded interfaces?


<snip>

No, a bonded interface is faster than two separate snorts, unless
one of the links is nearly idle (in which case it's the same), or
you have N CPUs for N snorts on a platform that does -really- good
SMP (in which case it could be slower, if the SMP support is good
enough).

<snip>

May I recommend you settle the performance question yourself?
tcpreplay <URL:http://tcpreplay.sf.net/> running with capture files
(remember if you grab 'em with tcpdump to use -s 0 so it'll capture
full packets rather than just headers) from your real monitoring
points. Snort running on a sensor with multiple interfaces,
connected by crossover cables to traffic generators.

-Bennett


-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open! 
Get cracking and register here for some mind boggling fun and 
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort 1.9.1 Dual Sensor ANTONIO GUTIERREZ (Mar 11)
- Re: Snort 1.9.1 Dual Sensor Matt Kettler (Mar 11)
- <Possible follow-ups>
- RE: Snort 1.9.1 Dual Sensor Grime, Richard S (Mar 12)
- re: Snort 1.9.1 Dual Sensor Michael J. McCasland (Mar 12)
- RE: Snort 1.9.1 Dual Sensor Matt Kettler (Mar 12)
- RE: Snort 1.9.1 Dual Sensor Grime, Richard S (Mar 13)
  - Re: Snort 1.9.1 Dual Sensor Bennett Todd (Mar 13)
- RE: Snort 1.9.1 Dual Sensor Grime, Richard S (Mar 13)