RE: Who can explain this?where is the bottleneck?

["Ricardo, Gerson" <gricardo () gableseng com>]

Rocky,
 
What output does IOSTAT or SAR give you as when you have your IDS system
in full operation?
 
Cheers,
 
 
Gerson
 
-----Original Message-----
From: rocky [mailto:rocky_maja () hotmail com] 
Sent: Friday, May 16, 2003 11:16 AM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Who can explain this?where is the bottleneck?
 
I did some simple tests on snort on-line detection capacity yesterday. 
I check a tcpdump data with only 37 kinds of attacks.First, I turn off
all useless precessors, indeed only frag2 and telnet remain
opening.Snort2.0 check this data "off-line" with only 37 rules. There
find about 7700 events in about 5 seconds. Then I inject the tcpdump
data by tcpreplay from my traffic producer and detect the traffic on my
sensor. 
Here are the detected events with different traffic rates:
150M   3522
100M   3791
80M    3851
50M    3941
20M    4163
10M    4271
 
I can not understand why snort can not find most events even in very low
speed.
I think it may be problem of my machines.
 
My traffic producer is Intel 1.4G, 256RAM, Redhat 9.0, E1000 NIC.
My snort sensor is Intel 2.4G, 512RAM, Redhat 9.0, E1000 NIC.
Where is the bottleneck?
How can I to detect all the events on-line?
 

Thanks very much.