Snort mailing list archives
Re: Gigabit NIC's and snort hardware required??
From: Bennett Todd <bet () rahul net>
Date: Fri, 6 Jun 2003 08:57:48 -0400
2003-06-05T23:42:03 Zach Forsyth:
> When I use the command :> snort -vi2, shouldn't that be a very fast running version of snort?
When I check the man page, it says: -v Be verbose. Prints packets out to the console. There is one big problem with verbose mode: it's slow. If you are doing IDS work with Snort, don't use the '-v' switch, you WILL drop packets. That's for snort-2.0.0, but I really don't think this has changed. It's very basic.
> It is only logging to the dos window I run it in. Is it using any rules when run in this way?
No, to get snort to run rules as an IDS you use "-c" to aim it at a snort.conf. And in the snort manual (available at <URL:http://www.snort.org/docs/writing_rules/>), right at the top, at "1.4 Network Intrusion Detection Mode" it says: [...] if Snort is going to be used in a long term way as an IDS, the -v switch should be left off the command line for the sake of speed. The screen is a slow place to write data to, and packets can be dropped while writing to the display.
> I was under the impression that if it could not keep up with that command when I tell it to log or alert to a DB it would be even worse.
No, the other way around, if you're telling snort to log every packet to the screen, it'll be one slow little piggy. The starting point command you want is something along the lines of "snort -b -A fast -c .../snort.conf", modulo the differences between Unix and Windows commandlines. If you want to cram your alerts into a DB, and you also care about performance, you will positively want to use the unified binary output format feeding Barnyard. Or else to craft up something custom, using either -A fast or syslog to another machine, and feeding the DB on another machine with a file-tailer.
> P4 Xeon - does Xeon make a big difference? does it matter if it is dual or not?
If you only run snort on that machine, and do the DB feeding somewhere else, dual should make less difference. If you tune to the point where you don't have too many alerts dual will certainly not make a difference. Snort itself is one single-threaded process.
> 512mb or 1gb ddr ram - ram speed help, or just amount?
I'm not up to date on different flavours and speeds of RAM. Slower can't be better, though. With even the least bit of tuning 512M can be fine, but if it's not too dear to expend 1gb that completely removes any worry that snort might want a little more memory than it can get (==> _slow_).
> SATA or SCSI raid? Does disk speed make a huge difference?
I built hot little snorters with simple plain IDE drives. You get speed by ensuring snort doesn't need to write much. If snort is having to write so much that disk speed matters, you'll have a slow snorter; high alert volumes force snort to spend too much time whinging and too little time analyzing. Now if you're cramming alerts into a DB, the _separate_ machine the DB runs on should have fast disks. Windows instead of Linux may change this picture in some way, I don't know.
> In order of importance to snort speed:
> Tuning
> PCI bus and GB card speed
> Memory
> Processor
I'd rank those:

Memory + Tuning
Processor
bus & card speed

Memory is mandatory. If snort doesn't fit in real memory, you're doomed. Tuning is mandatory if you want to keep up with more than roughly 50Mbps (in my experience, possibly newer hardware has moved that point, I dunno). When I saw my little piggies starting to drop packets for real, the processor utilization was right on up there, so once the mandatory memory+tuning have been addressed I'd guess CPU might come next. Bus and NIC performance would make more difference on where the ceiling lies, I'd expect --- assuming you've got a NIC with a good OS driver that doesn't chew the system up just watching the net, before snort even starts looking at the packets. Another factor would be the quality of the pcap lib. I don't know about Windows there. On Linux I've heard that the ring-buffered variant libpcap can be a win, although I've not used it myself (I designed our snort deployment to avoid needing to handle more than c. 50Mbps per box).

-Bennett
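The "craft up something custom" path the reply describes (sensor runs with -A fast, a separate box tails the alert file into the database so the sensor never blocks on DB writes), as an added example that is not part of the post or of Snort itself. It assumes the Snort 2.x fast alert line layout shown in the comment, uses an in-process sqlite3 database to stand in for the remote DB, and the alert lines it ships with are constructed for the demo, not captured traffic.

```python
"""Tail a Snort '-A fast' alert file and load each alert into a database.

Added example, not code from the mailing-list post. Assumptions: the Snort
2.x fast alert format below, sqlite3 standing in for the remote DB, and
constructed sample alert lines.
"""
import re
import sqlite3
import sys
import tempfile
import time
from typing import Iterable, Iterator, Optional, Tuple

# Assumed Snort 2.x '-A fast' line (one alert per line):
#   MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:port -> dst:port
# Classification is optional and ICMP alerts carry no ports.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

SCHEMA = """
CREATE TABLE IF NOT EXISTS alert (
    id INTEGER PRIMARY KEY, ts TEXT, gid INTEGER, sid INTEGER, rev INTEGER,
    msg TEXT, classification TEXT, priority INTEGER, proto TEXT,
    src TEXT, sport INTEGER, dst TEXT, dport INTEGER)
"""

# Constructed sample alerts in the assumed fast format (not real traffic).
SAMPLE_ALERTS = """\
06/06-08:57:48.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.5:1434
06/06-08:57:49.000100  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.11:3210 -> 198.51.100.8:80
06/06-08:57:50.500000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.12 -> 198.51.100.9
this line is not an alert and is skipped
"""


def parse_fast_line(line: str) -> Optional[dict]:
    """Return the alert fields as a dict, or None if the line is not a fast alert."""
    m = FAST_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def load_alerts(lines: Iterable[str], conn: sqlite3.Connection) -> Tuple[int, int]:
    """Insert every parseable line; returns (inserted, skipped)."""
    inserted = skipped = 0
    for line in lines:
        a = parse_fast_line(line)
        if a is None:
            skipped += 1  # noise or a half-written line: never crash the loader
            continue
        conn.execute(
            "INSERT INTO alert (ts,gid,sid,rev,msg,classification,priority,proto,src,sport,dst,dport)"
            " VALUES (?,?,?,?,?,?,?,?,?,?,?,?)",
            (a["ts"], a["gid"], a["sid"], a["rev"], a["msg"], a["cls"], a["prio"],
             a["proto"], a["src"], a["sport"], a["dst"], a["dport"]))
        inserted += 1
    conn.commit()
    return inserted, skipped


def tail_lines(path: str, from_start: bool = False, poll: float = 0.2,
               max_idle_polls: Optional[int] = None) -> Iterator[str]:
    """Follow `path` like tail -f, yielding only complete lines (a partial
    write is buffered until its newline arrives). Stops after max_idle_polls
    empty polls; None means follow forever."""
    buf, idle = "", 0
    with open(path, "r") as f:
        if not from_start:
            f.seek(0, 2)  # only alerts written after we start
        while True:
            chunk = f.read()
            if chunk:
                idle, buf = 0, buf + chunk
                while "\n" in buf:
                    line, buf = buf.split("\n", 1)
                    yield line
                continue
            idle += 1
            if max_idle_polls is not None and idle >= max_idle_polls:
                return
            time.sleep(poll)


if __name__ == "__main__":
    # Usage: python loader.py /var/log/snort/alert   (defaults to a temp copy of SAMPLE_ALERTS)
    if len(sys.argv) > 1:
        path, from_start = sys.argv[1], False
    else:
        tmp = tempfile.NamedTemporaryFile("w", suffix=".alert", delete=False)
        tmp.write(SAMPLE_ALERTS); tmp.close()
        path, from_start = tmp.name, True
    db = open_db()
    print(load_alerts(tail_lines(path, from_start=from_start, max_idle_polls=3), db))
```

The loader keeps the sensor's write path cheap (a plain append to a text file) and moves the parsing and the DB round-trips off the sensor, which is the whole point of the arrangement the reply recommends; Barnyard reading unified output does the same job with less parsing, since the unified format is binary rather than text.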
Current thread:
- Gigabit NIC's and snort hardware required?? Zach Forsyth (Jun 05)
- Re: Gigabit NIC's and snort hardware required?? Roy S. Rapoport (Jun 05)
- Re: Gigabit NIC's and snort hardware required?? Bennett Todd (Jun 05)
- <Possible follow-ups>
- RE: Gigabit NIC's and snort hardware required?? Zach Forsyth (Jun 05)
- Re: Gigabit NIC's and snort hardware required?? Bennett Todd (Jun 06)
- RE: Gigabit NIC's and snort hardware required?? Zach Forsyth (Jun 09)