Snort mailing list archives
RE: Snort and high performance networks
From: "Rafael Ortega" <rafael.ortega () telecarrier com>
Date: Fri, 21 May 2004 14:05:36 -0500
I've tried both FreeBSD and now Linux without doing any modification to the kernels. I'll admit that my information might be wrong, but that is what I'm sniffing according to the switch interface I'm using to monitor the traffic. As for the snort performance, I base my numbers on the output snort gives when you stop it. Can somebody suggest a better way to get more accurate results? The hardware is a stock Dell (rackmount series, 26xx, can't remember exactly and I'm not close to it right now) with dual Xeon 2.4GHz and 1 GB of RAM.

Of course, I see that I'm wrong (can't be 800Mbits if I'm using 100Mbit interfaces). Doh! I will repost with the correct numbers when I get them.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort user
Sent: Friday, 21 May 2004 10:59
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort and high performance networks

Hi,

I've snipped out some of the recent posts to this thread. We've been doing extensive research into snort speeds at my University and to me it seems like these 2 posts are completely inaccurate and absurd. Chad claims to capture all traffic with all rules and preprocessors with a $2500 piece of hardware, while if you buy a $50,000 solution from Sourcefire (home of the creator of snort) you can only get 1 Gig and they disable rules and preprocessors (http://osec.neohapsis.com/results/nids/sourcefire-ns3020f-2.6-06.25.2003/productinfo.html). And then when Chris asked you your specs on your box you defer him to TopLayer. Even getting 800 Mb/s as Rafael said is not impossible but really is not feasible without hardcore kernel modification and maybe even silicon chips and ASIC cards. Would either of you like to share how you're able to do this, I mean the technologies and hardware you're using? Also how do you verify these results?

-- UoC --

-- snip Rafael Ortega --
I'm currently snorting close to 800Mbps with no problem. What to do with the amount of info, is another story. I tried ACID, but after 24 hours and 700,000 events registered, the data base becomes too slow, even after indexing certain reference fields.
-- end snip --

-- snip Kreimendahl, Chad --
FWIW... I've got systems that are easily handling between 3-4Gbps each. That's partially hardware, partially OS, and a little tiny config work. Very near to all rules enabled on these interfaces, as well as all of the preprocessors (minus the broken ones), and a database output plugin. 0 dropped packets. If you check the archives for this list, you'll find discussions about kernels that can do polling against network devices, and how this enhances snort performance on high speed links (network performance in general, really). I believe I mention the OSes, maybe some config info and hardware used.
-- end snip --