Snort mailing list archives
RE: Approximate bandwidth performance running Snort
From: "Arseneault, Thomas (HQP)" <thomas.arseneault () rhi com>
Date: Fri, 22 Apr 2005 11:00:38 -0700
There was a thread a little while ago (check the archives) in which it was also determined that not all hardware is created equal. The same specs on boards by different manufacturers made a big difference. I don't recall if a "best of breed" was chosen, but the thread should help in figuring out how to pick the best hardware.

Tom Arseneault
Security Engineer
Robert Half International

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Matt Kettler
Sent: Friday, April 22, 2005 10:39 AM
To: Tristan RHODES
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Approximate bandwidth performance running Snort

Tristan RHODES wrote:
> Assume I buy a new dual-processor (Xeon or Opteron) server with 2 GB of RAM and SCSI disks. I plan on installing multiple gigabit network cards.
>
> How much bandwidth can I expect a default installation of Snort to handle? 1 Gbps? 2 Gbps? More? Less?
>
> Thanks,

I'd venture a guess at somewhere between 500mbps and 1g, however that's a wild guess and making a lot of assumptions. I'll also make the disclaimer that I've never tried to set up a high-performance Snort box before, so take my comments here as being highly anecdotal.

In general, IDS performance is a fairly ambiguous thing to measure, as there are a LOT of factors that matter just as much, if not more than CPU/disk/RAM.

Traffic type matters. Blasting packets by on some oddball port that only the "any" port rules are going to inspect is a lot different than blasting HTTP traffic by that the http_inspect preprocessor is going to look at, followed by a large number of content, uricontent and pcre rules. 1Gbps worth of large packets is much easier to handle than 1Gbps worth of tiny packets.

There's also a large impact from your surrounding software. OS, pcap libraries, etc. can have a truly huge impact on Snort performance. There will be a large performance difference between a Windows box with WinPcap compared with a *nix box using Phil Wood's ring buffer pcap library on a kernel that's tuned for low latency with various preemption patches.

The ring buffered pcap library alone makes a huge impact. I haven't seen any numbers, but I would not be surprised to hear the impact was in the +25% to +50% range in terms of peak data rate before packet drop compared to a classic pcap library.

I doubt you'll break into the 2gig range without some packet loss. In order to break into the 2-8 gig range, the Sourcefire IS5800 is using hardware ASICs to accelerate their system. That gives me the impression that hitting 2gig is hard to do with conventional hardware.

AFAIK the IS3000 doesn't use any custom hardware, just extensive tuning and customization. It manages to get 0% drop rate at 1Gbps. IMO, if you can match what the SF guys can do with their extensive tuning and intimate knowledge of Snort, then you're doing very well.
Current thread:
- Approximate bandwidth performance running Snort Tristan RHODES (Apr 22)
- Re: Approximate bandwidth performance running Snort Matt Kettler (Apr 22)
- <Possible follow-ups>
- RE: Approximate bandwidth performance running Snort Arseneault, Thomas (HQP) (Apr 22)