Snort mailing list archives
Re: snort sp for 10GE link
From: Martin Holste <mcholste () gmail com>
Date: Thu, 25 Aug 2011 08:34:35 -0500
None of the GPU-based stuff is ready for primetime. There was a project a few years ago called Gnort which used GPU's, but that ended and code was never released. As you've pointed out, Suricata's GPU implementation is not efficient and therefore not an option. You can do software load balancing of Snort with PF_RING. I have a short write-up on how to do this here: http://ossectools.blogspot.com/2011/07/running-load-balanced-snort-in-pfring.html . My general rule of thumb is you need 1 CPU per 1000 rules per 100 Mbit of traffic, so at 1000 Mbit, you can only run 10 rules per CPU. However, at that speed, the preprocessor performance becomes a major factor. At 10 Gbit, you are down to 1 rule per CPU, assuming that your preprocessors (like HTTP, DCE, etc.) can keep up (which they cannot). So, you may be able to inspect 10 Gbit of DCE/SMB traffic, but I doubt you can inspect 10 Gbit of HTTP or SMTP traffic at wirespeed. If you really have a saturated 10 Gbit connection, you are probably better off with a hardware load-balancer and setting up a cluster of machines. A much better approach would be to limit the scope of the traffic you want to inspect to get it down to more like 1-2 Gbps, which is still quite a challenge to inspect without drops, even with a very limited rule set. On Thu, Aug 25, 2011 at 7:45 AM, ahmad reza noroozi <ahmadrezanoroozi () gmail com> wrote:
I am to make an IDS for 10GE links I was used snort for recent years I want to know everybody has performance testing for snort sp for high bandwidth? can it to handle above 5000,000 concurrent session at hig speed rate(for example in stream5 processors) as you may know suricata is able to use from GPU but multithreading in it is not efficient. I want to use from GPU (graphic processing unit) tesla cards to accelerate snort for 10GE link. is there any performance testing for a multiple core system speed up for snort sp? is it better to accelerate with GPU or with multi core system? I am very interesting to Martin Roesch and happy to he also answer me ------------------------------------------------------------------------------ EMC VNX: the world's simplest storage, starting under $10K The only unified storage solution that offers unified management Up to 160% more powerful than alternatives and 25% more efficient. Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ EMC VNX: the world's simplest storage, starting under $10K The only unified storage solution that offers unified management Up to 160% more powerful than alternatives and 25% more efficient. Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- snort sp for 10GE link ahmad reza noroozi (Aug 25)
- Re: snort sp for 10GE link Martin Holste (Aug 25)