Snort mailing list archives

Snort Performance Measurement


From: abed mohammad kamaluddin <abedamu () gmail com>
Date: Fri, 14 Jun 2013 20:20:33 +0530

Hi,

There are a lot of vendor claims about IDS performance (including that
of Snort), ranging anywhere from 1 to 40 Gbps to 100 Gbps inline.

What is the standard method to benchmark Snort (or any IDS) - what type
of traffic, number of rules & conf? Are there any standard tools -
OSS or commercial? I am aware of some commercial ones like IxLoad
attack / Avalanche etc. - not sure how effective/standard they are.
Metasploit etc. can be used for functionality testing but not for perf
tests.

I believe the industry normally uses ip-mix pcaps - however the
numbers are heavily pcap dependent and can be twisted to suit
particular scenarios. Are there any set criteria / standard datasets
for measuring performance of IDS which you use at Sourcefire? For
example, between different versions of Snort, I have seen variations
when using the same set of rules, conf and traffic.

However, what should be the ideal traffic mix to test vendor claims?
Are there any recent data-sets apart from the DARPA data-sets
which can be used as benchmarking traffic? For specific site
deployments, a snapshot of traffic from the site can be used - but what
should be used in the general case?

I agree that the basic criteria to evaluate an IDS should be the
security it provides & stability; however, for customers, performance
numbers are one of the basic criteria as they look at IDS in the same
way they have been looking at firewalls or routers.

Any pointers would be appreciated.

Thanks,
--
Abed M K
Cavium Inc

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel