Snort mailing list archives
Re: Snort limitations
From: "Nicholas Mavis (nmavis)" <nmavis () cisco com>
Date: Fri, 28 Mar 2014 16:26:15 +0000
Vernon definitely provided some good information and I would recommend checking out the link he provided. Most performance issues can be attributed to running far too many rules, using poorly written rules, or large single stream flows. Also, you are completely right, in larger environments multiple Snort instances are utilized in order to gain better performance.

Nick

From: "Stark, Vernon L." <Vernon.Stark () jhuapl edu>
Date: Thursday, March 27, 2014 at 7:58 PM
To: nmavis <nmavis () cisco com>, Ayoub Abid <abid.ayoub () gmail com>, snort-users <snort-users () lists sourceforge net>, "snort-openappid () lists sourceforge net" <snort-openappid () lists sourceforge net>
Subject: RE: [Snort-users] Snort limitations

Ayoub,

You may want to look at tuning Snort to improve performance. Steven Sturges wrote a great document on tuning Snort (http://www.snort.org/assets/163/WhitePaper_Snort_PerformanceTuning_2009.pdf). An example parameter that can be modified is server_flow_depth. Depending upon the characteristics of traffic on your network, a change in this parameter may make a very large difference in how Snort performs.

Also, as Nick indicates below, more CPU and memory may be required to achieve adequate performance in your environment. I suspect most environments run Snort on hosts with many processors and a large amount of memory and divide the network traffic among multiple instances of Snort.

Vern

From: Nicholas Mavis (nmavis) [mailto:nmavis () cisco com]
Sent: Thursday, March 27, 2014 6:37 PM
To: Ayoub Abid; snort-users; snort-openappid () lists sourceforge net
Subject: Re: [Snort-users] Snort limitations

Ayoub,

The performance of Snort depends on the resources available on the machine running it. The more traffic you have, the more resources (CPU/memory) you will need to have available for Snort.

Nick

From: Ayoub Abid <abid.ayoub () gmail com>
Date: Thursday, March 27, 2014 at 4:32 AM
To: snort-users <snort-users () lists sourceforge net>, "snort-openappid () lists sourceforge net" <snort-openappid () lists sourceforge net>
Subject: [Snort-users] Snort limitations

Hello,

I want to discuss here how far we can trust Snort to secure our network. Does Snort have some limitations?

I have tested Snort for a couple of weeks. It detects attacks when we have normal traffic. But when we have huge traffic, like 2000 pak/sec, it makes a big delay to scan all the traffic and detect the intrusion. For example, I can have an attack now and it will report it in 10 or 15 min.

So what are the limits of Snort to detect attacks?

Thank you,
Ayoub