Snort mailing list archives

Re: Snort limitations


From: "Nicholas Mavis (nmavis)" <nmavis () cisco com>
Date: Fri, 28 Mar 2014 16:26:15 +0000

Vernon definitely provided some good information and I would recommend checking out the link he provided. Most 
performance issues can be attributed to running far too many rules, using poorly written rules, or large single-stream 
flows.

Also, you are completely right, in larger environments multiple Snort instances are utilized in order to gain better 
performance.

Nick

From: <Stark>, "Vernon L." <Vernon.Stark () jhuapl edu<mailto:Vernon.Stark () jhuapl edu>>
Date: Thursday, March 27, 2014 at 7:58 PM
To: nmavis <nmavis () cisco com<mailto:nmavis () cisco com>>, Ayoub Abid <abid.ayoub () gmail com<mailto:abid.ayoub () 
gmail com>>, snort-users <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>>, 
"snort-openappid () lists sourceforge net<mailto:snort-openappid () lists sourceforge net>" <snort-openappid () lists 
sourceforge net<mailto:snort-openappid () lists sourceforge net>>
Subject: RE: [Snort-users] Snort limitations

Ayoub,

You may want to look at tuning Snort to improve performance.  Steven Sturges wrote a great document on tuning Snort 
(http://www.snort.org/assets/163/WhitePaper_Snort_PerformanceTuning_2009.pdf).  An example parameter that can be 
modified is server_flow_depth.  Depending upon the characteristics of traffic on your network, a change in this 
parameter may make a very large difference in how Snort performs.

Also, as Nick indicates below, more CPU and memory may be required to achieve adequate performance in your environment. 
 I suspect most environments run Snort on hosts with many processors and a large amount of memory and divide the 
network traffic among multiple instances of Snort.

Vern

From: Nicholas Mavis (nmavis) [mailto:nmavis () cisco com]
Sent: Thursday, March 27, 2014 6:37 PM
To: Ayoub Abid; snort-users; snort-openappid () lists sourceforge net<mailto:snort-openappid () lists sourceforge net>
Subject: Re: [Snort-users] Snort limitations

Ayoub

The performance of Snort depends on the resources available on the machine running it. The more traffic you have, the 
more resources (CPU/memory) you will need to have available for Snort.

Nick

From: Ayoub Abid <abid.ayoub () gmail com<mailto:abid.ayoub () gmail com>>
Date: Thursday, March 27, 2014 at 4:32 AM
To: snort-users <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>>, "snort-openappid 
() lists sourceforge net<mailto:snort-openappid () lists sourceforge net>" <snort-openappid () lists sourceforge 
net<mailto:snort-openappid () lists sourceforge net>>
Subject: [Snort-users] Snort limitations

Hello


I want to discuss here how far we can trust Snort to secure our network. Does Snort have some limitations?

I have tested Snort for a couple of weeks. It detects attacks when we have normal traffic. But when we have huge 
traffic, like 2000 packets/sec, it has a big delay scanning all the traffic and detecting the intrusion. For example, I can 
have an attack now and it will report it in 10 or 15 min.

So what are the limits of Snort to detect attacks?

Thank you
Ayoub
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
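A check worth running before changing server_flow_depth or adding instances, added here as an editor's example and not part of any message in the thread: Snort's perfmonitor preprocessor (enabled in snort.conf with `preprocessor perfmonitor: time 60 file /var/log/snort/snort.stats pktcnt 10000`) writes comma-separated per-interval statistics, and the drop percentage in that file tells you whether the sensor is actually keeping up with the 2000 packets/sec described above. The script parses such a file by its header line and flags overloaded intervals. The field names it looks up (`pkt_drop_percent`, `kpackets_per_sec.realtime`, `patmatch_percent`, `alerts_per_second`) are assumed to match the Snort 2.9 header, and the sample rows are constructed, not captured from a real sensor.

```python
"""Flag overloaded intervals in a Snort perfmonitor stats file.

Added example; not code from the snort-users thread or from the Snort project.
Assumes the Snort 2.9 perfmonitor file layout: a '#'-prefixed header line naming
the comma-separated fields, followed by one row per reporting interval.
"""
from dataclasses import dataclass

# Constructed sample: four 60-second intervals, two healthy at roughly 2 kpps
# (2000 packets/sec) and two where the load rose and Snort started dropping.
# Field names follow the assumed Snort 2.9 perfmonitor header.
SAMPLE_STATS = """\
#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second,kpackets_per_sec.realtime,avg_bytes_per_packet.realtime,patmatch_percent
1395900000,0.000,12.5,0.10,1.9,820,31.2
1395900060,0.000,13.1,0.12,2.0,818,32.0
1395900120,18.400,61.7,0.05,9.8,790,71.5
1395900180,24.900,64.2,0.02,10.1,785,74.3
"""


@dataclass
class Interval:
    time: int            # epoch seconds at the end of the interval
    drop_pct: float      # packets the DAQ dropped because Snort was busy
    kpps: float          # thousands of packets per second on the wire
    patmatch_pct: float  # share of processing time spent in pattern matching
    alerts_per_sec: float


def parse_perfmon(text):
    """Parse perfmonitor output, resolving columns by the header line."""
    header = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # Snort rewrites the header when the file is created; keep the latest.
            header = line[1:].strip().split(",")
            continue
        if header is None:
            raise ValueError("perfmonitor data row before any header line")
        fields = dict(zip(header, line.split(",")))
        rows.append(Interval(
            time=int(fields["time"]),
            drop_pct=float(fields["pkt_drop_percent"]),
            kpps=float(fields["kpackets_per_sec.realtime"]),
            patmatch_pct=float(fields["patmatch_percent"]),
            alerts_per_sec=float(fields["alerts_per_second"]),
        ))
    return rows


def overloaded_intervals(rows, max_drop_pct=1.0):
    """Intervals where Snort dropped more than max_drop_pct of packets."""
    return [r for r in rows if r.drop_pct > max_drop_pct]


def summarize(rows, max_drop_pct=1.0):
    """Peak load, peak drop rate, and the number of overloaded intervals."""
    over = overloaded_intervals(rows, max_drop_pct)
    return {
        "intervals": len(rows),
        "peak_kpps": max(r.kpps for r in rows),
        "peak_drop_pct": max(r.drop_pct for r in rows),
        "overloaded": len(over),
        # A rising pattern-match share alongside drops points at the rule set
        # rather than at the host; compare the first and last overloaded rows.
        "patmatch_pct_when_overloaded": [r.patmatch_pct for r in over],
    }


if __name__ == "__main__":
    rows = parse_perfmon(SAMPLE_STATS)
    for r in overloaded_intervals(rows):
        print(f"{r.time}: {r.drop_pct:.1f}% dropped at {r.kpps:.1f} kpps, "
              f"patmatch {r.patmatch_pct:.1f}%")
    print(summarize(rows))
```

A dropped packet is never inspected, so a non-zero drop percentage means missed detections, not late ones. If the file shows no drops while alerts still arrive minutes late, the bottleneck is downstream of detection (output plugins, logging, or whatever consumes the alerts) and neither rule trimming nor more instances will change it; if drops appear together with a high pattern-match share, the rule set and flow-depth advice in the thread is the place to start.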
