Snort mailing list archives

Re: Reply: Could anyone share the performance data of Snort3.0 IDS


From: "Sunyi LIu" <sunnysunny128 () 163 com>
Date: Thu, 12 Jan 2017 17:57:14 +0800 (CST)

Hi,
   I appreciate your help, I will have a try.
Br
sunny




At 2017-01-11 18:20:28, "Russ" <rucombs () cisco com> wrote:
Snort 3.0 does process packets differently than Snort 2.X and you will get better performance for equivalent 
configurations.  To get more performance, use hyperscan.  And to get best performance, use service rules like alert 
http (not yet available from Talos).

As far as we know, the new http_inspect works very well and is a huge improvement over the old one.  Of course, it is a 
major new piece of code and we are actively working to improve it.  If you are aware of any issues, please send the 
details to bugs () snort org.

Thanks
Russ


On 1/10/17 8:00 PM, Nacht Z wrote:


Hi:

     I have tested Snort 2.9 (single thread, with CPU Intel(R) Xeon(R) CPU E5-2640 v2 @ 2.00GHz) with 1900 rules. It can 
only handle flow less than 300Mbps. So if Snort does not change its way of analysing packets in Snort 3, it may be 
hard to reach 10Gbps in multi-thread Snort 3.0.

     What's more, one of my mates told me that he found http_inspector couldn't work in Snort 3.0.0-a4. So I'm afraid 
that if you want to use the alpha Snort 3, you may need to test its functions.

                                                                                                                        
NachtZ
01/11/2017




From: Sunyi LIu <sunnysunny128 () 163 com>
Sent: January 10, 2017 16:56
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] Could anyone share the performance data of Snort3.0 IDS
 
Hi,
  We are working on a 10Gbps IDS plan, could anyone share the performance data of Snort3.0 in IDS mode? Let's say we 
have such as 1000 rules.
And we could figure out if we can make good use of Snort3.0.
Thanks.


BR
sunny 




 







_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
