Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort on large loads

From: Dragos Ruiu <dr () kyx net>
Date: Thu, 6 Dec 2001 17:59:58 +0000

Well I know that several large commercial sites are using snort on OC-12's
at 622 Mbps on xeons without packet loss according to their claims, so I 
wouldn't expect any issues with T3/DS3/OC1 at 45Mbps on modern hardware 
or even saturated fast ethernet at 100Mbps.  45 Mbps should barely make 
your snort sensor break a sweat.  Your mileage with other IDSes may vary :-).

I think, as all the IDS vendors will eventually discover and the trade press
will someday clue into, at higher rates, the problems do not lie only in the 
IDS software per se, as much as the interface drivers and OS architectures
and that oh so fun PCI transfer and DMA interrupt bottleneck.

The short answer is snort scales very well, thank you very much. Your mileage
with capture subsystems may also vary :-).

cheers,
--dr

On Thu, 06 Dec 2001 19:37:22 -0500
Don Heffernan <donheff () cais net> wrote:


I use Snort at home and have been impressed with what I read about what 
"real" folks are doing with it on this list.  I sent my firewall guy at 
work an article I saw referenced on Slashdot.  Here is his question:
"...I am wondering about the ability of Snort to keep up with big loads, 
such as approaching 45 Megabits (downwind from a T3) on a FastEthernet 
or GigE segment.  I understand there are products out there that may be 
much more comprehensive than NFR or RealSecure, but I am not sure that 
Snort can scale to such loads (It may depend on the hardware you throw 
at it though..)  Any ideas on performance factors before Snort goes into 
what they are calling "sampling mode"  .."

Does anyone have answers I can share with him?  ---

-- 
Don Heffernan
heffernan.cais.net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: