Snort mailing list archives

Snort performance (was Re: Help with where to place ...)


From: Bennett Todd <bet () rahul net>
Date: Mon, 24 Jun 2002 11:41:52 -0400

2002-06-19-06:45:31 Poppi, Sandro:
I think snort can handle GB when the snort box and snort is highly
tuned (not tested full GB speed yet).

I've not yet done enough testing to have a real feel for this from
my own experience, but from what I've read and been told by others,
I get the impression that snort, on a modern hot box (>>1GHz CPU,
512MB or more RAM), run with -A fast -b, can handle

        - c. 50Mbps easily with the default sigs and config;
        - >100Mbps with suitably careful tuning (careful placement,
          careful and appropriate customization of HOME_NET, good
          choice of interface card, etc.)
        - up to possibly 250-300Mbps flat out max without exotic
          custom hardware, limited by ability of the system to
          unload packets out of the interface buffer; to hit this
          range you have to be very very carefully tuning the
          signature set to include only the handful of signatures
          you're really critically interested in.

Unless there's been a breakthrough I haven't heard about, neither
Snort nor any other NIDS running under a general-purpose OS on
general-purpose hardware can be expected to run greater than c.
300Mbps no matter how tightly you tune it.

I try very hard to plan my deployments so that traffic passing the
snort sensor is cleaned up by the outer layers of the firewall plant
--- i.e. I place snort inside the proxy layer --- so that it doesn't
have to deal with fragments and deliberate IDS-DoS attacks and
failed attacks; and I try to plan things so that I don't expect more
than 50Mbps to pass by snort's nose.

While additional engineering effort can crank the levels up, I'm not
wildly happy about increasing my manpower costs to buy just a factor
of 2-4 performance boost. So far I've been able to keep the
aggregate traffic down. If I should be unable to sometime in the
near future, before snort (or PC hardware) performance improvements
crank up to where I need, I expect I'd be shopping for a device that
uses custom hardware to wind the performance way up.
<URL:http://www.intruvert.com/> claim to be doing this; there are
probably other companies competing in these realms as well.

The other approach that people recommend for hitting the Gbps range
is to use a special sort of loadbalancer, e.g.
<URL:http://www.toplayer.com/>, to schmear the traffic out over a
snort farm. Again, the engineering expense of creating and
maintaining such a beast puts me off.

This is a field that's developing so very very rapidly that it seems
like a good idea to postpone big purchases as long as possible; if
you can make do with what Snort can easily accomplish now, and worry
about higher performance later, that's probably the best approach.

Most folks confine their snort needs to its current performance
abilities by deploying it on the perimeter; very few shops actually
sustain >50Mbps outside (links that fast are pretty dear).

Intruvert (and, I expect, their competitors whoever they are) are
focused more on delivering IDS throughout your core networks, where
snort (and ISS, and NFR, and ...) can't reach the needed
performance.

-Bennett
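The "snort farm" approach Bennett describes only works if the load balancer keeps both directions of a flow on the same sensor, otherwise no sensor ever sees a complete stream to reassemble. The sketch below is an added example (not from this post or any vendor's product) of a symmetric 5-tuple hash versus a naive directional one, run over constructed sample packets; sensor count and packet fields are assumptions.

```python
import hashlib

# Constructed sample traffic: three flows, each seen in both directions.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.10", "dport": 80},
    {"proto": "tcp", "src": "192.0.2.10", "sport": 80, "dst": "10.0.0.5", "dport": 40001},
    {"proto": "tcp", "src": "10.0.0.6", "sport": 40002, "dst": "192.0.2.11", "dport": 443},
    {"proto": "tcp", "src": "192.0.2.11", "sport": 443, "dst": "10.0.0.6", "dport": 40002},
    {"proto": "udp", "src": "10.0.0.7", "sport": 53000, "dst": "192.0.2.53", "dport": 53},
    {"proto": "udp", "src": "192.0.2.53", "sport": 53, "dst": "10.0.0.7", "dport": 53000},
]

def flow_key(pkt):
    """Direction-independent 5-tuple: sort the two endpoints so that
    A->B and B->A produce the same key."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    lo, hi = sorted([a, b])
    return f'{pkt["proto"]}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}'

def naive_key(pkt):
    """Direction-dependent key: the two halves of a flow hash differently,
    so replies can land on a different sensor than the requests."""
    return f'{pkt["proto"]}|{pkt["src"]}:{pkt["sport"]}|{pkt["dst"]}:{pkt["dport"]}'

def pick_sensor(pkt, n_sensors, keyfn=flow_key):
    """Hash the flow key and map it onto one of n_sensors sensors."""
    digest = hashlib.sha256(keyfn(pkt).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_sensors

def split_flows(packets, n_sensors, keyfn=flow_key):
    """Count flows whose packets landed on more than one sensor; each such
    flow is incomplete on every sensor and escapes stream-level detection."""
    sensors_by_flow = {}
    for p in packets:
        sensors_by_flow.setdefault(flow_key(p), set()).add(pick_sensor(p, n_sensors, keyfn))
    return sum(1 for s in sensors_by_flow.values() if len(s) > 1)

if __name__ == "__main__":
    # Assumed farm of 4 sensors; the symmetric key never splits a flow.
    for name, fn in (("symmetric", flow_key), ("naive", naive_key)):
        print(f"{name}: {split_flows(SAMPLE_PACKETS, 4, fn)} flow(s) split across sensors")
```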
