Re: How much can snort Snort?

[Phil Wood <cpw () lanl gov>]

On Mon, Apr 15, 2002 at 02:47:33PM -0700, Kevin L Pawloski wrote:
> I've seen several discussions about gig interfaces lately but I haven't
> seen any recent posts about benchmarks for gig snorting performance of
> late.
>
> How much traffic can a Snort box pull w/o dropping a high amount of
> packets? I'm more concerned about the box's performance and not any
> issues with the actual gig interface itself.

Depends on the rule sets, the cpu's, the libpcap implimentation, and
the actual traffic mix on the Gig interface (among other things like
disk, and what kind of post processing you might be doing).  It might
be useful to come up with a standard performance analysis configuration:

   1. hardware description (cpu(s), memory, bus speeds, disk features)
   2. characterization of actual traffic (sometimes available via snmp
      queries from routers involved, or, if using my libpcap you could
      get fairly precise stats, or on linux, you could watch the interface
      stats by iterating on the contents of /proc/net/dev, ...).
   3. standard, cast in stone rule set.
   4. output to pcap file only (no other output plugins involved)
   5. 5 days (Monday through Friday).
   6. software involved: libpcap version, snort version, ?
   7. more stuff?

If I just collect the first 68 bytes of IP (tcp, udp, and icmp) packets
using tcpdump I can lose packets or not up to 100 Mbps.  It depends usually
on the burst rate peaks during the sample period.  If I use snort, and then
add lots of rules that check all packets for massive quantites of string
contents, snort cannot get back (off the callback) in time to get the
next packet.  Especially if I've included mysql or other output processes.
If I add shared memory buffers, I do fine up to the limit of the ring size,
then I'm poking along just like everyone else, until the pps drops down to
somethin I can handle (given the mix of content rules, (or none at all),
etc, ad-infinitum).

> Perhaps some of you Snortters could give me an estimate on performance
> for this sample box:
>
> Dual 700mhrz RedHat 7.2 System with 2GB of RAM - Gig Interface and SCSI

Gighrz is better.  SCSI good.  What kind of memory?  What are your bus speeds?

(not that I could answer question with those parameters, they are some of
the things that contribute to performance.)

> HD.

Does your libpcap have a version?  Is it "turbo"?

> If anyone wants to take this discussion off-line I'd be more than happy
> to talk.
>
> Thanks in advance.
>
> Kevin
>
> ________________________________________________________________
> GET INTERNET ACCESS FROM JUNO!
> Juno offers FREE or PREMIUM Internet access for less!
> Join Juno today!  For your FREE software, visit:
> http://dl.www.juno.com/get/web/.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users