Snort mailing list archives

Re: How much can snort Snort?


From: Mipam <mipam () ibb net>
Date: Tue, 16 Apr 2002 01:43:27 +0200

> On Mon, Apr 15, 2002 at 05:13:35PM -0600, Phil Wood wrote:
> > On Mon, Apr 15, 2002 at 02:47:33PM -0700, Kevin L Pawloski wrote:
> > I've seen several discussions about gig interfaces lately but I haven't
> > seen any recent posts about benchmarks for gig snorting performance of
> > late.
> >
> > How much traffic can a Snort box pull w/o dropping a high amount of
> > packets? I'm more concerned about the box's performance and not any
> > issues with the actual gig interface itself.
>
>
> Depends on the rule sets, the cpu's, the libpcap implementation, and
> the actual traffic mix on the Gig interface (among other things like
> disk, and what kind of post processing you might be doing).  It might
> be useful to come up with a standard performance analysis configuration:
>
>    1. hardware description (cpu(s), memory, bus speeds, disk features)
>    2. characterization of actual traffic (sometimes available via snmp
>       queries from routers involved, or, if using my libpcap you could
>       get fairly precise stats, or on linux, you could watch the interface
>       stats by iterating on the contents of /proc/net/dev, ...).
>    3. standard, cast in stone rule set.
>    4. output to pcap file only (no other output plugins involved)
>    5. 5 days (Monday through Friday).
>    6. software involved: libpcap version, snort version, ?
>    7. more stuff?
>
> If I just collect the first 68 bytes of IP (tcp, udp, and icmp) packets
> using tcpdump I can lose packets or not up to 100 Mbps.

Nice answers and I agree. Though, with tcpdump, which I also love to use,
I mostly use -n so no names are resolved; it helps a lot.
And using the -w option helps, though .... you need
to have fast disks, a good implementation of how to use them,
and a nice fs to cope with gigabit or more. Basically, kernel
stuff is also as important as the many other things you describe :-)
In general I guess deploying IDS machines
is an art in itself and requires a lot of tweaking aside from
writing the rulesets themselves. Though, the same
holds for firewalls, routers etc :-)
Bye,

Mipam.
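Item 2 of the configuration quoted above suggests characterizing the real traffic on a Linux sensor by iterating over /proc/net/dev. The script below is an added example, not code from anyone in this thread: it parses two snapshots of /proc/net/dev and reports average packets per second, megabits per second and the RX drop counter delta for one interface, which is exactly the baseline you want next to Snort's own drop statistics. It assumes the standard Linux /proc/net/dev column layout (name, then rx bytes, packets, errs, drop, ...) and handles the older kernels that fuse the interface name and the byte count ("eth1:123456"). The two snapshots embedded in the block are constructed sample data, not measurements.

```shell
#!/bin/sh
# Added example: traffic characterization from /proc/net/dev snapshots.
# Assumes the standard Linux /proc/net/dev layout:
#   <if>: rx_bytes rx_packets rx_errs rx_drop rx_fifo ... tx_bytes tx_packets ...

# ifstats IFACE  (stdin = one /proc/net/dev snapshot)
# Prints "rx_bytes rx_packets rx_drop" for IFACE.
# The sed turns "eth1:123" (old kernels fuse name and counter) into "eth1 123".
ifstats() {
    sed 's/:/ /' | awk -v ifc="$1" '$1 == ifc { print $2, $3, $5; exit }'
}

# ifrate IFACE BEFORE AFTER SECONDS
# BEFORE/AFTER are two full /proc/net/dev snapshots taken SECONDS apart.
# Prints "pps mbps drops": average packets/s, megabits/s (payload bytes * 8)
# and how many packets the kernel counted as dropped on RX in that interval.
ifrate() {
    ifc=$1; before=$2; after=$3; secs=$4
    set -- $(printf '%s\n' "$before" | ifstats "$ifc") \
           $(printf '%s\n' "$after"  | ifstats "$ifc")
    if [ $# -ne 6 ]; then
        echo "ifrate: interface $ifc not found in both snapshots" >&2
        return 1
    fi
    # $1..$3 = before (bytes packets drop), $4..$6 = after
    awk -v b0="$1" -v p0="$2" -v d0="$3" -v b1="$4" -v p1="$5" -v d1="$6" -v s="$secs" \
        'BEGIN { printf "%d %.2f %d\n", (p1 - p0) / s, (b1 - b0) * 8 / s / 1000000, d1 - d0 }'
}

# ifrate_live IFACE SECONDS  (Linux only): sample the real /proc/net/dev.
ifrate_live() {
    s0=$(cat /proc/net/dev); sleep "$2"; s1=$(cat /proc/net/dev)
    ifrate "$1" "$s0" "$s1" "$2"
}

# Constructed sample snapshots, 5 seconds apart. eth1 moves 625 MB and
# 500,000 packets in that window and the RX drop counter rises by 500.
SNAP0='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   10000      50    0    0    0     0          0         0    10000      50    0    0    0     0       0          0
  eth1:1000000000 1000000    0  100    0     0          0         0        0       0    0    0    0     0       0          0'
SNAP1='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   10000      50    0    0    0     0          0         0    10000      50    0    0    0     0       0          0
  eth1:1625000000 1500000    0  600    0     0          0         0        0       0    0    0    0     0       0          0'

# Report for the constructed data: "100000 1000.00 500"
ifrate eth1 "$SNAP0" "$SNAP1" 5
```

Run it for a few minutes at each hour of the day you care about (`ifrate_live eth1 60` in a loop) and record the output next to the hardware and rule-set description; a non-zero drop delta here means packets were lost before libpcap ever saw them, so no amount of Snort tuning will recover them.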

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users