Re: stream4 performance problems

[Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>]

Hello Marty,

An Athlon XP 2000+ and 512MB RAM. IBM HD 7200RPM,
Gbit Intel NIC...

I were doing some tests with Nessus expermenting with
NIDS evasion techniques. "Split" seems to be no
problem for Snort but with "injection" I had to
disable stateful inspection in order to achieve
better performance.

If I do that, Snort is having no problems up
to 130Mbit/sec. I could not test it faster,
because tcpreplay seems not to be able to send
the packets faster than that. I don't know if that
is a libnet or tcpreplay restriction.

It wonders me indeed, because I thought that
especially against such evasion techniques
the stateful inspection should be used.

Kind regards,

Edin


Martin Roesch wrote:
> What hardware/OS are you running on?  Sounds like it's fairly modest if 
> it's having a tough time with 10Mbps...
>
>      -Marty
>
>
> On Tuesday, February 25, 2003, at 08:29  AM, Edin Dizdarevic wrote:
>
> > Hello everybody
> >
> > During my performance tests I've noticed, that
> > using stream4 preprocessor can slow down the
> > performance really badly in fast networks (over
> > 10Mbit/s).
> >
> > Is anybody else having similar problems?
> >
> > Is there any other solution to solve the problems
> > of TCP-reassembly?
> >
> > A proxy should help, since reassembly must be done there.



--
Edin Dizdarevic



-------------------------------------------------------
This SF.net email is sponsored by: Scholarships for Techies!
Can't afford IT training? All 2003 ictp students receive scholarships.
Get hands-on training in Microsoft, Cisco, Sun, Linux/UNIX, and more.
www.ictp.com/training/sourceforge.asp
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users