Snort mailing list archives

Re: stream4 performance problems


From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 27 Feb 2003 08:42:12 -0500

Which version of snort are you using?


On Thursday, February 27, 2003, at 03:13 AM, Edin Dizdarevic wrote:


Hello Marty,

An Athlon XP 2000+ and 512MB RAM. IBM HD 7200RPM,
Gbit Intel NIC...

I was doing some tests with Nessus, experimenting with
NIDS evasion techniques. "Split" seems to be no
problem for Snort but with "injection" I had to
disable stateful inspection in order to achieve
better performance.

If I do that, Snort is having no problems up
to 130Mbit/sec. I could not test it faster,
because tcpreplay seems not to be able to send
the packets faster than that. I don't know if that
is a libnet or tcpreplay restriction.

It makes me wonder indeed, because I thought that
especially against such evasion techniques
the stateful inspection should be used.

Kind regards,

Edin


Martin Roesch wrote:

What hardware/OS are you running on? Sounds like it's fairly modest if it's having a tough time with 10Mbps...

     -Marty

On Tuesday, February 25, 2003, at 08:29 AM, Edin Dizdarevic wrote:

Hello everybody

During my performance tests I've noticed that
using stream4 preprocessor can slow down the
performance really badly in fast networks (over
10Mbit/s).

Is anybody else having similar problems?

Is there any other solution to solve the problems
of TCP-reassembly?

A proxy should help, since reassembly must be done there.



--
Edin Dizdarevic


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


