Snort mailing list archives

RE: Where is the bottleneck?


From: "Yiming Gong" <yiming () security zz ha cn>
Date: Fri, 16 May 2003 11:27:41 +0800

One thing you must keep in mind ~ snort will ignore any stateless tcp
connection.
 
 
Best wishes!

--
I want a better life

Yiming Gong
Technical Manager
Office:086-10-66001133-5653
China Telecom System Integration Co.Ltd.

E-mail:yiming () security zz ha cn
http://security.zz.ha.cn

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of 方 磊
Sent: 16 May 2003 10:48
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Where is the bottleneck?


I did some simple tests on Snort's on-line detection capacity yesterday.
I checked a tcpdump data file with only 37 kinds of attacks. First, I turned off
all useless preprocessors; indeed only frag2 and telnet remained
enabled. Snort 2.0 checked this data "off-line" with only 37 rules and
found about 7700 events in about 5 seconds. Then I injected the tcpdump
data with tcpreplay from my traffic producer and detected the traffic on my
sensor.
Here are the detected events with different traffic rates:
Rate    Events detected
150M    3522
100M    3791
80M     3851
50M     3941
20M     4163
10M     4271
 
I cannot understand why Snort cannot find most of the events even at very low
speed.
I think it may be a problem with my machines.
 
My traffic producer is Intel 1.4G, 256RAM, Redhat 9.0, E1000 NIC.
My snort sensor is Intel 2.4G, 512RAM, Redhat 9.0, E1000 NIC.
Where is the bottleneck?
How can I detect all the events on-line?
 

Thanks very much.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
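Added example, not code from either poster or from the Snort project: a minimal TCP session tracker in the spirit of Yiming Gong's reply. Segments whose three-way handshake was never observed are treated as stateless and skipped, so a replayed capture that starts mid-connection, or a replay that loses a single handshake packet, silently loses the detections in that session. The packet tuples, addresses and the signature string are constructed sample data; the handshake is simplified to SYN followed by SYN/ACK.

```python
from collections import namedtuple

SYN, ACK, PSH = 0x02, 0x10, 0x08

# Constructed packet record: enough fields to key a connection and inspect payload
Pkt = namedtuple("Pkt", "src sport dst dport flags payload")

def flow_key(p):
    """Normalise both directions of a connection to a single key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)

def track_sessions(packets, signature=b"TEST-SIG"):
    """Return (alerts, skipped): alerts counts signature hits inside sessions
    whose handshake was seen; skipped counts segments with no tracked session."""
    half_open, established = set(), set()
    alerts = skipped = 0
    for p in packets:
        key = flow_key(p)
        if p.flags == SYN:                      # client opens a connection
            half_open.add(key)
            continue
        if p.flags == SYN | ACK and key in half_open:
            half_open.discard(key)              # simplified: handshake done
            established.add(key)
            continue
        if key not in established:
            skipped += 1                        # stateless segment: not inspected
            continue
        if signature in p.payload:
            alerts += 1
    return alerts, skipped

# Constructed sample: one full session and one that was captured mid-stream
SAMPLE = [
    Pkt("10.0.0.5", 40000, "10.0.0.9", 80, SYN, b""),
    Pkt("10.0.0.9", 80, "10.0.0.5", 40000, SYN | ACK, b""),
    Pkt("10.0.0.5", 40000, "10.0.0.9", 80, PSH | ACK, b"GET /x TEST-SIG HTTP/1.0"),
    Pkt("10.0.0.6", 40001, "10.0.0.9", 80, PSH | ACK, b"GET /x TEST-SIG HTTP/1.0"),
    Pkt("10.0.0.9", 80, "10.0.0.6", 40001, PSH | ACK, b"HTTP/1.0 200 OK"),
]

def replay_with_lost_syn():
    """Model a replay that drops the first packet: the whole session is lost."""
    return track_sessions(SAMPLE[1:])

if __name__ == "__main__":
    print("full replay:", track_sessions(SAMPLE))       # (1, 2)
    print("SYN dropped:", replay_with_lost_syn())       # (0, 4)
```

The second run shows why event counts fall as the replay rate rises: each handshake packet the sensor misses removes every later alert in that connection, not just one packet.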

