Re: snort breakdown

[Bennett Todd <bet () rahul net>]

2003-04-21T17:06:43 Hanumantha R. Manchala:
> I have problems doing stress test on snort. I would like to find at what
> speeds snort starts dropping packets. I am using tcpreplay to send packets
> from a tcpdump file at 50Mbps. I am sending packets from two machines at
> 50Mbps. Snort is running on a third machine. All these machines are
> connected using a serial cable. None of them is on the Internet.

Note that two senders at 50Mbps/ea is 100Mbps, and a straightforward
system running snort in the most obvious way won't keep up. You'll
need a hot box or a tuned snort to do 100Mbps. 50Mbps is more
typical for an untuned snort on typical iron.

When you say "serial cable", I'm going to assume you actually mean a
100baseT crossover cable. If you mean something different, speak up.

It's also important what sort of NIC you have; there are NICs
well-supported by various OSes and NICs that aren't.

Tell us too about your hardware platform. Is this a 386SX-16? or a
3GHz P4? What bus? How much memory?

What OS?

> First of all, I would like to know if the packets are being sent out at
> speeds tcpreplay claims are being sent at. How can find that? I tried
> using 'ifconfig -a'. But I could not figure it out. Is there a script or
> some tool that can help me do that?

Try running "netstat -i" before and after the experiment, comparing
the packet counts.

> Secondly, How can I find out the rate of capture of packets on the machine
> running snort?

The capture rate depends on the system load. You'll capture the most
packets if you do nothing with any of them. Turn off all the
preprocessors and knock out all the rules, and you'll have the
fastest possible snort. If any non-trivial fraction of your packets
trigger alerts, you won't be able to sustain anywhere near an
interesting rate --- alerts are very dear. Most packets must fail
all tests to really hit hot packet rates.

> Thirdly, What is the way to find out the speeds at which snort starts
> dropping packets?

Ramp up transmission rate until the number of packets processed (as
reported by snort when you kill it with -USR1) begins to drop
significantly below the number of packets you sent (tcpreplay sends
all its packets).

> 1) All my machines are Pentium 4 (1.8GHz) running Redhat 9.0 .
> 2) I am using snort-1.9.1

With good NICs? If you're on normal PCI bus, then you'll still need
to tune your snort so it hs attempting few alerts over the course of
your speed run, but barring excessive alerts (or other dementedly
expensive games like direct logging to an RDBMS) you should be able
to swing 100Mbps without too painful of tuning on that lashup.

For benchmarking run snort with -A fast -b.

-Bennett

Attachment: _bin
Description: