Snort mailing list archives

RE: Snort Performance


From: "Laura" <uy38698 () adinet com uy>
Date: Fri, 26 Mar 2004 14:54:40 -0300

Do you have any idea how many MB of traffic you have on those networks?
Because that's one of my biggest concerns.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
Mark.Schutzmann () Omron com
Sent: Friday, March 26, 2004 11:47 a.m.
To: Laura
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Performance



Laura,

I've got a similar scenario of monitoring 9 networks.  I'm using an IBM
x225 with dual 2GB CPUs, 1.5GB RAM, and 54GB RAID 1E, Intel 1GB Fiber
NICs. Snort 2.1.1 on RH9 2.4.20-30.9smp. Below are my stats from Snort
this morning after running for about 6 hours. This is a new install with
most rules enabled. Hope that helps.


Mar 26 08:47:21 OEI-RHLXSnort snort: ===============================================================================
Mar 26 08:47:21 OEI-RHLXSnort snort: Snort analyzed 233502292 out of 233645312 packets,
Mar 26 08:47:21 OEI-RHLXSnort snort: dropping 143020(0.061%) packets
Mar 26 08:47:21 OEI-RHLXSnort snort: Breakdown by protocol:                Action Stats:
Mar 26 08:47:21 OEI-RHLXSnort snort:     TCP: 231098202  (98.910%)         ALERTS: 16779
Mar 26 08:47:21 OEI-RHLXSnort snort:     UDP: 571323     (0.245%)          LOGGED: 16814
Mar 26 08:47:21 OEI-RHLXSnort snort:    ICMP: 506038     (0.217%)          PASSED: 0
Mar 26 08:47:21 OEI-RHLXSnort snort:     ARP: 74367      (0.032%)
Mar 26 08:47:21 OEI-RHLXSnort snort:   EAPOL: 0          (0.000%)
Mar 26 08:47:21 OEI-RHLXSnort snort:    IPv6: 0          (0.000%)
Mar 26 08:47:21 OEI-RHLXSnort snort:     IPX: 28         (0.000%)
Mar 26 08:47:21 OEI-RHLXSnort snort:   OTHER: 1109115    (0.475%)
Mar 26 08:47:21 OEI-RHLXSnort snort: DISCARD: 0          (0.000%)
Mar 26 08:47:21 OEI-RHLXSnort snort: ===============================================================================

Mark



"Laura" <uy38698 () adinet com uy>
Sent by: snort-users-admin () lists sourceforge.net
03/26/2004 10:30 AM

To: <snort-users () lists sourceforge net>
cc:
Subject: [Snort-users] Snort Performance

I'm thinking about placing an NIDS (linux box running red hat 8 with
snort v 2.0.2 + acid 0.9.6) on a 2950 sw where not only all the traffic
from all the companies goes by but also where the carriers' connections
end.

Monitoring about 8 interfaces, the amount of traffic that it will see is
going to be really big.

Does anyone have any experience using snort in a critical point of the
network, loading lots of traffic? I'm interested in information about
performance, hardware of the machine used (type of card, amount of
memory, processor, etc.) and comments, tips or best practices in order to
minimize the possible problems of any kind.

TIA

Laura








-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
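
Added example, not part of the original thread: a small Python parser for the Snort exit statistics quoted above that derives the drop rate and average packet rate, the two sensor-health figures the discussion turns on. The function names, the 1% drop threshold and the exact 6-hour runtime (the post says "about 6 hours") are assumptions made for this illustration.

```python
import re

# Figures copied from the post; line wrapping as a mail client would re-flow
# syslog output, so prefixes can appear in the middle of a line.
SAMPLE = """\
Mar 26 08:47:21 OEI-RHLXSnort snort: Snort analyzed 233502292 out of
233645312 packets, Mar 26 08:47:21 OEI-RHLXSnort snort: dropping
143020(0.061%) packets Mar 26 08:47:21 OEI-RHLXSnort snort: Breakdown by
protocol: Action Stats:
Mar 26 08:47:21 OEI-RHLXSnort snort:     TCP: 231098202  (98.910%)
ALERTS: 16779
Mar 26 08:47:21 OEI-RHLXSnort snort:     UDP: 571323     (0.245%)
LOGGED: 16814
"""
RUNTIME_S = 6 * 3600  # assumption: "about 6 hours" taken as exactly 6 h

PREFIX = re.compile(r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ snort:")
TOTALS = re.compile(r"Snort analyzed (\d+) out of (\d+) packets,\s*dropping (\d+)")
PROTO = re.compile(r"\b(TCP|UDP|ICMP|ARP|EAPOL|IPv6|IPX|OTHER|DISCARD): (\d+)")
ACTION = re.compile(r"\b(ALERTS|LOGGED|PASSED): (\d+)")

def parse_exit_stats(text):
    """Extract counters from Snort exit stats, wrapped or not."""
    # Drop every syslog prefix (even mid-line) and collapse whitespace so
    # fields split across lines become contiguous again.
    flat = " ".join(PREFIX.sub(" ", text).split())
    m = TOTALS.search(flat)
    if m is None:
        raise ValueError("no Snort exit statistics found")
    analyzed, received, dropped = map(int, m.groups())
    return {
        "analyzed": analyzed, "received": received, "dropped": dropped,
        "protocols": {k: int(v) for k, v in PROTO.findall(flat)},
        "actions": {k: int(v) for k, v in ACTION.findall(flat)},
    }

def sensor_health(stats, runtime_seconds, max_drop_pct=1.0):
    """Recompute drop rate from raw counters and flag an overloaded sensor."""
    received = stats["received"]
    drop_pct = 100.0 * stats["dropped"] / received if received else 0.0
    return {
        "drop_pct": round(drop_pct, 3),
        "avg_pps": round(received / runtime_seconds),
        "ok": drop_pct <= max_drop_pct,
    }

if __name__ == "__main__":
    print(sensor_health(parse_exit_stats(SAMPLE), RUNTIME_S))
```

The packet counters give a packet rate only; converting that to MB of traffic would need the average packet size, which these statistics do not report.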


