Snort mailing list archives
Re: "Making Snort go fast under Linux..."
From: "Mark W. Jeanmougin" <mark.jeanmougin () cchmc org>
Date: Thu, 25 Feb 2010 08:25:31 -0500
Randy,

This is something that I struggle with as well. I've been using just apache / wget and nfsd / dd as ways to generate large loads. The HUGE problem with this is that it is very uninteresting traffic. Using the above methods on my new workstations, I can saturate a 10 Gbit / sec link consistently.

I do have a small library of malicious pcaps. So, I'll use the previous methods to generate a "background load" and then replay the pcaps on another interface.

Finally, I have pcaps covering a few hours of "normal" network activity from the locations where we have / will have IPS sensors. So, I'll replay those to see what gets caught. The problem there is that the contents of those pcaps are unknown; I don't know how much malicious traffic is in there, nor what kinds of malice.

I'm really curious to see what others are doing in this world. I think this is a problem that many of us face.

Thanks,
MJ

On 02/24/2010 11:40 AM, Randal T. Rioux wrote:
> You mentioned performance may be enhanced by using different compilers/flags. I'm going to run some tests using different setups (OS, compiler collection, etc). Can anybody suggest an ideal way to beat the Hell out of a Snort box? I'd like to analyze as large a dataset as possible containing a large amount of detectable malware/sig triggers. Something that can sustain 1Gb of traffic for approx. five minutes. I have the storage, systems and bandwidth in my lab to do fiber, copper, multiple platforms and operating systems.