Snort mailing list archives

Re: [Snort-users] throughput of snort usually(and with specific rules)


From: Joel Esler <joel.esler () me com>
Date: Tue, 13 Apr 2010 09:32:48 -0400

Hello,

At Sourcefire, with our hardware, we have boxes that achieve a  
throughput of 20 gig a second.

For a non-appliance, it depends more on things: hardware, rules, RAM,  
NIC driver, etc.  For our appliances, we design our boxes for speed.

However, Snort doesn't have a speed hard stop.

--
Joel Esler
Sent from my iPhone

On Apr 13, 2010, at 3:33 AM, d a <xstoneheartx () yahoo com> wrote:

Hi, everybody

In a security project I want to make an IDS/IPS system based on  
Snort, but I have to satisfy my employer and investors regarding my  
choice of Snort.

One of the problems that I have is about the input traffic  
rate/throughput that Snort can support and analyze with good  
performance (low CPU usage and packet drop). I know that it depends  
on a number of factors like the configuration of the system and which  
rules we are running, as well as the underlying hardware and the OS  
configuration, but I want to know the normal range of its throughput.
Somewhere I read that somebody wants to use it for a 1-2 gb/s rate of  
traffic. Does Snort really work for an xgb/s rate of input traffic  
without so much drop and high CPU usage?

In a book about Snort that was published in 2003 (Intrusion Detection  
with Snort by Jack Koziol), which I think is talking about  
snort-2.2, it was written that Snort works correctly at 100Mb, starts  
to lose packets at 200-300 Mb, and cannot run at traffic levels  
higher than 500Mb. Does anybody know these numbers for  
snort-2.8.5?


The specification of the system that the Snort sensor is running on:
CPU: Intel Core 2 Duo 2.8GHz
RAM: 2-4 gig DDR2 KINGMAX
Hard: 300 gig Maxtor SATA
3 Ethernet ports 10/100

The network that I want to use the system for includes more than 150  
systems with a traffic rate of 200 Mb/s or more.

The Snort configuration that I need includes:

enabling preprocessors, and enabling rules to detect web & CGI  
attacks, phishing attacks, malware and spyware, and some others.


I want to use Snort without any accelerators. If I had to use one,  
is there any open-source accelerator for Snort?


Another question that I have is about the OS. I'm using Suse 10.3; is it  
suitable for our security goals, or are other OSes like CentOS,  
OpenBSD, ... more secure?


Thanks a lot for your help.




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel