Snort mailing list archives
Re: [Snort-users] throughput of snort usually(and with specific rules)
From: Joel Esler <joel.esler () me com>
Date: Tue, 13 Apr 2010 09:32:48 -0400
Hello,

At Sourcefire, with our hardware, we have boxes that achieve a throughput of 20 gig a second. For a non-appliance, it depends more on things: hardware, rules, RAM, NIC driver, etc. For our appliances, we design our boxes for speed. However, Snort doesn't have a speed hard stop.

--
Joel Esler
Sent from my iPhone

On Apr 13, 2010, at 3:33 AM, d a <xstoneheartx () yahoo com> wrote:
Hi, everybody

In a security project I want to make an IDS/IPS system based on Snort, but I have to satisfy my employer and investors about my choice of Snort. One of the problems that I have is about the input traffic rate/throughput that Snort can support and analyze with good performance (low CPU usage and packet drop). I know that it depends on a number of factors, like the configuration of the system and which rules we are running, as well as the underlying hardware and the OS configuration, but I want to know the normal range of its throughput.

Somewhere I read that somebody wants to use it for a 1-2 gb/s rate of traffic. Does Snort really work for xgb/s rates of input traffic without so much drop and high CPU usage?

In a book about Snort published in 2003 (Intrusion Detection with Snort by Jack Koziol), which I think is talking about snort-2.2, it was written that Snort works correctly for 100Mb, starts to lose packets at 200-300 Mb, and cannot run at traffic levels higher than 500Mb. Does anybody know these numbers for snort-2.8.5?

The specification of the system that the Snort sensor is running on:

CPU: Intel Core 2 Duo 2.8GHz RAM: 2-4 gig DDR2 KINGMAX Hard: 300 gig Maxtor SATA 3 Ethernet Port 10/100

The network that I want to use the system for includes more than 150 systems with a traffic rate of 200 Mb/s or more, and the Snort configuration that I need includes enabling preprocessors, and enabling rules to detect web & CGI attacks, phishing attacks, malware and spyware, and some others.

I want to use Snort without any accelerators. If I had to use one, is there any open-source accelerator for Snort?

Another question that I have is about the OS. I'm using Suse10.3; is it suitable for our security goals, or are other OSes like CentOS, OpenBSD, .. more secure?

Thanks a lot for your help.

---------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Current thread:
- throughput of snort usually(and with specific rules) d a (Apr 13)
- Re: [Snort-devel] throughput of snort usually(and with specific rules) Jules Disso (Apr 13)
- Re: throughput of snort usually(and with specific rules) L0rd Ch0de1m0rt (Apr 13)
- Re: [Snort-users] throughput of snort usually(and with specific rules) Joel Esler (Apr 13)