Snort mailing list archives
Re: throughput of snort usually(and with specific rules)
From: d a <xstoneheartx () yahoo com>
Date: Tue, 13 Apr 2010 11:26:26 -0700 (PDT)
Hi,

Thanks for your attention. Sorry for that mismatch. I used Ethernet 10/100 because I thought that the traffic rate for snort should be under 100Mb to work perfectly, but actually I want to use Ethernet 10/100/1000 for my need of a 200Mb traffic rate, if snort can support it.

I want to use my box to protect the network of a place like a university. I want to use snort for both IDS and IPS modes.

What can I do to detect phishing attacks in my IDS/IPS box? Can use of ClamAV with snort be helpful?

Any help will be appreciated.

--- On Tue, 4/13/10, rmkml <rmkml () free fr> wrote:
From: rmkml <rmkml () free fr>
Subject: Re: [Snort-users] throughput of snort usually(and with specific rules)
To: "d a" <xstoneheartx () yahoo com>
Cc: rmkml () free fr
Date: Tuesday, April 13, 2010, 12:38 PM

Hi,

Excuse me, you have written: "3 Ethernet Port 10/100" but you have written: "...with a traffic rate of 200 Mb/s or more"

You have 200Mb/s with 100 network interface?

Another point: you need an IDS? (detection only) or an IPS? (inline blocking) because it's more different...

Regards
Rmkml

On Tue, 13 Apr 2010, d a wrote:

Hi, everybody

In a security project I want to make an IDS/IPS system based on snort, but I have to satisfy employer and investors for my choice about Snort. One of the problems that I have is about the input traffic rate/throughput that snort can support and analyze with a good performance (low CPU usage and packet drop). I know that it depends on a number of factors like the configuration of the system and which rules we are running as well as the underlying hardware and the OS configuration, but I want to know the normal range of its throughput. Somewhere I read somebody wants to use it for 1-2gb/s rate of traffic. Does snort really work for xgb/s rate of input traffic without so much drop and high CPU usage?

In a book about snort that was published in 2003 (Intrusion detection with Snort By Jack Kozio), which I think is talking about snort-2.2, it was written that snort works for 100Mb correctly and starts to lose packets at 200-300 Mb and cannot run at traffic levels higher than 500Mb. Does anybody know about these numbers for snort-2.8.5?

The specification of my system that the snort sensor is running on:

CPU: Intel core 2 duo 2.8GHz
RAM: 2-4 gig DDR2 KINGMAX
Hard: 300 gig maxtor SATA
3 Ethernet Port 10/100

The network that I want to use the system for includes more than 150 systems with a traffic rate of 200 Mb/s or more, and the snort configuration that I need includes: enabling preprocessors, and enabling rules to detect web & CGI attacks, phishing attacks, malware and spyware and some others.

I want to use snort without any accelerators. If I had to use one, is there any open-source accelerator for snort?

Another question that I have is about the OS. I'm using Suse10.3; is it suitable for our security goals, or are other OSes like cent-OS, open-BSD, .. more secure?

Thanks a lot for your help.
Current thread:
- Re: throughput of snort usually(and with specific rules) d a (Apr 13)
- Re: [Snort-sigs] throughput of snort usually(and with specific rules) Joel Esler (Apr 13)