Re: throughput of snort usually(and with specific rules)

[d a <xstoneheartx () yahoo com>]

Hi,
Thanks for your attention.
Sorry for that mismatch. I used Ethernet 10/100 because I thought that the traffic rate for snort  should be under 
100Mb to works perfectly, But actually I want to use Ethernet 10/100/1000 for my need of 200Mb traffic  rate if snort 
can support it. I want to use my box to protect network of a place like university.
I want to use snort for both IDS and IPS modes.
 
What can I do to detect phishing attacks in my IDS/IPS box. Can use of ClamAv with snort be helpful?

 
Any help will be appreciated.

--- On Tue, 4/13/10, rmkml <rmkml () free fr> wrote:

> From: rmkml <rmkml () free fr>
> Subject: Re: [Snort-users] throughput of snort usually(and with specific rules)
> To: "d a" <xstoneheartx () yahoo com>
> Cc: rmkml () free fr
> Date: Tuesday, April 13, 2010, 12:38 PM
> Hi,
> excuse me, you have writted: "3 Ethernet Port 10/100"
> but you have writted: "...with a traffic rate of 200 Mb/s
> or more"
> You have 200Mb/s with 100 network interface?
> another point: you need a ids ? (detection only) or a ips ?
> (inline blocking) because it's more different...
> Regards
> Rmkml
>
>
> On Tue, 13 Apr 2010, d a wrote:
>
> > Hi, everybody
> > In a security project I want to make an IDS/IPS System
> based on snort but I have to satisfy employer and investors
> for my choice about Snort.
> > One of the problem that I have is about the input
> traffic rate/throughput that snort can support and analyze
> with a good performance(Low CPU usage and packet drop).I
> know that it depends on a number of factors like the
> configuration of the system and which rules we are running
> as well as the underlying hardware and the OS configuration,
> But I want to know the normal range of its throughput.
> > Some where I read somebody wants to use it for 1-2
> gb/s rate of traffic. Dose snort really works for xgb/s rate
> of input traffic without so much drop and high CPU usage?
> > In a book about snort that published in 2003(Intrusion
> detection with Snort By Jack Kozio ) that I think it's
> talking about snort-2.2  was wrote that snort works for
> 100Mb correctly and starts to loss packets in 200-300 Mb and
> can not run at traffic level higher than 500Mb. Does any
> body know about these numbers for snort-2.8.5?
> > The specification of my system that snort sensor is
> running on:
> >   CPU : Intel core 2 duo 2.8GHz
> >   RAM: 2-4 gig DDR2 KINGMAX
> >   Hard:300 gig maxtor SATA
> >   3 Ethernet Port 10/100
> > The network that I want to use system for includes
> more than 150 systems with a traffic rate of 200 Mb/s or
> more.
> > and the snort configuration that I need includes:
> > enabling  preprocessors , and enabling rules to
> detect web & CGI attacks, Phishing attacks , malwares
> and spywares and some others.
> > I want to use snort with out any accelerators. If I
> had to use one, is there any open-Source accelerator for
> snort?
> > Another question that I have is about OS.I'm using
> Suse10.3, is it suitable for our security goals  or
> other OS like cent-OS,open-BSD, .. are more secure?
> > Thanks a lot for your helps.


------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users