Snort mailing list archives
Re: SourceFire Appliance 3D9900 capabilities
From: Martin Holste <mcholste () gmail com>
Date: Thu, 14 Apr 2011 10:53:43 -0500
> Anecdotally, I'm sending 2Gbps through 5 snort processes using Endace cards. I have 450 rules (with some sort of content matching, pcres) as well as a few in-house rules that match about 400 addresses only (no content matching). I'm running the stock snort.conf from 2.9.0.5 with the exception that I've increased the memcap for stream5. I see ~0.5% dropped. So in theory I should be able to handle 10 Gbps with 25 snort processes. The machine can handle around 32 and uses internal load balancing to spread the traffic out.
Cool--thanks for the anecdote. Of course there are a ton of factors that go into how a sensor performs and you can't get overly scientific, but on traffic that is primarily web requests to your basic Internet sites (google, facebook, etc.), traffic looks and behaves very similarly, so I think comparisons are valuable. Server-bound traffic into your web servers is an entirely different animal, and there all bets are off. I have an older Endace card that only allows two streams, so I've not been able to experiment much with DAG load balancing. So you're doing 5 CPU = 2000 Mbps * 450 rules, which is pretty close to my guesstimation formula, which would predict needing (4 * 500 Mbps) * (.5 * 1000) rules = 4 * .5 = 2. The higher traffic rates will obviously increase the Stream5 overhead significantly, so I wonder what CPU utilization you'd see if only running preprocs at 2Gbps.