Snort mailing list archives

Re: snort sp for 10GE link


From: Martin Holste <mcholste () gmail com>
Date: Thu, 25 Aug 2011 08:34:35 -0500

None of the GPU-based stuff is ready for primetime.  There was a
project a few years ago called Gnort which used GPUs, but that ended
and code was never released.  As you've pointed out, Suricata's GPU
implementation is not efficient and therefore not an option.

You can do software load balancing of Snort with PF_RING.  I have a
short write-up on how to do this here:
http://ossectools.blogspot.com/2011/07/running-load-balanced-snort-in-pfring.html
My general rule of thumb is you need 1 CPU per 1000 rules per 100
Mbit of traffic, so at 1000 Mbit, you can only run 10 rules per CPU.
However, at that speed, the preprocessor performance becomes a major
factor.  At 10 Gbit, you are down to 1 rule per CPU, assuming that
your preprocessors (like HTTP, DCE, etc.) can keep up (which they
cannot).  So, you may be able to inspect 10 Gbit of DCE/SMB traffic,
but I doubt you can inspect 10 Gbit of HTTP or SMTP traffic at
wirespeed.

If you really have a saturated 10 Gbit connection, you are probably
better off with a hardware load-balancer and setting up a cluster of
machines.  A much better approach would be to limit the scope of the
traffic you want to inspect to get it down to more like 1-2 Gbps,
which is still quite a challenge to inspect without drops, even with a
very limited rule set.

On Thu, Aug 25, 2011 at 7:45 AM, ahmad reza noroozi
<ahmadrezanoroozi () gmail com> wrote:
I am to make an IDS for 10GE links
I was used snort for recent years
I want to know everybody has performance testing for snort sp for high
bandwidth?
can it to handle above 5000,000 concurrent session at high speed
rate (for example in stream5 processors)
as you may know suricata is able to use from GPU but multithreading in
it is not efficient.
I want to use from GPU (graphic processing unit) tesla cards to
accelerate snort for 10GE link. is there any performance testing for a
multiple core system speed up for snort sp?
is it better to accelerate with GPU or with multi core system?

I am very interesting to Martin Roesch and happy to he also answer me

------------------------------------------------------------------------------
EMC VNX: the world's simplest storage, starting under $10K
The only unified storage solution that offers unified management
Up to 160% more powerful than alternatives and 25% more efficient.
Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!



