Snort mailing list archives
Re: [Snort-devel] throughput of snort usually(and with specific rules)
From: Jules Disso <jules () visionintel com>
Date: Tue, 13 Apr 2010 09:26:12 +0100
Hi there,
I suggest you start reviewing the various papers on snort performance. Also, it could be a good idea to run some of the experiments yourself. The performance of software heavily depends on the system on which it runs. If you know the type of system you intend to have snort on, it would be best to replicate that system (or close enough) to see what the real performance will be. Also, Snort performance depends on the configuration that you are using. What are you trying to protect? Do you need to have all the preprocessors on? Which ones do you need? etc.
Hope this helps.
Jules
On Tue, 2010-04-13 at 00:33 -0700, d a wrote:
Hi, everybody
In a security project I want to make an IDS/IPS System based on snort but I have to satisfy employer and investors
for my choice about Snort.
One of the problems that I have is about the input traffic rate/throughput that snort can support and analyze with a
good performance (low CPU usage and packet drop). I know that it depends on a number of factors like the configuration
of the system and which rules we are running as well as the underlying hardware and the OS configuration, but I want
to know the normal range of its throughput.
Somewhere I read somebody wants to use it for 1-2 gb/s rate of traffic. Does snort really work for xgb/s rate of
input traffic without so much drop and high CPU usage?
In a book about snort that was published in 2003 (Intrusion Detection with Snort by Jack Koziol), which I think is talking
about snort-2.2, it was written that snort works for 100Mb correctly and starts to lose packets in 200-300 Mb and can not
run at traffic level higher than 500Mb. Does anybody know about these numbers for snort-2.8.5?
The specification of my system that snort sensor is running on:
CPU : Intel core 2 duo 2.8GHz
RAM: 2-4 gig DDR2 KINGMAX
Hard: 300 gig maxtor SATA
3 Ethernet Port 10/100
The network that I want to use system for includes more than 150 systems with a traffic rate of 200 Mb/s or more.
The snort configuration that I need includes:
enabling preprocessors, and enabling rules to detect web & CGI attacks, phishing attacks, malware and spyware
and some others.
I want to use snort without any accelerators. If I had to use one, is there any open-source accelerator for snort?
Another question that I have is about the OS. I'm using Suse10.3; is it suitable for our security goals, or are other OSes like
CentOS, OpenBSD, .. more secure?
Thanks a lot for your help.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
