Snort mailing list archives

Re: Query about the performance


From: Martin Holste <mcholste () gmail com>
Date: Thu, 9 Jun 2011 08:35:04 -0500

Only 64 rules is a very small number, so you'd have a fighting chance.
 However, at 10 gig line rate, it would be a challenge to run any
application and ensure no drops.  A lot will depend on the NIC at that
point.  I would definitely recommend buying some of the nicer Intel
NICs that offload a lot of the TCP functions.

Has anyone on this list run inline Snort on 10 gig line rate?  A lot
of things can go wrong at that speed.

On Thu, Jun 9, 2011 at 2:59 AM, Gaurav Suryagandh
<gaurav.suryagandh () calsoftinc com> wrote:
Basically, with fairly good quality hardware (96GB RAM and a couple
of multi-core processors), will I be able to capture at a line rate of
10Gbps with a finite number of rules (around 64, spanning L2, L3 and
application)?

Thanks,
Gaurav

On 06/08/2011 08:58 PM, Steven Sturges wrote:
I'm not entirely sure of what you are trying to do, so it is tough
to answer specifically.

The capture rate is affected by a number of factors -- speed of
the hardware, drivers, kernel, DAQ module being used, etc.

Beyond the above, the performance of Snort itself is also affected
by the number of rules, memory settings, etc.

Snort is definitely capable of looking at packets in the context of
other packets in the flow leveraging Stream and/or flowbits.

On 6/8/11 5:54 AM, Gaurav Suryagandh wrote:
Hi All,

I am trying to incorporate Snort in my application for packet filtering.

I have two questions regarding the same.

1) How much is Snort's packet capture rate?

2) Can we filter packets based on flow?

Thanks,
Gaurav

------------------------------------------------------------------------------

EditLive Enterprise is the world's most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel


