IDS mailing list archives

Re: SNORT Testing


From: Stefano Zanero <zanero () elet polimi it>
Date: Wed, 08 Mar 2006 09:57:53 +0100

Terry Vernon wrote:
> I've been doing some benchmarking lately on snort packet loss and have found
> great success using netstrain to load the line.

"loading the line" with meaningless traffic is meaningless.

A complex system such as Snort behaves differently depending on the
traffic mix, on the rate of connections, on the type of protocols, on
the type of loaded signatures, etc.

> detection right now as much as I am squeezing every last drip of performance
> out.

Well, deactivate all signatures, that would help considerably *giggle*

Apart from jokes, testing "packets per second throughput" is very much
what you DON'T want to do, for a number of reasons I won't repeat here.
Look in previous threads, look in my presentation at BH Fed, look up
Marcus Ranum's guides to IDS testing, look up Bob Walder's comments in
earlier threads, look up Dave Aitel's inputs... basically, look it up on
the archives.

> check the dropped packets percentage and modify things trying to get it
> smaller and smaller.

This is something which is only partially related to throughput... (see
any basic test on queueing networks theory)

> It's not an exact method but works for me

How can you say "it works" ? It doesn't. It cannot work. It is what you
are doing, and killing time, fine enough. But it doesn't actually do
anything useful. Any output of this method is meaningless.

> That's how I test snort without spending a dime.

Sometimes, what you spend is related to what you get. You are, more or
less, killing time, nothing more.

Stefano
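As an added illustration of the queueing point made in this reply (this is not code from the thread, and not Snort code), the toy simulation below drives a single inspection engine with a finite capture buffer at a fixed packets-per-second rate and varies only the traffic mix. The per-packet inspection costs ("plain" versus "heavy"), the buffer size and the scenario patterns are made-up constants chosen for the demonstration; the arrival spacing is uniform. The same 10,000 pps produces anywhere from zero drops to roughly a third of all packets dropped, and the same 50/50 mix drops nothing when interleaved but loses packets when bursty, which is why a drop percentage measured under one synthetic load says little about another.

```python
"""
Toy single-server, finite-buffer queue: identical packets-per-second,
different traffic mix, very different drop rate.  Added illustration only;
the service times below are assumed constants, not Snort measurements.
"""
from collections import deque
from itertools import cycle, islice

PPS = 10_000                  # offered load, identical in every scenario
INTERARRIVAL_US = 1_000_000 // PPS   # 100 microseconds between arrivals
BUFFER = 8                    # packets the capture buffer holds while the engine is busy

# Assumed inspection cost per packet in microseconds: a bare ACK that touches
# few rules versus a payload-bearing packet run through many content rules.
SERVICE_US = {"plain": 20, "heavy": 150}


def simulate_drops(classes, interarrival=INTERARRIVAL_US,
                   buffer_size=BUFFER, service=SERVICE_US):
    """Drive a FIFO queue in front of one inspection engine; return dropped fraction.

    classes: packet classes in arrival order; packet i arrives at i * interarrival.
    A packet that finds the engine idle is inspected at once; otherwise it waits
    in the buffer, or is dropped if the buffer is already full.
    """
    queue = deque()
    engine_free_at = 0          # time at which the engine finishes its current packet
    dropped = total = 0
    for i, cls in enumerate(classes):
        arrival = i * interarrival
        total += 1
        # Let the engine work through queued packets up to this arrival time.
        while queue and engine_free_at <= arrival:
            engine_free_at += service[queue.popleft()]
        if engine_free_at <= arrival:           # engine idle: inspect immediately
            engine_free_at = arrival + service[cls]
        elif len(queue) < buffer_size:          # engine busy: wait in the buffer
            queue.append(cls)
        else:                                   # buffer full: packet is lost
            dropped += 1
    return dropped / total if total else 0.0


def trace(pattern, n):
    """Repeat a class pattern out to n packets (constructed traffic, not a capture)."""
    return list(islice(cycle(pattern), n))


# Four constructed scenarios, all offered at exactly PPS packets per second.
SCENARIOS = {
    "all plain": ["plain"],
    "50/50 interleaved": ["heavy", "plain"],
    "50/50 bursty": ["heavy"] * 60 + ["plain"] * 60,
    "all heavy": ["heavy"],
}


def drop_rates(n=12_000):
    """Dropped fraction per scenario for n packets (1.2 s of traffic at PPS)."""
    return {name: simulate_drops(trace(pattern, n))
            for name, pattern in SCENARIOS.items()}


if __name__ == "__main__":
    for name, rate in drop_rates().items():
        print(f"{name:>18}: {rate:6.1%} dropped at {PPS} pps")
```

The "all heavy" case settles at about one packet in three dropped because each arrival brings 100 µs of spacing but 150 µs of work; the interleaved mix averages 85 µs of work per 100 µs and never builds a backlog, while the bursty mix with the same average overflows the buffer during every run of heavy packets. Changing BUFFER or the service costs shifts the numbers, which is the point: the drop percentage is a property of the whole traffic/configuration pair, not of the line rate.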
