Snort mailing list archives

Snort on large loads.


From: "Wedge Breaker" <wedgebreaker () crackdealer com>
Date: Tue, 11 Dec 2001 12:31:39 -0800

> Well I know that several large commercial sites are using snort on OC-12's
> at 622 Mbps on xeons without packet loss according to their claims

Really?  That's a LOT of traffic!  I didn't realize Snort was that fast - I did some testing a while ago w/ Snort 
(1.8.1 I think) and my tests didn't show that kind of capability.  I'm running Snort now at my job at around 60Mbit/s 
sustained and 120Mbit/s peaks and I'm dropping stuff now and then.  This is a PIII 800-something w/ 256M RAM and 
rocking Intel Gig card so it's no slouch in the hardware department.  I definitely love Snort, but man, 600+ Mbit/s is 
a BIG matzo ball to swallow.

> , so I
> wouldn't expect any issues with T3/DS3/OC1 at 45Mbps on modern hardware
> or even saturated fast ethernet at 100Mbps.  45 Mbps should barely make
> your snort sensor break a sweat.

Any caveats with this claim?  I would think that 45Mbit/s of all web traffic could cause some trouble.  Especially if 
you are doing protocol analysis to catch Unicode type stuff.  I'm not trying to sound blasphemous (honest!) - it's just 
that as an IDS admin for several years, I can say that my experience doesn't support these claims.  Snort or otherwise, 
which leads me to...

> Your mileage with other IDSes may vary :-).

Heh, heh, not going to argue with you there.  I just read an article the other day where that joker Gula said they were 
having problems with like 300Mbit/s.  I've worked w/ Dragon a little and found it to be fairly fast...  Has anyone 
really put them to pace to see which is faster?

> I think, as all the IDS vendors will eventually discover and the trade press
> will someday clue into, at higher rates, the problems do not lie only in the
> IDS software per se, as much as the interface drivers and OS architectures
> and that oh so fun PCI transfer and DMA interrupt bottleneck.

Hm.  I've always thought that protocol analysis was much harder than sniffing traffic on a 64-bit PCI bus Gig card.  
I'm no programmer, so maybe I'm wrong?

Honest Dragos, I'm not trying to attack you, just asking for some clarification on these claims...

wb
