Snort mailing list archives
Re: How much can snort Snort?
From: Mipam <mipam () ibb net>
Date: Tue, 16 Apr 2002 01:43:27 +0200
On Mon, Apr 15, 2002 at 05:13:35PM -0600, Phil Wood wrote:
> On Mon, Apr 15, 2002 at 02:47:33PM -0700, Kevin L Pawloski wrote:
> > I've seen several discussions about gig interfaces lately but I haven't seen any recent posts about benchmarks for gig snorting performance of late. How much traffic can a Snort box pull w/o dropping a high amount of packets? I'm more concerned about the box's performance and not any issues with the actual gig interface itself.
>
> Depends on the rule sets, the cpu's, the libpcap implementation, and the actual traffic mix on the Gig interface (among other things like disk, and what kind of post processing you might be doing). It might be useful to come up with a standard performance analysis configuration:
>
> 1. hardware description (cpu(s), memory, bus speeds, disk features)
> 2. characterization of actual traffic (sometimes available via snmp queries from routers involved, or, if using my libpcap you could get fairly precise stats, or on linux, you could watch the interface stats by iterating on the contents of /proc/net/dev, ...).
> 3. standard, cast in stone rule set.
> 4. output to pcap file only (no other output plugins involved)
> 5. 5 days (Monday through Friday).
> 6. software involved: libpcap version, snort version, ?
> 7. more stuff?
>
> If I just collect the first 68 bytes of IP (tcp, udp, and icmp) packets using tcpdump I can lose packets or not up to 100 Mbps.
Nice answers and I agree, though, with tcpdump, which I also love to use, I mostly use the -n so no names are resolved, it helps a lot. And using the -w option helps, though .... you need to have fast disks, and a good implementation on how to use them and a nice fs to cope with gigabit or more, basically, also kernel stuff is so important as many other things which you describe :-) In general I guess, deploying ids machines is an art on itself and requires a lot of tweaking aside from writing the rulesets itself. Though, the same holds for firewalls, routers etc :-)

Bye, Mipam.
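Phil Wood's point 2 suggests watching /proc/net/dev to characterize the traffic a sensor actually receives. The script below is an added example, not code from anyone in the thread: it reads the standard Linux /proc/net/dev layout (receive fields: bytes, packets, errs, drop, ...) from two snapshots and reports packets per second and the change in the kernel's receive-drop counter. The two snapshots are constructed sample data; the drop counter here is the kernel's per-interface count, not what Snort or libpcap report as dropped.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the standard Linux
# /proc/net/dev line format:
#   iface: rx_bytes rx_packets rx_errs rx_drop rx_fifo rx_frame rx_compressed rx_multicast tx_bytes ...

# Print "rx_packets rx_drop" for one interface; stdin is /proc/net/dev text.
netdev_counters() {  # $1 = interface name
    awk -v ifc="$1" '
        $0 ~ "^[ \t]*" ifc ":" {
            sub(/^[ \t]*[^:]+:/, "")   # strip "  eth0:" (also handles "eth0:12345" with no space)
            print $2, $4               # rx packets, rx drop
        }'
}

# Print "pps drops" from two snapshots taken $2 seconds apart.
netdev_rate() {  # $1 = interface, $2 = seconds, $3 = snapshot A text, $4 = snapshot B text
    {
        printf '%s\n' "$3" | netdev_counters "$1"
        printf '%s\n' "$4" | netdev_counters "$1"
    } | awk -v secs="$2" '
        NR == 1 { p0 = $1; d0 = $2 }
        NR == 2 { printf "%d %d\n", ($1 - p0) / secs, $2 - d0 }'
}

# Live use on a Linux sensor: sample the counters twice, $2 seconds apart.
netdev_sample() {  # $1 = interface, $2 = seconds
    s1=$(cat /proc/net/dev); sleep "$2"; s2=$(cat /proc/net/dev)
    netdev_rate "$1" "$2" "$s1" "$s2"
}

# Constructed snapshots, 10 seconds apart (not real measurements).
SNAP_A='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0:  500000    4000    0    5    0     0          0         0   100000     800    0    0    0     0       0          0'
SNAP_B='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    2000      20    0    0    0     0          0         0     2000      20    0    0    0     0       0          0
  eth0: 9500000  124000    0  305    0     0          0         0   120000     900    0    0    0     0       0          0'

# Prints "12000 300": 12000 packets/s received, 300 new kernel-level drops.
netdev_rate eth0 10 "$SNAP_A" "$SNAP_B"
```

A drop counter that climbs while pps is flat points at the host (bus, interrupt, or buffer limits) rather than the rule set, which is why Phil's checklist separates traffic characterization from the Snort configuration.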