Snort mailing list archives

Re: Snort on-line detection rate?


From: Erek Adams <erek () snort org>
Date: Wed, 14 May 2003 11:30:30 -0400 (EDT)

On Wed, 14 May 2003, 方 磊 wrote:

I am a rookie in snort. I want to test the on-line detection capacity of
snort. I have two computers connected directly. The traffic producer runs
tcpreplay with tcpdump data at a rate of 100Mbps at first. But I find
that snort1.9.1 drops most packets with 1310 rules. Only when I change
the rate to about 5Mbps does snort detect most packets. My snort
sensor runs on Intel 2.4G 512MB RAM and Linux 9.0. What is the
approximate rate of snort's on-line detection capacity with all its
ruleset?

A few points:

*  Linux 9?  No such animal.  Do you mean RedHat 9?  Remember RedHat !=
Linux....

*  Use Snort 2.0 instead of 1.9.1.  The detection engine has changed and
it's much quicker now.

*  Never, Never, Never, EVER use all the rules.  For a _real_ test, you
should tune your ruleset to a smaller set of rules, the same way you would
in a production setup.  The default rules aren't there so they can all be
turned on, they are there to give a 'default' set from which you can pick
and choose what you need, or modify to fit your network.

*  What kind of NIC do you have in your sensor?  Is your driver current?
Bad drivers can be a major reason for dropped packets.  Can you send
100mbs without getting dropped packets from the OS itself?

*  Most networks aren't going to have 100mbs of sustained traffic.  You
have to keep in mind the 'ethernet knee' [0] goes from (roughly) 25%-40%.
At that point, your retransmissions start to degrade the performance of
the network.  Realistic loads on a 100mbs net would be more from 25-40mbs
with that in mind.

*  How are you running Snort?  The command line switches and the contents
of the .conf file will make a large impact upon how fast it can detect and
alert.

*  What kind of an I/O subsystem are you on?  IDE?  EIDE?  SCSI?  IDE is
the slower, while SCSI is the faster of those.


Here's something to consider:  There are people on (and off) this list who
are using Snort in GigE situations--with little or no dropped packets.
Anyone in that group care to comment?

Snort is a quick little piggy--You just can't expect him to be quick if
you overfeed (too many rules) him!  :)

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=ethernet+knee
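Two of the points above (trim the ruleset before measuring, and first check whether the OS itself is dropping packets) can be scripted. The following is an added example and is not code from the thread or from the Snort project. It assumes a Snort 1.9/2.0-style snort.conf with `include $RULE_PATH/<category>.rules` lines, the tcpdump exit summary format (`N packets received by filter` / `N packets dropped by kernel`), and Snort 2.x's exit summary (`Snort received N packets`, `Dropped: N(pct%)`); the function names `tune_snort_conf`, `count_enabled_includes`, `drop_stats` and `drops_acceptable` are hypothetical, and all sample inputs are constructed.

```sh
#!/bin/sh
# Added example, not part of the original post or the Snort project.
# 1) tune_snort_conf: keep only the named rule categories enabled.
# 2) drop_stats: turn a tcpdump or Snort 2.x exit summary into
#    "received dropped percent" so OS-level drops can be separated
#    from Snort-level drops.

# tune_snort_conf IN OUT category...   (category = rules file basename)
tune_snort_conf() {
    in=$1; out=$2; shift 2
    keep=" $* "
    awk -v keep="$keep" '
        /^[[:space:]]*include[[:space:]]+\$RULE_PATH\// {
            n = split($2, p, "/"); cat = p[n]; sub(/\.rules$/, "", cat)
            if (index(keep, " " cat " ") == 0) {
                print "#" $0 "   # disabled for tuning"; next
            }
        }
        { print }
    ' "$in" > "$out"
}

# Number of rule files still included in a snort.conf.
count_enabled_includes() {
    grep -cE '^[[:space:]]*include[[:space:]]+\$RULE_PATH/' "$1" || true
}

# drop_stats SUMMARYFILE -> "received dropped percent"
# Understands tcpdump's summary (assumed format) and Snort 2.x's
# "Snort received ..." / "Dropped: N(pct%)" block (assumed format).
drop_stats() {
    awk '
        /packets received by filter/ { recv = $1 }
        /packets dropped by kernel/  { drop = $1 }
        /^Snort received/            { recv = $3 }
        /^[[:space:]]*Dropped:/      { split($2, a, "("); drop = a[1] }
        END {
            pct = (recv > 0) ? 100 * drop / recv : 0
            printf "%d %d %.2f\n", recv, drop, pct
        }
    ' "$1"
}

# drops_acceptable SUMMARYFILE MAXPCT -> exit 0 if drop rate <= MAXPCT
drops_acceptable() {
    drop_stats "$1" | awk -v max="$2" '{ exit ($3 + 0 <= max + 0) ? 0 : 1 }'
}

# ---- constructed sample inputs ----
tmp=$(mktemp -d)
cat > "$tmp/snort.conf" <<'EOF'
var HOME_NET 192.168.1.0/24
var RULE_PATH ../rules
preprocessor stream4: detect_scans
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/virus.rules
EOF
# What "tcpdump -i eth0 -w /dev/null" might print at exit during the replay
# (constructed): the kernel already loses 3.75% before Snort sees anything.
cat > "$tmp/tcpdump.txt" <<'EOF'
11550 packets captured
12000 packets received by filter
450 packets dropped by kernel
EOF
# Constructed Snort 2.x exit summary for the "drops most packets" case.
cat > "$tmp/snort-stats.txt" <<'EOF'
Snort received 200000 packets
    Analyzed: 50000(25.000%)
    Dropped: 150000(75.000%)
    Outstanding: 0(0.000%)
EOF

tune_snort_conf "$tmp/snort.conf" "$tmp/snort-tuned.conf" bad-traffic exploit web-cgi
echo "rule files enabled: $(count_enabled_includes "$tmp/snort.conf") -> $(count_enabled_includes "$tmp/snort-tuned.conf")"
echo "tcpdump (received dropped pct): $(drop_stats "$tmp/tcpdump.txt")"
echo "snort   (received dropped pct): $(drop_stats "$tmp/snort-stats.txt")"
drops_acceptable "$tmp/tcpdump.txt" 5 && echo "OS-level drops within 5%" || echo "OS-level drops exceed 5%: fix NIC/driver first"
```

Run the tcpdump check with Snort stopped while tcpreplay is sending; if the kernel is already dropping, no amount of rule tuning will help and the NIC, driver or host need attention first. Once that is clean, measure Snort with `-c` pointed at the tuned conf and compare its own Dropped figure at each replay rate.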

