Snort mailing list archives

Re: Benchmarking snort


From: Bennett Todd <bet () rahul net>
Date: Thu, 17 Apr 2003 23:07:39 -0400

Some general comments.

Tcpreplay <URL:http://tcpreplay.sf.net/> is designed specifically
for benchmarking NIDSes.

Specific detailed answers to your questions are going to be
outlandishly dependent on exact versions of snort, exact versions of
rules sets, tuning of the many critical customization variables
(HOME_NET, EXTERNAL_NET, *_SERVERS, *_PORTS), preprocessor configs,
bpf tuning, libpcap implementation tuning, OS version, and platform.

To find real hard answers I'd recommend

- tuning snort as well as you can, working with the latest version;

- working on the OS you love the best, on the best platform you can
  afford;

- benchmarking with tcpreplay; and finally

- fiddling.

Don't spend too awfully much effort on details, nail your answers
within a factor of 5 or so and stop worrying, Moore's law hasn't let
go of this neighborhood yet.

Here's a rough figure of merit to consider: untuned snort 1.9, on
cheap (PCI bus) commodity PC with >1GHz P3 or better and >=512MB
RAM, and a good NIC, can handle 50MBps without breaking a sweat, and
can be tuned to something well over 100Mbps with sufficient care and
precision. 2.0 is way faster. You can get much faster platforms
today.

-Bennett
